Summary
Nokogiri JRuby users are not vulnerable to CVE-2022-34169 when using default options to parse XSLT stylesheets.
Users may be vulnerable if the javax.xml.transform.TransformerFactory system property is set to org.apache.xalan.xsltc.trax.TransformerFactoryImpl. Nokogiri maintainers recommend leaving this property set to the default interpreting XSLT processor.
Context
On 2022-07-19, CVE-2022-34169 was published describing a vulnerability in the Apache Xalan Java XSLT library related to processing malicious XSLT stylesheets.
The Apache Xalan Java project is dormant, in the process of being retired, and no future releases to address this issue are expected.
Nokogiri's JRuby implementation has used Xalan-J for XSLT functionality since the native Java backend was introduced in Nokogiri v1.5.0 in 2010, and so the Nokogiri and JRuby maintainers collaborated on an investigation into whether Nokogiri users were vulnerable.
Conclusions
Nokogiri and JRuby maintainers have looked into CVE-2022-34169 and determined that it does not affect Nokogiri JRuby users as long as they run with default settings. The XSLT compiler is not enabled unless configured via the JVM property javax.xml.transform.TransformerFactory, and we recommend leaving it set to the default interpretive XSLT processor.
See the following Xalan API documentation link for more information about this JVM property: https://xalan.apache.org/xalan-j/xsltc_usage.html#api
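As an added example (not Nokogiri's or Xalan's own code), the following pre-flight check reports whether the JVM has been pointed at the XSLTC compiler factory named above, either by inspecting the -D definitions in JRUBY_OPTS/JAVA_OPTS before launch or by asking the running JVM under JRuby. The helper names and the option-string parsing are assumptions of this example.

```ruby
# Added example, not part of the Nokogiri advisory or code base.
# Detects the javax.xml.transform.TransformerFactory setting that would
# enable the XSLTC compiler affected by CVE-2022-34169.

FACTORY_PROPERTY = "javax.xml.transform.TransformerFactory".freeze
XSLTC_FACTORY    = "org.apache.xalan.xsltc.trax.TransformerFactoryImpl".freeze

# Extract -Dkey=value definitions from a JVM option string such as the
# contents of JRUBY_OPTS or JAVA_OPTS (assumed helper; a -Dkey with no
# value is recorded as an empty string).
def jvm_defines(opts)
  return {} if opts.nil?
  opts.split.each_with_object({}) do |tok, defs|
    next unless tok.start_with?("-D")
    key, value = tok[2..-1].split("=", 2)
    defs[key] = value || ""
  end
end

# Factory that will be selected when the JVM is launched with these
# environment variables; JRUBY_OPTS is checked after JAVA_OPTS so that a
# later definition wins. Returns nil when the property is not set.
def configured_factory_from_env(env)
  defs = jvm_defines(env["JAVA_OPTS"]).merge(jvm_defines(env["JRUBY_OPTS"]))
  defs[FACTORY_PROPERTY]
end

# Under JRuby, read the property from the live JVM instead.
def running_jvm_factory
  return nil unless defined?(JRUBY_VERSION)
  require "java"
  java.lang.System.getProperty(FACTORY_PROPERTY)
end

# Only the explicit XSLTC factory class enables the compiler; nil (the
# default interpretive processor) or any other factory is reported as OK.
def xsltc_compiler_selected?(factory)
  factory == XSLTC_FACTORY
end

def xslt_configuration_report(factory)
  if xsltc_compiler_selected?(factory)
    "WARNING: #{FACTORY_PROPERTY}=#{factory} enables the XSLTC compiler (CVE-2022-34169)"
  else
    "OK: #{FACTORY_PROPERTY} is #{factory.nil? ? 'unset (default interpretive processor)' : factory.inspect}"
  end
end

if __FILE__ == $PROGRAM_NAME
  factory = defined?(JRUBY_VERSION) ? running_jvm_factory : configured_factory_from_env(ENV)
  puts xslt_configuration_report(factory)
end
```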
Other considerations
Nokogiri maintainers have begun exploring replacements for Xalan-J (see #1829), but no firm timeline has been set for investing in this work. We invite members of the JRuby community to reach out via comment on that issue if they are able to help.
Thanks
The Nokogiri maintainers would like to thank @jsvd, @headius, @enebo, and @kares for their assistance in this investigation.