Headline
CVE-2018-1311: 'Xerces-C Security Advisory [CVE-2018-1311]' - MARC
The Apache Xerces-C 3.0.0 to 3.2.3 XML parser contains a use-after-free error triggered during the scanning of external DTDs. This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.
[prev in list] [next in list] [prev in thread] [next in thread] List: xerces-c-users Subject: Xerces-C Security Advisory [CVE-2018-1311] From: “Cantor, Scott” <cantor.2 () osu ! edu> Date: 2019-12-16 23:19:48 Message-ID: 66B4F0F4-7968-442B-89D7-4A7A6305B3ED () osu ! edu [Download RAW message or body]
The below advisory is being publically announced at the request of the Apache \ security team as a result of it having gone unfixed for over a year, with no \ volunteer at present to work on the bug.
I have publically posted the advisory at the referenced URL, and updated the advisory \ page on the website to reflect the status of the issue. I have also filed a public \ JIRA issue regarding the bug, XERCESC-2188.
Future unfixed issues will be posted in the same manner if the chance of a fix is \ deemed unlikely by the PMC after a reasonable amount of time.
Scott Cantor [email protected] Enterprise Security The Ohio State University
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
CVE-2018-1311: Apache Xerces-C use-after-free vulnerability processing external DTD
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: Apache Xerces-C XML Parser library (all known versions)
Description: The Xerces-C XML parser contains a use-after-free error triggered during the scanning of external DTDs.
The bug allows for a denial of service attack in applications that allow external DTD processing and do not prevent external DTD usage, and could conceivably result in remote code execution if the heap were groomed.
Mitigation: This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable.
Applications should strongly consider blocking remote entity resolution and/or disabling of DTD processing in light of the continued identification of bugs in this area of the library.
Credit: This issue was reported by the UK’s National Cyber Security Centre (NCSC).
References: http://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAl34DFIACgkQN4uEVAIn eWIbtQ/9Gv7gURR24J5yx+R69O4bnGsgHPaHea7VWh4bs4H/mYli3ewZBwzkuTz1 +Ib6RN8QXT9FA4+TVBCQua2/EBlpnpNMHPp6+GDWISrPYworJGV9FDrCDfqB+BR2 Li68pH/wlFgqCLMsdUSm7lKU9n+rflW8kx3AsqBlggcrfGTh7XJaImHelOXuRqw/ QumnckDQQkEgPHxGVE5h2uYvwj1HsyU/czqqWVAHC1rzdXI9syGGOO9xoNCjB70d rMi+XEDTuyzqY6SIjM1NLbFyX8cs9CDM4IhQeG+XNQUE9VnvLu1dHY/IqvS9jDrO HD4J0ID/rnbxSou3BTaMKGr/TkJHanniZhXJxZujDI7ksEbMBemB7ROwCcQLQ8Z8 B3QKfCQwjIGmBMaDafElyrbIp74+Vpq3eY6itFOGCQE7f+rXu3qxEk5njsdBsJYV s47v9f0v65O0FE5l7yPi3zhkonCfHaMTw08SboY2YqWJf9A1YJZOs1PF1SNU+D/p rM2ydwP5F9OPlwm/uLCfRd+hl2etM0UJBcL1V/tP0ORoEZUF1+ZEZckDQ9Cnr2eY 6Dgd+dmTk5nxjPmsQZPHb4QXsQHbq1HCU5/oJug56SatJ0H0ffj48XXjd1UlBEIk v5Eo3+ahPxXBuSgc77naLcisSy3H3+qL6VDMpq6qK1IC/PXvaz0= =zDeT -----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic
Related news
Ubuntu Security Notice 6590-1 - It was discovered that Xerces-C++ was not properly handling memory management operations when parsing XML data containing external DTDs, which could trigger a use-after-free error. If a user or automated system were tricked into processing a specially crafted XML document, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. It was discovered that Xerces-C++ was not properly performing bounds checks when processing XML Schema Definition files, which could lead to an out-of-bounds access via an HTTP request. If a user or automated system were tricked into processing a specially crafted XSD file, a remote attacker could possibly use this issue to cause a denial of service.
Ubuntu Security Notice 6579-2 - USN-6579-1 fixed a vulnerability in Xerces-C++. This update provides the corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 23.04 and Ubuntu 23.10. It was discovered that Xerces-C++ was not properly handling memory management operations when parsing XML data containing external DTDs, which could trigger a use-after-free error. If a user or automated system were tricked into processing a specially crafted XML document, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Ubuntu Security Notice 6579-1 - It was discovered that Xerces-C++ was not properly handling memory management operations when parsing XML data containing external DTDs, which could trigger a use-after-free error. If a user or automated system were tricked into processing a specially crafted XML document, an attacker could possibly use this issue to cause a denial of service or execute arbitrary code.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
Pexip Infinity before 28.1 allows remote attackers to trigger a software abort via G.719.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via the Session Initiation Protocol.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via One Touch Join.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via H.323.
Pexip Infinity 27.x before 27.3 allows remote attackers to trigger a software abort via HTTP.
Pexip Infinity before 27.3 allows remote attackers to trigger a software abort via Epic Telehealth.
Pexip Infinity before 27.3 allows remote attackers to trigger excessive resource consumption via H.264.
Pexip Infinity before 27.3 allows remote attackers to force a software abort via HTTP.
Pexip Infinity 27.x before 27.3 has Improper Input Validation. The client API allows remote attackers to trigger a software abort via a gateway call into Teams.