製品・ソフトウェアに関する情報

JVN脆弱性詳細

libxml2 における解放済みメモリの使用に関する脆弱性

Title	libxml2 における解放済みメモリの使用に関する脆弱性
Summary	libxml2 には、解放済みメモリの使用に関する脆弱性が存在します。
Possible impacts	サービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 20, 2022, midnight
Registration Date	July 12, 2023, 10:08 a.m.
Last Update	May 15, 2025, 5:17 p.m.

CVSS3.0 : 重要
Score	7.5
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:N/A:P

Affected System

オラクル

Oracle Communications Cloud Native Core Binding Support Function

アップル

Apple Mac OS X

iOS

iPadOS

macOS

tvOS

日立

Job Management Partner 1/IT Desktop Management - Manager

Job Management Partner 1/IT Desktop Management 2 - Manager

JP1/IT Desktop Management - Manager

JP1/IT Desktop Management 2 - Manager

JP1/IT Desktop Management 2 - Operations Director

Debian

Debian GNU/Linux

Fedora Project

Fedora

xmlsoft.org

libxml2 2.9.13 未満

NetApp

Active IQ Unified Manager

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2022-23308	https://www.cve.org/CVERecord?id=CVE-2022-23308
National Vulnerability Database (NVD)
2	CVE-2022-23308	https://nvd.nist.gov/vuln/detail/CVE-2022-23308

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-416	https://cwe.mitre.org/data/definitions/416.html

ベンダー情報

No	Name	URL
Apple セキュリティアップデート
1	HT213253	https://support.apple.com/ja-jp/HT213253
2	HT213254	https://support.apple.com/ja-jp/HT213254
3	HT213255	https://support.apple.com/ja-jp/HT213255
4	HT213256	https://support.apple.com/ja-jp/HT213256
5	HT213257	https://support.apple.com/ja-jp/HT213257
6	HT213258	https://support.apple.com/ja-jp/HT213258
Debian
7	[SECURITY] [DLA 2972-1] libxml2 security update	https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html
Fedora Update Notification
8	FEDORA-2022-050c712ed7	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/
GitHub
9	[CVE-2022-23308] Use-after-free of ID and IDREF attributes	https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e
GNOME GIT REPOSITORY
10	Update news and rebuild documentation	https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS
Hitachi Software Vulnerability Information
11	hitachi-sec-2025-122	https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-122/index.html
NetApp Advisory
12	NTAP-20220331-0008	https://security.netapp.com/advisory/ntap-20220331-0008/
Oracle Critical Patch Update
13	Oracle Critical Patch Update Advisory - July 2022	https://www.oracle.com/security-alerts/cpujul2022.html
ソフトウェア製品セキュリティ情報
14	hitachi-sec-2025-122	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2025-122/index.html

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-23-075-01	https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-01
2	ICSA-23-166-12	https://www.cisa.gov/news-events/ics-advisories/icsa-23-166-12
JVN
3	JVNVU#99464755	http://jvn.jp/vu/JVNVU99464755/index.html
4	JVNVU#99752892	http://jvn.jp/vu/JVNVU99752892/index.html

Change Log

No	Changed Details	Date of change
1	[2023年07月12日] 掲載	July 12, 2023, 10:08 a.m.
2	[2025年05月15日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日立 (hitachi-sec-2025-122) を追加	May 15, 2025, 1:38 p.m.

NVD Vulnerability Information

CVE-2022-23308

Summary	valid.c in libxml2 before 2.9.13 has a use-after-free of ID and IDREF attributes.
Publication Date	Feb. 26, 2022, 2:15 p.m.
Registration Date	Feb. 26, 2022, 4 p.m.
Last Update	Nov. 21, 2024, 3:48 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:xmlsoft:libxml2::::::::					2.9.13

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:34:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:::::::*
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-004::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-005::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-006::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-008::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-007::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-001::::::
cpe:2.3:o:apple:mac_os_x::::::::	10.15.0			10.15.7
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-003::::::
cpe:2.3:o:apple:iphone_os::::::::				15.5
cpe:2.3:o:apple:watchos::::::::				8.6
cpe:2.3:o:apple:tvos::::::::				15.5
cpe:2.3:o:apple:ipados::::::::				15.5
cpe:2.3:o:apple:macos::::::::	12.0			12.4
cpe:2.3:o:apple:macos::::::::	11.6.0			11.6.6

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:netapp:snapdrive:-:::::unix::
cpe:2.3:a:netapp:snapmanager:-:::::oracle::
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*
cpe:2.3:a:netapp:smi-s_provider:-:::::::*
cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:::::::*
cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
cpe:2.3:a:netapp:manageability_software_development_kit:-:::::::*
cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:::::::*

Configuration6		or higher	or less	more than	less than
cpe:2.3:o:netapp:bootstrap_os:-:::::::*
execution environment
1	cpe:2.3:h:netapp:hci_compute_node:-:::::::*

Configuration7		or higher	or less	more than	less than
cpe:2.3:o:netapp:h300s_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h300s:-:::::::*

Configuration8		or higher	or less	more than	less than
cpe:2.3:o:netapp:h500s_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h500s:-:::::::*

Configuration9		or higher	or less	more than	less than
cpe:2.3:o:netapp:h700s_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h700s:-:::::::*

Configuration10		or higher	or less	more than	less than
cpe:2.3:o:netapp:h300e_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h300e:-:::::::*

Configuration11		or higher	or less	more than	less than
cpe:2.3:o:netapp:h500e_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h500e:-:::::::*

Configuration12		or higher	or less	more than	less than
cpe:2.3:o:netapp:h700e_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h700e:-:::::::*

Configuration13		or higher	or less	more than	less than
cpe:2.3:o:netapp:h410s_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h410s:-:::::::*

Configuration14		or higher	or less	more than	less than
cpe:2.3:o:netapp:h410c_firmware:-:::::::*
execution environment
1	cpe:2.3:h:netapp:h410c:-:::::::*

Configuration15	or higher	or less	more than	less than
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.2.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:::::::*
cpe:2.3:a:oracle:mysql_workbench::::::::		8.0.29

Related information, measures and tools

No	URL	タグ
1	http://seclists.org/fulldisclosure/2022/May/33	Mailing List Third Party Advisory
2	http://seclists.org/fulldisclosure/2022/May/33	Mailing List Third Party Advisory
3	http://seclists.org/fulldisclosure/2022/May/34	Mailing List Third Party Advisory
4	http://seclists.org/fulldisclosure/2022/May/34	Mailing List Third Party Advisory
5	http://seclists.org/fulldisclosure/2022/May/35	Mailing List Third Party Advisory
6	http://seclists.org/fulldisclosure/2022/May/35	Mailing List Third Party Advisory
7	http://seclists.org/fulldisclosure/2022/May/36	Mailing List Third Party Advisory
8	http://seclists.org/fulldisclosure/2022/May/36	Mailing List Third Party Advisory
9	http://seclists.org/fulldisclosure/2022/May/37	Mailing List Third Party Advisory
10	http://seclists.org/fulldisclosure/2022/May/37	Mailing List Third Party Advisory
11	http://seclists.org/fulldisclosure/2022/May/38	Mailing List Third Party Advisory
12	http://seclists.org/fulldisclosure/2022/May/38	Mailing List Third Party Advisory
13	https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e	Patch Third Party Advisory
14	https://github.com/GNOME/libxml2/commit/652dd12a858989b14eed4e84e453059cd3ba340e	Patch Third Party Advisory
15	https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS	Release Notes Third Party Advisory
16	https://gitlab.gnome.org/GNOME/libxml2/-/blob/v2.9.13/NEWS	Release Notes Third Party Advisory
17	https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html	Mailing List Third Party Advisory
18	https://lists.debian.org/debian-lts-announce/2022/04/msg00004.html	Mailing List Third Party Advisory
19	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/
20	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LA3MWWAYZADWJ5F6JOUBX65UZAMQB7RF/
21	https://security.gentoo.org/glsa/202210-03	Third Party Advisory
22	https://security.gentoo.org/glsa/202210-03	Third Party Advisory
23	https://security.netapp.com/advisory/ntap-20220331-0008/	Third Party Advisory
24	https://security.netapp.com/advisory/ntap-20220331-0008/	Third Party Advisory
25	https://support.apple.com/kb/HT213253	Third Party Advisory
26	https://support.apple.com/kb/HT213253	Third Party Advisory
27	https://support.apple.com/kb/HT213254	Third Party Advisory
28	https://support.apple.com/kb/HT213254	Third Party Advisory
29	https://support.apple.com/kb/HT213255	Third Party Advisory
30	https://support.apple.com/kb/HT213255	Third Party Advisory
31	https://support.apple.com/kb/HT213256	Third Party Advisory
32	https://support.apple.com/kb/HT213256	Third Party Advisory
33	https://support.apple.com/kb/HT213257	Third Party Advisory
34	https://support.apple.com/kb/HT213257	Third Party Advisory
35	https://support.apple.com/kb/HT213258	Third Party Advisory
36	https://support.apple.com/kb/HT213258	Third Party Advisory
37	https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory
38	https://www.oracle.com/security-alerts/cpujul2022.html	Patch Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-416	解放済みメモリの使用	https://cwe.mitre.org/data/definitions/416.html

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2020-001::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-001::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-002::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:::::::*
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-003::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-004::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-005::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-006::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-008::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2021-007::::::
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-001::::::
cpe:2.3:o:apple:mac_os_x::::::::	10.15.0			10.15.7
cpe:2.3:o:apple:mac_os_x:10.15.7:security_update_2022-003::::::
cpe:2.3:o:apple:iphone_os::::::::				15.5
cpe:2.3:o:apple:watchos::::::::				8.6
cpe:2.3:o:apple:tvos::::::::				15.5
cpe:2.3:o:apple:ipados::::::::				15.5
cpe:2.3:o:apple:macos::::::::	12.0			12.4
cpe:2.3:o:apple:macos::::::::	11.6.0			11.6.6

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:netapp:snapdrive:-:::::unix::
cpe:2.3:a:netapp:snapmanager:-:::::oracle::
cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::*
cpe:2.3:a:netapp:clustered_data_ontap:-:::::::*
cpe:2.3:a:netapp:smi-s_provider:-:::::::*
cpe:2.3:a:netapp:clustered_data_ontap_antivirus_connector:-:::::::*
cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager:-:::::vmware_vsphere::
cpe:2.3:a:netapp:manageability_software_development_kit:-:::::::*
cpe:2.3:a:netapp:solidfire\,_enterprise_sds_\&_hci_storage_node:-:::::::*

Configuration15	or higher	or less	more than	less than
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:22.1.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.2.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:22.1.2:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:22.2.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:22.2.0:::::::*
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:22.1.1:::::::*
cpe:2.3:a:oracle:mysql_workbench::::::::		8.0.29