The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability in Apache Xerces-C++: invalid memory read via XMLReader.cpp

Summary of the vulnerability 

An attacker can supply malformed XML that makes XMLReader.cpp in Apache Xerces-C++ read from an invalid address, in order to trigger a denial of service (crash of the parsing process).
Impacted software: Xerces-C++, Debian, Fedora, openSUSE, Oracle Communications, RHEL.
Severity of this computer vulnerability: 2/4.
Creation date: 20/03/2015.
Revision date: 04/05/2015.
References for this bulletin: cpuoct2018, CVE-2015-0252, DSA-3199-1, FEDORA-2015-4228, FEDORA-2015-4251, FEDORA-2015-4285, FEDORA-2015-4321, openSUSE-SU-2016:0966-1, RHSA-2015:1193-01, VIGILANCE-VUL-16432.

Description of the vulnerability 

The Apache Xerces-C++ product uses the src/xercesc/internal/XMLReader.cpp file to parse XML data.

However, when parsing certain malformed XML documents, several functions in XMLReader.cpp read from a memory area that is not accessible to the process, which triggers a fatal error (a segmentation fault that terminates the parser).

An attacker can therefore force a read at an invalid address in XMLReader.cpp of Apache Xerces-C++, in order to trigger a denial of service against any application that parses untrusted XML with a vulnerable version of the library.
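The defect class described above, as an added illustrative example: this is not Xerces-C++ code and not the functions fixed in 3.1.2, but a toy start-tag name scanner written first in the unchecked form that trusts a terminating byte to appear, then in a bounded form that stops at the end of the buffer and reports truncation instead of reading past it. Function names and inputs are constructed for this page.

```cpp
// Added illustrative example (not Xerces-C++ code): the same scanning loop
// written without and with an end-of-buffer check. Names and inputs are
// constructed for this page.
#include <cstddef>
#include <string>
#include <vector>

// Characters accepted inside a name by this toy scanner (a subset of the
// real XML Name production, enough to show the control flow).
static bool isNameChar(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.' || c == ':';
}

// Vulnerable pattern: the loop trusts that a non-name byte (such as '>' or
// a NUL terminator) will eventually appear. If the input buffer ends in the
// middle of a name, the scan walks past its end and reads memory that is
// not part of the buffer, which is how an invalid-address read and a crash
// arise in a parser. Kept here only to show the defect; never call it on a
// buffer that is not guaranteed to be terminated.
std::string scanNameUnchecked(const char* p) {
    const char* start = p;
    while (isNameChar(*p)) {
        ++p;
    }
    return std::string(start, p);
}

// Hardened form: the scanner receives the buffer length and stops at the
// end of the buffer. Returns false when the name is cut off by the end of
// the input, so the caller can raise a parse error instead of touching
// memory beyond the buffer.
bool scanNameBounded(const char* buf, std::size_t len, std::size_t& pos,
                     std::string& name) {
    std::size_t start = pos;
    while (pos < len && isNameChar(buf[pos])) {
        ++pos;
    }
    name.assign(buf + start, pos - start);
    // Reaching len with no terminating byte means the document was cut
    // off inside the name: a fatal parse error, not a memory access.
    return pos < len;
}

// Parse the element name out of a start tag such as "<root>" held in a
// buffer of exactly doc.size() bytes (no NUL terminator assumed). Returns
// true and fills `name` on success; returns false for a tag truncated at
// the buffer boundary or not starting with '<'.
bool parseStartTagName(const std::vector<char>& doc, std::string& name) {
    if (doc.empty() || doc[0] != '<') {
        return false;
    }
    std::size_t pos = 1;
    if (!scanNameBounded(doc.data(), doc.size(), pos, name)) {
        return false;  // truncated: the byte after the name does not exist
    }
    // pos < doc.size() is guaranteed here, so this index is in bounds.
    return doc[pos] == '>' || doc[pos] == ' ' || doc[pos] == '/';
}

int main() {
    // Constructed inputs: a well-formed start tag and one cut off mid-name.
    std::vector<char> ok = {'<', 'r', 'o', 'o', 't', '>'};
    std::vector<char> truncated = {'<', 'r', 'o', 'o'};
    std::string name;
    bool a = parseStartTagName(ok, name);         // true, name == "root"
    bool b = parseStartTagName(truncated, name);  // false, nothing read past the buffer
    return (a && !b) ? 0 : 1;
}
```

The point of the bounded form is that the length travels with the pointer: every read is guarded by `pos < len`, and "ran out of input inside a token" becomes a return value the caller turns into a parse error. Running the unchecked scanner on the `truncated` vector above would read beyond the four bytes it owns, which is the behaviour class this bulletin describes.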

This cybersecurity vulnerability impacts software or systems such as Xerces-C++, Debian, Fedora, openSUSE, Oracle Communications, RHEL.

Our Vigil@nce team determined that the severity of this vulnerability is medium.

Trust level: confirmed by the vendor, based on a vendor document.

A proof of concept or an attack tool is available, so your teams must act on this alert. An attacker with technician-level skill can exploit this weakness.

Solutions for this threat 

Apache Xerces-C++: version 3.1.2.
Version 3.1.2 is fixed:
  http://xerces.apache.org/xerces-c/

Apache Xerces-C++: patch for XMLReader.cpp.
A patch is available in the information sources listed under the references above.

Debian: new xerces-c packages.
New packages are available:
  Debian 7: xerces-c 3.1.1-3+deb7u1

Fedora: new mingw-xerces-c packages.
New packages are available:
  Fedora 20: mingw-xerces-c 3.1.1-9.fc20
  Fedora 21: mingw-xerces-c 3.1.1-11.fc21

Fedora: new xerces-c packages.
New packages are available:
  Fedora 20: xerces-c 3.1.1-6.fc20
  Fedora 21: xerces-c 3.1.1-8.fc21

openSUSE 13.2: new xerces-c packages.
New packages are available:
  openSUSE 13.2: xerces-c 3.1.1-13.3.1

Oracle Communications: CPU of October 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2451363.1
  https://support.oracle.com/rs?type=doc&id=2450339.1
  https://support.oracle.com/rs?type=doc&id=2450354.1
  https://support.oracle.com/rs?type=doc&id=2450340.1
  https://support.oracle.com/rs?type=doc&id=2452772.1
  https://support.oracle.com/rs?type=doc&id=2451007.1

RHEL 7.1: new xerces-c packages.
New packages are available:
  RHEL 7: xerces-c 3.1.1-7.el7_1
