CVE-2022-34169 Overview
The Apache Xalan Java XSLT library contains a critical integer truncation vulnerability when processing malicious XSLT stylesheets. This flaw exists within the internal XSLTC compiler and can be exploited to corrupt Java class files generated during stylesheet compilation, ultimately allowing attackers to execute arbitrary Java bytecode. The vulnerability has far-reaching implications as Java runtimes such as OpenJDK include repackaged copies of the Xalan library, significantly expanding the attack surface across numerous Java applications and environments.
Critical Impact
Successful exploitation enables arbitrary Java bytecode execution through corrupted class files, potentially compromising the integrity of Java applications processing untrusted XSLT stylesheets.
Affected Products
- Apache Xalan-Java (versions prior to 2.7.3)
- Oracle JDK (versions 1.7.0 update 343, 1.8.0 update 333, 11.0.15.1, 17.0.3.1, 18.0.1.1)
- Oracle OpenJDK (multiple versions including 7, 8, 11, 13, 15, 17, 18)
- Oracle JRE (versions 1.7.0 update 343, 1.8.0 update 333, 11.0.15.1, 17.0.3.1, 18.0.1.1)
- Oracle GraalVM Enterprise (versions 20.3.6, 21.3.2, 22.1.0)
- Azul Zulu (versions 6.47, 7.54, 8.62, 11.56, 13.48, 15.40, 17.34, 18.30)
- Debian Linux (versions 10.0, 11.0)
- Fedora (versions 35, 36)
- NetApp products (7-Mode Transition Tool, Active IQ Unified Manager, Cloud Insights Acquisition Unit, Cloud Secure Agent, HCI Management Node, OnCommand Insight, SolidFire, HCI Compute Node)
Discovery Timeline
- July 19, 2022 - CVE-2022-34169 published to NVD
- July 2022 - Oracle releases security patches in CPU July 2022
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2022-34169
Vulnerability Analysis
This vulnerability stems from an integer truncation error (CWE-681: Incorrect Conversion between Numeric Types) within the Apache Xalan Java XSLT library's internal XSLTC compiler. When the compiler processes XSLT stylesheets, certain numeric values are improperly converted between integer types, causing truncation that leads to corrupted Java class file generation.
The XSLTC compiler transforms XSLT stylesheets into executable Java bytecode at runtime. Due to the integer truncation flaw, an attacker can craft a malicious XSLT stylesheet that, when processed, causes the compiler to generate corrupted class files containing attacker-controlled bytecode. This bytecode is then loaded and executed by the JVM, bypassing standard Java security mechanisms.
The vulnerability is particularly dangerous because it affects not only standalone Xalan library deployments but also the bundled copies within most Java runtime environments. Any application that processes untrusted XSLT content—including XML transformation services, document processing systems, and web applications—may be vulnerable.
Root Cause
The root cause is an incorrect conversion between numeric types within the XSLTC compiler's class file generation logic. When handling certain numeric values that exceed the bounds of the target integer type, the compiler truncates the value rather than properly validating or handling the overflow condition. This truncation corrupts internal data structures used to construct the generated Java class file, allowing an attacker to manipulate the resulting bytecode.
Attack Vector
The attack can be executed remotely over the network by submitting a maliciously crafted XSLT stylesheet to any vulnerable application that processes XSLT transformations. The attacker does not require authentication or any prior privileges on the target system.
The attack proceeds as follows: An attacker crafts an XSLT stylesheet containing specific numeric values designed to trigger the integer truncation during compilation. When a vulnerable application processes this stylesheet through the Xalan XSLTC compiler, the truncation corrupts the generated class file structure. The corrupted class file contains attacker-controlled bytecode that executes with the privileges of the Java application, potentially leading to full system compromise.
Applications that accept user-supplied XSLT stylesheets or process XSLT content from untrusted sources are at highest risk. For detailed technical analysis of the exploitation mechanism, see the Packet Storm Security Advisory.
Detection Methods for CVE-2022-34169
Indicators of Compromise
- Anomalous XSLT stylesheet submissions containing unusually large numeric values or complex nested structures
- Unexpected Java class file generation or loading events following XSLT processing
- Unusual process behavior or network connections originating from Java-based XSLT processing applications
- Memory corruption signatures or JVM crashes during XSLT transformation operations
Detection Strategies
- Monitor XSLT processing endpoints for suspicious stylesheet content, particularly large or malformed numeric literals
- Implement application-layer logging for all XSLT transformation operations with content inspection
- Deploy behavioral analysis to detect anomalous JVM activity following XSLT processing, including unexpected bytecode loading
- Use SentinelOne's runtime protection capabilities to detect and block arbitrary bytecode execution attempts
Monitoring Recommendations
- Enable verbose logging on Java applications that process XSLT transformations
- Configure alerting for XSLT compilation errors or unusual XSLTC compiler behavior
- Monitor system call patterns from Java processes for indicators of post-exploitation activity
- Track Java class loading events for unexpected or unsigned class files
How to Mitigate CVE-2022-34169
Immediate Actions Required
- Update Apache Xalan-Java library to version 2.7.3 or later immediately
- Apply vendor-specific patches for all affected Java runtime environments (Oracle JDK/JRE, OpenJDK, Azul Zulu, GraalVM)
- Audit applications to identify any that process XSLT content from untrusted sources
- Implement input validation to restrict XSLT stylesheet sources to trusted origins only
Patch Information
Users of Apache Xalan-Java should upgrade to version 2.7.3 or later. Oracle addressed this vulnerability in the July 2022 Critical Patch Update, providing patches for Oracle JDK, JRE, OpenJDK, and GraalVM. Debian has released security advisories DSA-5188, DSA-5192, and DSA-5256. Fedora users should apply updates via the package manager. NetApp has published advisory ntap-20220729-0009 with guidance for affected products. Azul Zulu users should update to the latest supported versions.
Workarounds
- Disable XSLT processing entirely in applications where it is not required
- Restrict XSLT stylesheet processing to trusted, pre-validated stylesheets only
- Implement sandboxing or containerization for applications that must process untrusted XSLT content
- Configure Java Security Manager policies to restrict bytecode generation and class loading capabilities
# Verify Java version and check for patched status
java -version
# For Maven projects, update Xalan dependency in pom.xml
# <dependency>
# <groupId>xalan</groupId>
# <artifactId>xalan</artifactId>
# <version>2.7.3</version>
# </dependency>
# On Debian/Ubuntu, update Java packages
sudo apt update && sudo apt upgrade openjdk-11-jdk
# On Fedora, update Java packages
sudo dnf update java-11-openjdk
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
