
Cloud Vulnerability DB
A community-led vulnerabilities database
The Apache Xalan Java XSLT library was found to be vulnerable to an integer truncation issue when processing malicious XSLT stylesheets (CVE-2022-34169). The vulnerability was discovered by Felix Wilhelm from Google Project Zero and disclosed on July 19, 2022. The vulnerability affects the Apache Xalan Java XSLT library and its repackaged copies included in Java runtimes such as OpenJDK (OSS Security).
The flaw is an integer truncation that occurs while the library's internal XSLTC compiler translates a malicious XSLT stylesheet into Java bytecode. It can be used to corrupt the generated Java class files and thereby execute arbitrary Java bytecode. The vulnerability has a CVSS score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating it can be exploited remotely without authentication (NVD).
Successful exploitation could allow an attacker to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode, which could lead to remote code execution on affected systems (MITRE CVE).
Users are advised to update to Apache Xalan Java version 2.7.3 or later. For Java runtimes that include repackaged copies of Xalan (such as OpenJDK), users should apply the latest security patches provided by their vendors. OpenJDK released patches for this vulnerability in its July 2022 security update (OpenJDK Advisory).
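To find which jars on a system still need the 2.7.3 upgrade, the following added example (not code from the page, Apache or Wiz) inspects jar metadata and flags Xalan versions below 2.7.3. It assumes the standard Maven `META-INF/maven/xalan/xalan/pom.properties` layout or a manifest `Implementation-Title` containing "Xalan"; the sample jars are constructed in memory for illustration.

```python
import io
import re
import zipfile

# First Apache Xalan Java release that fixes CVE-2022-34169 (per the advisory).
FIXED_VERSION = (2, 7, 3)


def parse_version(text):
    """Turn '2.7.2' or '2.7.3-SNAPSHOT' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text.split("-")[0]))


def xalan_version_from_jar(data):
    """Return the Xalan version declared in a jar (bytes), or None if not a Xalan jar."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        pom = "META-INF/maven/xalan/xalan/pom.properties"  # Maven coordinates xalan:xalan
        if pom in names:
            for line in jar.read(pom).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if "META-INF/MANIFEST.MF" in names:  # fallback: manifest attributes (assumed layout)
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            attrs = dict(re.findall(r"^([\w-]+):\s*(.*?)\s*$", manifest, re.M))
            if "xalan" in attrs.get("Implementation-Title", "").lower():
                return attrs.get("Implementation-Version")
    return None


def is_vulnerable(version):
    """True when the declared version is older than the fixed release 2.7.3."""
    return parse_version(version) < FIXED_VERSION


def make_jar(files):
    """Build an in-memory jar from {path: text}; constructed input, not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, text in files.items():
            jar.writestr(path, text)
    return buf.getvalue()


# Constructed sample jars: one vulnerable, one fixed, one unrelated library.
SAMPLES = {
    "xalan-2.7.2.jar": make_jar({"META-INF/maven/xalan/xalan/pom.properties": "groupId=xalan\nartifactId=xalan\nversion=2.7.2\n"}),
    "xalan-2.7.3.jar": make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Title: Xalan\r\nImplementation-Version: 2.7.3\r\n"}),
    "other.jar": make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Title: Foo\r\nImplementation-Version: 1.0\r\n"}),
}


def scan(jars):
    """Return {jar name: version} for every jar carrying a Xalan version below 2.7.3."""
    findings = {}
    for name, data in jars.items():
        version = xalan_version_from_jar(data)
        if version is not None and is_vulnerable(version):
            findings[name] = version
    return findings
```

Repackaged copies inside a JDK (e.g. `com.sun.org.apache.xalan.internal`) carry no such metadata, so for runtimes the vendor patch level, not jar scanning, is the check that matters.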
The Apache Xalan Java project was noted to be dormant and in the process of being retired at the time of the vulnerability disclosure. No future releases of Apache Xalan Java to address this issue were expected from the project itself (OSS Security).
Source: This report was generated using AI