The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Xerces-C: buffer overflow

Synthesis of the vulnerability 

An attacker can generate a buffer overflow of Apache Xerces-C, in order to trigger a denial of service, and possibly to run code.
Vulnerable software: Xerces-C++, Debian, Fedora, Db2 UDB, Notes by IBM, openSUSE, openSUSE Leap, Oracle Communications, RHEL, Shibboleth SP.
Severity of this announcement: 3/4.
Creation date: 25/02/2016.
References of this computer vulnerability: 1610582, 1983969, 1984073, 1987066, 1990410, 2002647, cpuapr2017, cpuoct2018, CVE-2016-0729, DSA-3493-1, FEDORA-2016-0a061f6dd9, FEDORA-2016-7615febbd6, FEDORA-2016-87e8468465, FEDORA-2016-880b91c090, FEDORA-2016-ae9ac16cf3, openSUSE-SU-2016:0966-1, openSUSE-SU-2016:1121-1, RHSA-2016:0430-01, VIGILANCE-VUL-19033.

Description of the vulnerability 

The Apache Xerces-C product analyzes XML data.

However, if the size of the data is greater than the size of the storage array, an overflow occurs.

An attacker can therefore generate a buffer overflow of Apache Xerces-C, in order to trigger a denial of service, and possibly to run code.

This computer threat note impacts software or systems such as Xerces-C++, Debian, Fedora, Db2 UDB, Notes by IBM, openSUSE, openSUSE Leap, Oracle Communications, RHEL, Shibboleth SP.

Our Vigil@nce team determined that the severity of this weakness alert is important.

The trust level is: confirmed by the vendor, with an origin of: document.

An attacker with expert ability can exploit this computer weakness note.

Solutions for this threat 

Apache Xerces-C: version 3.1.3.
The version 3.1.3 is fixed:
  https://xerces.apache.org/xerces-c/

Apache Xerces-C: patch.
A patch is available:
  http://svn.apache.org/viewvc?view=revision&revision=1727978

Debian: new xerces-c packages.
New packages are available:
  Debian 7: xerces-c 3.1.1-3+deb7u2
  Debian 8: xerces-c 3.1.1-5.1+deb8u1

Fedora: new mingw-xerces-c packages.
New packages are available:
  Fedora 24: mingw-xerces-c 3.1.4-1.fc24
  Fedora 23: mingw-xerces-c 3.1.4-1.fc23
  Fedora 22: mingw-xerces-c 3.1.4-1.fc22

Fedora: new xerces-c packages.
New packages are available:
  Fedora 22: xerces-c 3.1.3-1.fc22
  Fedora 23: xerces-c 3.1.3-1.fc23

IBM BigFix Platform: solution for Apache Xerces-C.
The solution is indicated in information sources.

IBM DB2: version 10.1 Fix Pack 6.
The version 10.1 Fix Pack 6 is fixed.

IBM Notes: version 9.0.1 FP7.
The version 9.0.1 FP7 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24037141

openSUSE 13.2: new xerces-c packages.
New packages are available:
  openSUSE 13.2: xerces-c 3.1.1-13.3.1

openSUSE Leap 42.1: new xerces-c packages.
New packages are available:
  openSUSE Leap 42.1: xerces-c 3.1.1-16.1

Oracle Communications: CPU of April 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2247453.1
  https://support.oracle.com/rs?type=doc&id=2248470.1
  https://support.oracle.com/rs?type=doc&id=2251718.1
  https://support.oracle.com/rs?type=doc&id=2245233.1
  https://support.oracle.com/rs?type=doc&id=2248526.1
  https://support.oracle.com/rs?type=doc&id=2250567.1

Oracle Communications: CPU of October 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2451363.1
  https://support.oracle.com/rs?type=doc&id=2450339.1
  https://support.oracle.com/rs?type=doc&id=2450354.1
  https://support.oracle.com/rs?type=doc&id=2450340.1
  https://support.oracle.com/rs?type=doc&id=2452772.1
  https://support.oracle.com/rs?type=doc&id=2451007.1

RHEL 7.2: new xerces-c packages.
New packages are available:
  RHEL 7: xerces-c 3.1.1-8.el7_2

Shibboleth Service Provider: version 2.5.6.
The version 2.5.6 is fixed:
  http://shibboleth.net/downloads/
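The per-distribution fixed versions listed above can be turned into an inventory check. The following Python is added here and is not part of the Vigil@nce bulletin or the Xerces-C project: it flags hosts whose installed xerces-c package is older than the fixed version for their distribution. The host inventory is a constructed sample, and the version comparison is a simplified split-and-compare, not the full dpkg/rpm algorithm (no epoch or tilde handling), so treat its verdict as a first pass.

```python
import re

# Fixed xerces-c package versions, per distribution, as given in the bulletin above.
FIXED_VERSIONS = {
    "Debian 7": "3.1.1-3+deb7u2",
    "Debian 8": "3.1.1-5.1+deb8u1",
    "Fedora 22": "3.1.3-1.fc22",
    "Fedora 23": "3.1.3-1.fc23",
    "openSUSE 13.2": "3.1.1-13.3.1",
    "openSUSE Leap 42.1": "3.1.1-16.1",
    "RHEL 7": "3.1.1-8.el7_2",
}
UPSTREAM_FIXED = "3.1.3"  # fixed upstream release of Apache Xerces-C


def version_key(version):
    """Split a version string into comparable chunks: numeric runs compare as
    integers, alphabetic runs as strings. A version with extra trailing chunks
    sorts after its prefix, so 3.1.1-5.1+deb8u1 > 3.1.1-5.1. Simplified: no
    epoch (1:) or tilde (~) semantics as in dpkg/rpm."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return [(0, int(p)) if p.isdigit() else (1, p) for p in parts]


def is_fixed(distro, installed_version):
    """True when the installed package is at or above the bulletin's fixed version."""
    return version_key(installed_version) >= version_key(FIXED_VERSIONS[distro])


def upstream_is_fixed(installed_version):
    """True for a source build at or above the fixed upstream release."""
    return version_key(installed_version) >= version_key(UPSTREAM_FIXED)


def triage(inventory):
    """inventory: (hostname, distro, installed xerces-c version) tuples, e.g. from a
    CMDB export. Returns the hosts that still need the update."""
    return [host for host, distro, ver in inventory if not is_fixed(distro, ver)]


# Constructed sample inventory; the host names and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("web-01", "Debian 8", "3.1.1-5.1"),           # pre-DSA package, still vulnerable
    ("web-02", "Debian 8", "3.1.1-5.1+deb8u1"),    # fixed
    ("app-01", "RHEL 7", "3.1.1-7.el7_0"),         # older than the fixed build
    ("app-02", "RHEL 7", "3.1.1-8.el7_2"),         # fixed
    ("build-01", "Fedora 23", "3.1.3-1.fc23"),     # fixed
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: xerces-c older than the fixed version, update required")
```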

Computer vulnerabilities tracking service 

Vigil@nce provides computer security analysis. The technology watch team tracks security threats targeting the computer system.