clj-xpath
Heads up: New critical CVE on Apache Xalan with arbitrary bytecode evaluation risk
This is a heads-up, since you can't do anything about the issue at the moment. This new CVE was published this week, and I fear it will have log4j2-level ramifications (code security audits looking for Xalan classes in jars, etc.):
https://www.opencve.io/cve/CVE-2022-34169
While I can't find any code in clj-xpath that actually uses Xalan's XSLT (I see imports of javax.xml.transform, but no use of the classes or interfaces), Xalan is providing the implementation of XPath, and it's the only practical choice for that, since other implementations of the JAXP specification are commercial or GPL licensed.
It looks like there is some effort underway to release a fix to Xalan:
https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
Oracle and OpenJDK have patched their embedded versions, so it's worth watching for a 2.7.3 release to appear on Maven.
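As an added example (not code from clj-xpath, Xalan, or the poster): a small Python scanner for the kind of jar audit the post anticipates. It walks a directory of jars, reports whether each one bundles Xalan packages (and the XSLTC compiler in particular), reads the version from the manifest, and flags anything older than an assumed fixed release. The assumptions are labelled in the code: the fix is taken to land in 2.7.3 as the thread hopes, and the version is read from an `Implementation-Version` manifest header with a fallback to a `xalan-<version>.jar` file name; a jar whose version cannot be determined is flagged conservatively. The sample jars it runs on without arguments are constructed in memory and are not real Xalan builds.

```python
"""Scan jars for bundled Apache Xalan classes and report the version.

Added example, not clj-xpath or Xalan project code. Assumptions, labelled:
  * the fixed release is 2.7.3, as the thread hopes, so anything older is flagged;
  * the version comes from Implementation-Version in META-INF/MANIFEST.MF,
    falling back to a 'xalan-<version>.jar' file name (heuristics, not a spec).
"""
import io
import re
import sys
import zipfile
from pathlib import Path

# Package prefixes that identify a bundled Xalan XSLT/XPath implementation.
XALAN_PREFIXES = ("org/apache/xalan/", "org/apache/xpath/", "org/apache/xml/serializer/")
# XSLTC is the compiling (bytecode-generating) transformer inside Xalan.
XSLTC_PREFIX = "org/apache/xalan/xsltc/"
FIXED_VERSION = (2, 7, 3)  # assumption: first release expected to carry the fix

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from the first x.y.z in text, or None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def manifest_version(zf):
    """Implementation-Version from the jar manifest, if present (heuristic)."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in raw.splitlines():
        if line.lower().startswith("implementation-version:"):
            return parse_version(line.split(":", 1)[1])
    return None


def inspect_jar(data, name="<bytes>"):
    """Inspect one jar (bytes) and return a report dict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.namelist()
        has_xalan = any(e.startswith(XALAN_PREFIXES) for e in entries)
        has_xsltc = any(e.startswith(XSLTC_PREFIX) and e.endswith(".class") for e in entries)
        version = manifest_version(zf) if has_xalan else None
    if has_xalan and version is None:
        version = parse_version(Path(name).name)  # fallback: version in the file name
    # Unknown version is flagged too: an auditor should look rather than assume.
    flagged = has_xalan and (version is None or version < FIXED_VERSION)
    return {"jar": name, "xalan": has_xalan, "xsltc": has_xsltc,
            "version": version, "flagged": flagged}


def scan(paths):
    """Inspect every .jar under the given files/directories."""
    reports = []
    for p in paths:
        p = Path(p)
        files = [p] if p.is_file() else sorted(p.rglob("*.jar"))
        for f in files:
            reports.append(inspect_jar(f.read_bytes(), str(f)))
    return reports


def build_sample_jar(version=None, xalan=True, xsltc=True):
    """Constructed sample jar for offline demonstration; not a real Xalan build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\n"
        if version:
            manifest += f"Implementation-Version: {version}\n"
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        if xalan:
            zf.writestr("org/apache/xpath/XPath.class", b"\xca\xfe\xba\xbe")
        if xalan and xsltc:
            zf.writestr("org/apache/xalan/xsltc/compiler/XSLTC.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        reports = scan(sys.argv[1:])
    else:  # no arguments: run on the constructed samples
        reports = [inspect_jar(build_sample_jar("2.7.2"), "xalan-2.7.2.jar"),
                   inspect_jar(build_sample_jar("2.7.3"), "xalan-2.7.3.jar")]
    for r in reports:
        print(r)
    sys.exit(1 if any(r["flagged"] for r in reports) else 0)
```

Run it as `python scan_xalan.py ~/.m2/repository target/` to cover both the dependency cache and an uberjar; a non-zero exit makes it usable as a CI gate. It does not look inside the JDK's own relocated copy (`com.sun.org.apache.xalan.internal`), which is the part the post says Oracle and OpenJDK have already patched.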
Thank you for the notification and links. I'll try to keep an eye on the Xalan release and update clj-xpath when it's published.