Is EAP 7 really not affected by CVE-2022-40152?


Issue

If I understand correctly, CVE-2022-40152 was initially reported as a vulnerability in XStream but it was later discovered that it was actually a vulnerability in Woodstox.

CVE-2022-40152 lists EAP 7 as Not affected but only the package xstream is listed, no package woodstox is listed.

org.jboss.bom:eap-runtime-artifacts:7.4.7.GA lists a used version 6.0.3.redhat-00001 of woodstox.

The fix in Woodstox for CVE-2022-40152 seems to be this, which includes a new recursion depth check in readContentSpec of FullDTDReader. A very short glance at https://maven.repository.redhat.com/ga/com/fasterxml/woodstox/woodstox-core/6.0.3.redhat-00001/woodstox-core-6.0.3.redhat-00001-sources.jar shows no such recursion check.

There seems to be a relatively high risk that the Not affected status on CVE-2022-40152 has not considered the vulnerability in Woodstox. Can you please double check whether EAP 7 is vulnerable or not?

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7
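Two checks a deployment owner can run while the question above is open, as an added example that is not part of the original question or of any Red Hat or Woodstox code: confirm which woodstox-core jar the JVM actually loads (the BOM entry and the jar on the runtime classpath can differ), and configure the StAX factory so untrusted input never reaches DTD content-model parsing at all. The class and method names below are standard StAX and Woodstox identifiers; the sample document is constructed.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;
import java.security.CodeSource;

public class WoodstoxDtdCheck {

    // Report where the Woodstox StAX implementation was loaded from and the
    // Implementation-Version its MANIFEST declares (null if the jar has none).
    static String loadedWoodstoxLocation() throws ClassNotFoundException {
        Class<?> c = Class.forName("com.ctc.wstx.stax.WstxInputFactory");
        CodeSource src = c.getProtectionDomain().getCodeSource();
        String location = (src == null) ? "(unknown location)" : src.getLocation().toString();
        String version = c.getPackage().getImplementationVersion();
        return location + " version=" + version;
    }

    // Build a factory that does not process DTDs (standard StAX property contract),
    // so the DTD reader code path is not exercised for untrusted documents.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Constructed sample document carrying an internal DTD subset.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root [ <!ELEMENT root (a)> <!ELEMENT a (#PCDATA)> ]>\n"
      + "<root><a>ok</a></root>";

    // Parse with the hardened factory and return the text of the <a> element.
    static String parseHardened(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        String text = null;
        while (r.hasNext()) {
            if (r.next() == XMLStreamReader.START_ELEMENT && "a".equals(r.getLocalName())) {
                text = r.getElementText(); // consumes through the matching END_ELEMENT
            }
        }
        r.close();
        return text;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("woodstox-core loaded from: " + loadedWoodstoxLocation());
        System.out.println("parsed with DTD processing disabled: " + parseHardened(SAMPLE));
    }
}
```

Run it with the same classpath as the application (inside EAP that means from a deployment, so module-loaded jars are visible); if the reported jar is not the version the CVE page lists as fixed, that is the concrete evidence to attach to the support case.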
