ALAS2-2024-2649


Amazon Linux 2 Security Advisory: ALAS2-2024-2649
Advisory Released Date: 2024-10-02
Advisory Updated Date: 2025-05-05
Severity: Medium

Issue Overview:

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions. (CVE-2012-0881)

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and previous versions. (CVE-2022-23437)


Affected Packages:

xerces-j2


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update xerces-j2 to update your system.

New Packages:
noarch:
    xerces-j2-2.11.0-17.amzn2.0.2.noarch
    xerces-j2-javadoc-2.11.0-17.amzn2.0.2.noarch
    xerces-j2-demo-2.11.0-17.amzn2.0.2.noarch

src:
    xerces-j2-2.11.0-17.amzn2.0.2.src
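As an added example that is not part of this advisory, the following POSIX shell script checks whether the xerces-j2 package installed on an AL2 host is at or above the fixed release listed above. It assumes GNU `sort -V` for the version comparison, which agrees with rpm's ordering for these release strings; rpm's own comparison remains authoritative for epochs or tilde versions.

```shell
#!/bin/sh
# Added example (not part of the ALAS advisory or the xerces-j2 package):
# verify that the installed xerces-j2 RPM is at or above the fixed release.

# Fixed version-release taken from the advisory's "New Packages" list.
FIXED_VER="2.11.0-17.amzn2.0.2"

# Return 0 when version-release $1 is greater than or equal to $2.
# Uses GNU sort -V (assumption: GNU coreutils is available).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# Classify an installed version-release string.
# Prints a one-line verdict; returns 0 if patched, 1 if still vulnerable.
check_version() {
    if ver_ge "$1" "$FIXED_VER"; then
        echo "patched: xerces-j2-$1"
        return 0
    fi
    echo "vulnerable: xerces-j2-$1 (fixed in $FIXED_VER)"
    return 1
}

# Query the RPM database; prints nothing when the package is not installed
# (or when rpm itself is unavailable, e.g. off an AL2 host).
installed_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' xerces-j2 2>/dev/null
}

main() {
    ver="$(installed_version)"
    if [ -z "$ver" ]; then
        echo "xerces-j2 is not installed; ALAS2-2024-2649 does not apply"
        return 0
    fi
    check_version "$ver"
}

main
```

A non-zero exit from `check_version` can be used directly in a fleet-wide audit job to flag hosts that still need `yum update xerces-j2`.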

Changelog:

2025-05-05: CVE-2022-23437 was added to this advisory.