See tracker for (few) details, apparently xalan is bundled in openjdk, according to URL: "Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan."
https://openjdk.org/groups/vulnerability/advisories/2022-07-19 "These issues have been addressed, as applicable, in the following releases: 7u351, 8u342, 11.0.16, 13.0.12, 15.0.8, 17.0.4, and 18.0.2"
The vulnerability is in bcel, seems like that's bundled here as well.
(In reply to John Helmert III from comment #1) > https://openjdk.org/groups/vulnerability/advisories/2022-07-19 > > "These issues have been addressed, as applicable, in the following releases: > 7u351, 8u342, 11.0.16, 13.0.12, 15.0.8, 17.0.4, and 18.0.2" Hm, to be clear, these are tracked in bug 859376, not here.