Bug 2136128 (CVE-2022-41852) - CVE-2022-41852 JXPath: untrusted XPath expressions may lead to RCE attack
Summary: CVE-2022-41852 JXPath: untrusted XPath expressions may lead to RCE attack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-41852
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2136132 2136133 2138736 2138737 2138738 2138739 2138740 2138741
Blocks: 2136129
 
Reported: 2022-10-19 12:04 UTC by Patrick Del Bello
Modified: 2023-05-03 18:44 UTC (History)
CC List: 56 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-05-03 18:44:36 UTC
Embargoed:


Attachments


Links
Red Hat Product Errata RHSA-2023:2100 (private: no; priority/status/summary: none; last updated 2023-05-03 14:06:18 UTC)

Description Patrick Del Bello 2022-10-19 12:04:54 UTC
Those using JXPath to interpret untrusted XPath expressions may be vulnerable to a remote code execution attack. All JXPathContext class functions processing an XPath string are vulnerable except the compile() and compilePath() functions. The XPath expression can be used by an attacker to load any Java class from the classpath, resulting in code execution.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
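
Worked example, added here and not part of the bug report or of the JXPath project's own code: the vulnerable sink the description refers to (an untrusted string evaluated by JXPathContext.getValue() on a default context) next to a hardened form that installs an empty FunctionLibrary and passes the untrusted value through an XPath variable instead of interpolating it. It assumes what the description states, that a default context resolves a fully-qualified class.method(...) function name against the classpath; the Employee bean and the benign probe expression are constructed for this example, and the probe only reads a system property rather than demonstrating an exploit.

```java
import org.apache.commons.jxpath.CompiledExpression;
import org.apache.commons.jxpath.FunctionLibrary;
import org.apache.commons.jxpath.JXPathContext;
import org.apache.commons.jxpath.JXPathException;

public class JXPathUntrustedInput {

    /** Constructed bean for the example; JXPath exposes getName() as the property "name". */
    public static class Employee {
        private final String name;
        public Employee(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /**
     * Vulnerable pattern: a caller-controlled string becomes the whole XPath.
     * A default context (no setFunctions() call) resolves a function name of
     * the form pkg.Class.method(...) against any class on the classpath.
     */
    static Object evaluateUntrusted(Object bean, String untrustedXPath) {
        JXPathContext ctx = JXPathContext.newContext(bean);
        return ctx.getValue(untrustedXPath);
    }

    /**
     * Hardened pattern: the expression is a fixed string, the caller-controlled
     * value is bound as an XPath variable (data, not syntax), and extension
     * functions are switched off by installing an empty FunctionLibrary so that
     * only the XPath core functions remain callable.
     */
    static boolean matchesName(Object bean, String untrustedValue) {
        JXPathContext ctx = JXPathContext.newContext(bean);
        ctx.setFunctions(new FunctionLibrary());
        ctx.getVariables().declareVariable("needle", untrustedValue);
        return Boolean.TRUE.equals(ctx.getValue("name = $needle"));
    }

    public static void main(String[] args) {
        Employee bean = new Employee("alice");

        // Benign probe, constructed for the example: it never touches the bean,
        // yet the default context loads java.lang.System and calls a static method.
        String probe = "java.lang.System.getProperty('java.version')";
        System.out.println("default context: " + evaluateUntrusted(bean, probe));

        // compile() only parses. Nothing runs until the CompiledExpression is
        // evaluated against a context, which is why the report exempts it.
        CompiledExpression parsed = JXPathContext.compile(probe);
        System.out.println("parsed without executing: " + parsed);

        // Same probe against a context with no extension functions: rejected.
        JXPathContext locked = JXPathContext.newContext(bean);
        locked.setFunctions(new FunctionLibrary());
        try {
            locked.getValue(probe);
            System.out.println("unexpected: probe was evaluated");
        } catch (JXPathException e) {
            System.out.println("locked context rejected probe: " + e.getMessage());
        }

        // Legitimate lookups still work; the input is compared, not interpreted.
        System.out.println("alice matches: " + matchesName(bean, "alice"));
        System.out.println("probe as data matches: " + matchesName(bean, probe));
    }
}
```

Run it with the commons-jxpath jar on the classpath. The empty FunctionLibrary also disables any extension functions the application itself relies on; where those are needed, register only the intended classes through ClassFunctions (or a PackageFunctions with a specific package prefix) instead of leaving the default, classpath-wide resolution in place, and keep the untrusted value in a variable in either case.
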

Comment 1 Patrick Del Bello 2022-10-19 12:11:37 UTC
Created apache-commons-jxpath tracking bugs for this issue:

Affects: fedora-all [bug 2136132]


Created javapackages-bootstrap tracking bugs for this issue:

Affects: fedora-all [bug 2136133]

Comment 4 Marián Konček 2022-10-24 10:22:47 UTC
There is an ongoing discussion in the upstream project: https://github.com/apache/commons-jxpath/pull/25.
It boils down to whether a change in behaviour is acceptable, whether to implement whitelists / blacklists, and whether to enable them by default.
I don't know what position to take; I would like to ask the security team for an opinion.

Comment 6 Marián Konček 2022-10-26 11:25:03 UTC
FYI, no package in Fedora requires apache-commons-jxpath.

Comment 7 Marián Konček 2022-10-26 11:27:15 UTC
Correction: maven BuildRequires this package.

Comment 14 errata-xmlrpc 2023-05-03 14:06:15 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100

Comment 15 Product Security DevOps Team 2023-05-03 18:44:31 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41852

