The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Expat: infinite loop via XML Names Large Colons

Synthesis of the vulnerability 

An attacker can submit an XML document whose element or attribute names contain a very large number of colons to a namespace-aware Expat parser, making it consume excessive CPU and memory (the "infinite loop" of the title), in order to trigger a denial of service.
Impacted products: Debian, BIG-IP Hardware, TMOS, Fedora, WebSphere AS Traditional, Juniper SBR, openSUSE Leap, Oracle DB, Oracle Fusion Middleware, Oracle OIT, Solaris, WebLogic, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this bulletin: 2/4.
Creation date: 27/06/2019.
References of this threat: 964768, bulletinoct2019, cpuapr2020, cpuoct2020, CVE-2018-20843, DLA-1839-1, DSA-4472-1, FEDORA-2019-139fcda84d, FEDORA-2019-18868e1715, JSA11074, K51011533, openSUSE-SU-2019:1777-1, RHSA-2020:3952-01, SUSE-SU-2019:1834-1, SUSE-SU-2019:1835-1, USN-4040-1, USN-4040-2, VIGILANCE-VUL-29637.

Description of the vulnerability 

When namespace processing is enabled, Expat splits XML names on colons to extract the namespace prefix. In versions before 2.2.7 the prefix-extraction code handled every colon in a name instead of stopping at the first one, so an element or attribute name containing a very large number of colons makes the parser do work, and allocate memory, that grows quadratically with the number of colons (names with several colons could also end up in the wrong namespace). An attacker who can feed such a document to a namespace-aware Expat parser can therefore make it consume excessive CPU and RAM, in order to trigger a denial of service. Parsers created without namespace processing do not run the affected prefix-extraction code. The issue is fixed in Expat 2.2.7 (CVE-2018-20843).


Our Vigil@nce team determined that the severity of this weakness alert is medium.

Trust level: confirmed by the vendor (source: vendor document).

This bulletin rates the skill required to exploit this weakness as expert.

Solutions for this threat 

Debian 8: new expat packages.
New packages are available:
  Debian 8: expat 2.1.0-6+deb8u5

Debian 9: new expat packages.
New packages are available:
  Debian 9: expat 2.2.0-2+deb9u2

Fedora: new expat packages.
New packages are available:
  Fedora 29: expat 2.2.7-1.fc29
  Fedora 30: expat 2.2.7-1.fc30

IBM WebSphere Application Server: patch for IBM HTTP Server (Apache httpd).
A patch is available:
  Interim Fix PH14974 https://www.ibm.com/support/pages/node/1074154

Juniper Networks SBR Carrier: fixed versions for Third-party Software.
Fixed versions are listed in the Juniper advisory referenced above (JSA11074).

openSUSE Leap: new expat packages.
New packages are available:
  openSUSE Leap 15.0: expat 2.2.5-lp150.2.3.1
  openSUSE Leap 15.1: expat 2.2.5-lp151.3.3.1

Oracle Database: CPU of October 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2694898.1

Oracle Fusion Middleware: CPU of April 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2633852.1

Oracle Solaris: Third Party Bulletin of October 2019 (v1).
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

RHEL 7.8: new expat packages.
New packages are available:
  RHEL 7.0-7.8: expat 2.1.0-12.el7

SUSE LE 12 SP4: new expat packages.
New packages are available:
  SUSE LE 12 SP4: expat 2.1.0-21.6.1

SUSE LE 15: new expat packages.
New packages are available:
  SUSE LE 15 RTM: expat 2.2.5-3.3.1
  SUSE LE 15 SP1: expat 2.2.5-3.3.1

Ubuntu: new libexpat1 packages.
New packages are available:
  Ubuntu 19.04: libexpat1 2.2.6-1ubuntu0.19.04
  Ubuntu 18.10: libexpat1 2.2.6-1ubuntu0.18.10
  Ubuntu 18.04 LTS: libexpat1 2.2.5-3ubuntu0.1
  Ubuntu 16.04 LTS: libexpat1 2.1.0-7ubuntu0.16.04.4
  Ubuntu 14.04 ESM: libexpat1 2.1.0-4ubuntu1.4+esm1
  Ubuntu 12.04 ESM: libexpat1 2.0.1-7.2ubuntu1.6

Wind River Linux: version 10.18.44.9.
The version 10.18.44.9 is fixed:
  https://support2.windriver.com/
