
Vulnerability of Apache Xerces-C: denial of service via a deeply nested DTD

Synthesis of the vulnerability

An attacker can submit an XML document including a deeply nested DTD to Apache Xerces-C, in order to trigger a denial of service.
Impacted products: Xerces-C++, Debian, BIG-IP Hardware, TMOS, Fedora, Notes by IBM, McAfee Web Gateway, openSUSE, openSUSE Leap, Oracle Communications, RHEL, Shibboleth SP, SUSE Linux Enterprise Desktop, SLES.
Severity of this bulletin: 2/4.
Creation date: 30/06/2016.
References of this threat: 1983969, 1984073, 1987066, 1990410, cpujul2018, CVE-2016-4463, DLA-535-1, DSA-3610-1, FEDORA-2016-0a061f6dd9, FEDORA-2016-7615febbd6, FEDORA-2016-84373c5f4f, FEDORA-2016-87e8468465, FEDORA-2016-9284772686, FEDORA-2016-d2d6890690, FEDORA-2018-51ce232320, openSUSE-SU-2016:1808-1, openSUSE-SU-2016:2232-1, RHSA-2018:3335-01, RHSA-2018:3506-01, RHSA-2018:3514-01, SB10276, SOL70191975, SUSE-SU-2018:3277-1, VIGILANCE-VUL-20001.

Description of the vulnerability

The Apache Xerces-C XML parser handles Document Type Definitions (DTDs), including the internal subset embedded directly in an XML document.

DTDs are parsed recursively. However, Xerces-C does not limit the nesting depth of the element definitions in a DTD, so a very deeply nested DTD makes the parser's call stack grow until it exhausts its limit. This stack overflow kills the application process.

An attacker can therefore submit an XML document including a deeply nested DTD to Apache Xerces-C, in order to trigger a denial of service.
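As an added illustration, not part of the Vigil@nce bulletin or of the Xerces-C project, the following pre-parse gate measures the nesting depth of the content models declared in a document's internal DTD subset and rejects the document before it reaches the real parser; upgrading to a fixed Xerces-C release remains the actual fix, this only limits exposure in front of an unpatched parser. The depth limit of 64, the function names and the sample documents are assumptions constructed for this example.

```python
import re
from typing import Optional

# Policy value (assumption): the deepest element content model this gate lets
# through. Legitimate DTDs rarely nest more than a handful of levels.
MAX_DTD_NESTING = 64

# <!DOCTYPE name ... [ internal subset ]> ; the subset group is optional.
_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(\[(?P<subset>.*?)\]\s*)?>", re.DOTALL)
# <!ELEMENT name content-model> ; only the content model is of interest here.
_ELEMENT_RE = re.compile(r"<!ELEMENT\s+[^\s>]+\s+(?P<model>[^>]*)>", re.DOTALL)


def internal_subset(xml_text: str) -> Optional[str]:
    """Return the text of the internal DTD subset, or None if there is none."""
    m = _DOCTYPE_RE.search(xml_text)
    if m is None or m.group("subset") is None:
        return None
    return m.group("subset")


def max_model_depth(model: str) -> int:
    """Deepest parenthesis nesting inside one element content model."""
    depth = best = 0
    for ch in model:
        if ch == "(":
            depth += 1
            best = max(best, depth)
        elif ch == ")":
            depth -= 1
    return best


def dtd_nesting_depth(xml_text: str) -> int:
    """Deepest content-model nesting across all <!ELEMENT> declarations."""
    subset = internal_subset(xml_text)
    if subset is None:
        return 0
    depths = (max_model_depth(m.group("model")) for m in _ELEMENT_RE.finditer(subset))
    return max(depths, default=0)


def is_acceptable(xml_text: str, limit: int = MAX_DTD_NESTING) -> bool:
    """True if the document may be handed to the XML parser under this policy."""
    return dtd_nesting_depth(xml_text) <= limit


def nested_dtd_sample(depth: int) -> str:
    """Constructed test document whose root content model nests `depth` levels."""
    model = "(" * depth + "a" + ")" * depth
    return ('<?xml version="1.0"?><!DOCTYPE r [<!ELEMENT r ' + model +
            '><!ELEMENT a (#PCDATA)>]><r><a/></r>')
```

A gateway that never needs DTDs should reject any document for which `internal_subset` returns a value at all, which is simpler than measuring depth.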

This computer threat note impacts software or systems such as Xerces-C++, Debian, BIG-IP Hardware, TMOS, Fedora, Notes by IBM, McAfee Web Gateway, openSUSE, openSUSE Leap, Oracle Communications, RHEL, Shibboleth SP, SUSE Linux Enterprise Desktop, SLES.

Our Vigil@nce team determined that the severity of this weakness alert is medium.

The trust level is "confirmed by the editor", with the information originating from a document.

An attacker with an expert ability can exploit this computer weakness note.

Solutions for this threat

Apache Xerces-C: version 3.1.4.
The version 3.1.4 is fixed:
  http://apache.trisect.eu//xerces/c/3/sources/xerces-c-3.1.4.tar.gz

Debian: new xerces-c packages.
New packages are available:
  Debian 8: xerces-c 3.1.1-5.1+deb8u3
  Debian 7: xerces-c 3.1.1-3+deb7u4

F5 BIG-IP: fixed versions for Xerces.
Fixed versions are indicated in information sources.

Fedora 29: new xerces-c27 packages.
New packages are available:
  Fedora 29: xerces-c27 2.7.0-28.fc29

Fedora: new mingw-xerces-c packages.
New packages are available:
  Fedora 24: mingw-xerces-c 3.1.4-1.fc24
  Fedora 23: mingw-xerces-c 3.1.4-1.fc23
  Fedora 22: mingw-xerces-c 3.1.4-1.fc22

Fedora: new xerces-c packages.
New packages are available:
  Fedora 24: xerces-c 3.1.4-1.fc24
  Fedora 23: xerces-c 3.1.4-1.fc23
  Fedora 22: xerces-c 3.1.4-1.fc22

IBM Notes: version 9.0.1 FP7.
The version 9.0.1 FP7 is fixed:
  http://www-01.ibm.com/support/docview.wss?uid=swg24037141

McAfee Web Gateway: fixed versions for OSS Software.
Fixed versions are indicated in information sources.

openSUSE 13.2: new xerces-c packages.
New packages are available:
  openSUSE 13.2: xerces-c 3.1.4-13.9.2

openSUSE Leap 42.1: new xerces-c packages.
New packages are available:
  openSUSE Leap 42.1: xerces-c 3.1.1-19.1

Oracle Communications: CPU of July 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2410237.1
  https://support.oracle.com/rs?type=doc&id=2406191.1
  https://support.oracle.com/rs?type=doc&id=2410234.1
  https://support.oracle.com/rs?type=doc&id=2408211.1
  https://support.oracle.com/rs?type=doc&id=2406689.1
  https://support.oracle.com/rs?type=doc&id=2408212.1
  https://support.oracle.com/rs?type=doc&id=2410243.1
  https://support.oracle.com/rs?type=doc&id=2410198.1

RHEL 7.4: new xerces-c packages.
New packages are available:
  RHEL 7: xerces-c 3.1.1-8.el7_4.1

RHEL 7.5: new xerces-c packages.
New packages are available:
  RHEL 7: xerces-c 3.1.1-8.el7_5.1

RHEL 7: new xerces-c packages.
New packages are available:
  RHEL 7: xerces-c 3.1.1-9.el7

Shibboleth Service Provider: version 2.6.0.
The version 2.6.0 is fixed.

SUSE LE 11 SP4: new Xerces-c packages.
New packages are available:
  SUSE LE 11 SP4: Xerces-c 2.8.0-29.17.5.1
