KB Article #182345

A vulnerability was discovered in the Apache Xalan Java XSLT library

Problem

A vulnerability was discovered in the Apache Xalan Java XSLT library (CVE-2022-34169): an integer truncation in the XSLTC compiler that can be triggered by a malicious XSLT stylesheet and used to corrupt the Java class files XSLTC generates, so that arbitrary Java bytecode is executed. In TSIM this can potentially lead to unauthenticated remote code execution: https://nvd.nist.gov/vuln/detail/CVE-2022-34169.
This article provides recommendations and technical clarifications regarding the impact of CVE-2022-34169 on TSIM.

Exposure:

This vulnerability applies to TFL and TFXSLT maps that use translets (jar files) compiled with the Apache Xalan Java XSLT library, i.e. with its XSLTC compiler. Maps compiled with Saxon are not affected.


Resolution

How to avoid exposure:
Do not compile or deploy new maps that use the Apache Xalan Java XSLT library; compile them with Saxon instead.


Permanent solution:
Since no further releases of the Apache Xalan library were expected at the time of writing, TSIM will ship, starting with SP27, a new Java version that includes its own built-in Xalan implementation. This completely replaces the external Apache Xalan Java XSLT library used in previous versions.

As a consequence of this change, translet maps compiled with the Apache Xalan Java XSLT library will no longer function and must be recompiled using Saxon. Using Saxon for XSLT transformations will be mandatory for customers from SP27 onward.

Run the following searches from the directory that contains the map files to identify the maps that use Xalan and those that use Xalan translets. The first pattern matches the XSLTC factory class, so any map it reports is a translet map and is exposed to CVE-2022-34169; the second pattern matches the interpretive Xalan processor, which is not the vulnerable component but will also stop working once Xalan is replaced in SP27, so both sets of maps need to be recompiled with Saxon:

- Xalan maps with translet (exposed):
  find . -type f -name '*bpj' -exec grep -iRH 'org.apache.xalan.xsltc.trax.TransformerFactoryImpl' {} \;

- Xalan maps (interpretive processor):
  find . -type f -name '*bpj' -exec grep -iRH 'org.apache.xalan.processor.TransformerFactoryImpl' {} \;
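The two searches above report matching lines one at a time. The script below is an added example, not part of the original article or of TSIM/BOM: it walks a map directory once, classifies every .bpj file by the TransformerFactory class it references (Xalan translet, Xalan interpretive, Saxon, or none) and counts how many maps still have to be recompiled with Saxon. It assumes that a map's factory class name appears as plain text in its .bpj file, as the searches above do; the sample map tree it builds is constructed for the demonstration, and the Saxon factory class name (net.sf.saxon.TransformerFactoryImpl) is taken from the Saxon library itself, not from the article.

```shell
#!/bin/sh
# Added example (not from the original KB article): classify map project files
# by the XSLT TransformerFactory they reference so that every map that must be
# recompiled with Saxon is listed in one pass. Assumes maps are *.bpj files
# containing the factory class name as plain text.

XSLTC_FACTORY='org.apache.xalan.xsltc.trax.TransformerFactoryImpl'   # translet compiler, exposed to CVE-2022-34169
XALAN_FACTORY='org.apache.xalan.processor.TransformerFactoryImpl'    # interpretive Xalan processor, removed in SP27
SAXON_FACTORY='net.sf.saxon.TransformerFactoryImpl'                  # Saxon (assumed target factory)

# Print one line per map: "<kind><TAB><path>", where kind is one of
# xalan-translet, xalan, saxon, unknown. The translet check runs first because
# it is the only kind that is actually vulnerable.
classify_maps() {
    dir="$1"
    find "$dir" -type f -name '*.bpj' | LC_ALL=C sort | while IFS= read -r f; do
        if grep -qF "$XSLTC_FACTORY" "$f"; then
            kind=xalan-translet
        elif grep -qF "$XALAN_FACTORY" "$f"; then
            kind=xalan
        elif grep -qF "$SAXON_FACTORY" "$f"; then
            kind=saxon
        else
            kind=unknown
        fi
        printf '%s\t%s\n' "$kind" "$f"
    done
}

# Number of maps of a given kind under a directory (prints 0 when none).
count_kind() {
    classify_maps "$1" | awk -v k="$2" '$1 == k { n++ } END { print n + 0 }'
}

# Number of maps that still reference either Xalan factory and need Saxon.
count_to_recompile() {
    echo $(( $(count_kind "$1" xalan-translet) + $(count_kind "$1" xalan) ))
}

# Build a constructed sample map tree so the example runs offline.
# A readme.txt that mentions the XSLTC factory is included on purpose:
# it is not a map and must not be reported.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/maps/a" "$d/maps/b"
    printf 'factory=%s\n' "$XSLTC_FACTORY" > "$d/maps/a/inventory.bpj"
    printf 'factory=%s\n' "$XALAN_FACTORY" > "$d/maps/a/events.bpj"
    printf 'factory=%s\n' "$SAXON_FACTORY" > "$d/maps/b/alerts.bpj"
    printf 'no factory reference here\n' > "$d/maps/b/notes.bpj"
    printf 'factory=%s\n' "$XSLTC_FACTORY" > "$d/maps/b/readme.txt"
    printf '%s\n' "$d"
}

main() {
    root=$(make_sample_tree)
    classify_maps "$root"
    printf 'exposed translet maps: %s\n' "$(count_kind "$root" xalan-translet)"
    printf 'maps to recompile with Saxon: %s\n' "$(count_to_recompile "$root")"
    rm -rf "$root"
}

main "$@"
```

To use it on a real installation, replace the call to make_sample_tree in main with the path of the map directory; any line reported as xalan-translet is a map exposed to CVE-2022-34169 and should be recompiled first.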


For BOM, we recommend compiling newly created or updated maps with Saxon in order to avoid the exposure. In upcoming BOM versions, the Xalan compile option will be removed from BOM.