In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).
Weakness
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libexpat | Libexpat_project | * | 2.2.7 (excluding) |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-curl-0:7.64.1-36.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el6 | * |
| JBoss Core Services on RHEL 6 | RedHat | jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el6 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-curl-0:7.64.1-36.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-httpd-0:2.4.37-57.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_cluster-native-0:1.3.14-4.Final_redhat_2.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_http2-0:1.15.7-3.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_jk-0:1.2.48-4.redhat_1.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_md-1:2.0.8-24.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-mod_security-0:2.9.2-51.GA.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-nghttp2-0:1.39.2-25.jbcs.el7 | * |
| JBoss Core Services on RHEL 7 | RedHat | jbcs-httpd24-openssl-pkcs11-0:0.4.10-7.jbcs.el7 | * |
| Red Hat Enterprise Linux 7 | RedHat | expat-0:2.1.0-12.el7 | * |
| Red Hat Enterprise Linux 8 | RedHat | mingw-expat-0:2.2.4-5.el8 | * |
| Red Hat Enterprise Linux 8 | RedHat | expat-0:2.2.5-4.el8 | * |
| Red Hat Enterprise Linux 8.2 Advanced Update Support | RedHat | expat-0:2.2.10-1.el8_2 | * |
| Red Hat OpenShift Do | RedHat | openshiftdo/odo-init-image-rhel7:1.1.3-2 | * |
| Text-Only JBCS | RedHat | expat | * |
| Apache2 | Ubuntu | trusty | * |
| Apr-util | Ubuntu | trusty | * |
| Audacity | Ubuntu | kinetic | * |
| Audacity | Ubuntu | lunar | * |
| Audacity | Ubuntu | mantic | * |
| Audacity | Ubuntu | trusty | * |
| Ayttm | Ubuntu | trusty | * |
| Ayttm | Ubuntu | xenial | * |
| Cableswig | Ubuntu | trusty | * |
| Cableswig | Ubuntu | xenial | * |
| Cadaver | Ubuntu | bionic | * |
| Cadaver | Ubuntu | cosmic | * |
| Cadaver | Ubuntu | disco | * |
| Cadaver | Ubuntu | eoan | * |
| Cadaver | Ubuntu | focal | * |
| Cadaver | Ubuntu | groovy | * |
| Cadaver | Ubuntu | hirsute | * |
| Cadaver | Ubuntu | impish | * |
| Cadaver | Ubuntu | kinetic | * |
| Cadaver | Ubuntu | lunar | * |
| Cadaver | Ubuntu | mantic | * |
| Cadaver | Ubuntu | oracular | * |
| Cadaver | Ubuntu | plucky | * |
| Cadaver | Ubuntu | trusty | * |
| Cadaver | Ubuntu | xenial | * |
| Cmake | Ubuntu | trusty | * |
| Coin3 | Ubuntu | bionic | * |
| Coin3 | Ubuntu | cosmic | * |
| Coin3 | Ubuntu | disco | * |
| Coin3 | Ubuntu | eoan | * |
| Coin3 | Ubuntu | esm-apps/bionic | * |
| Coin3 | Ubuntu | esm-apps/xenial | * |
| Coin3 | Ubuntu | esm-infra-legacy/trusty | * |
| Coin3 | Ubuntu | groovy | * |
| Coin3 | Ubuntu | trusty | * |
| Coin3 | Ubuntu | trusty/esm | * |
| Coin3 | Ubuntu | xenial | * |
| Expat | Ubuntu | bionic | * |
| Expat | Ubuntu | cosmic | * |
| Expat | Ubuntu | devel | * |
| Expat | Ubuntu | disco | * |
| Expat | Ubuntu | eoan | * |
| Expat | Ubuntu | esm-infra-legacy/trusty | * |
| Expat | Ubuntu | esm-infra/bionic | * |
| Expat | Ubuntu | esm-infra/focal | * |
| Expat | Ubuntu | esm-infra/xenial | * |
| Expat | Ubuntu | focal | * |
| Expat | Ubuntu | groovy | * |
| Expat | Ubuntu | hirsute | * |
| Expat | Ubuntu | impish | * |
| Expat | Ubuntu | jammy | * |
| Expat | Ubuntu | kinetic | * |
| Expat | Ubuntu | lunar | * |
| Expat | Ubuntu | mantic | * |
| Expat | Ubuntu | noble | * |
| Expat | Ubuntu | oracular | * |
| Expat | Ubuntu | plucky | * |
| Expat | Ubuntu | questing | * |
| Expat | Ubuntu | trusty | * |
| Expat | Ubuntu | trusty/esm | * |
| Expat | Ubuntu | upstream | * |
| Expat | Ubuntu | xenial | * |
| Firefox | Ubuntu | cosmic | * |
| Firefox | Ubuntu | disco | * |
| Firefox | Ubuntu | trusty | * |
| Gdcm | Ubuntu | trusty | * |
| Ghostscript | Ubuntu | trusty | * |
| Insighttoolkit | Ubuntu | trusty | * |
| Insighttoolkit | Ubuntu | xenial | * |
| Insighttoolkit4 | Ubuntu | esm-apps/xenial | * |
| Insighttoolkit4 | Ubuntu | trusty | * |
| Insighttoolkit4 | Ubuntu | xenial | * |
| Libxmltok | Ubuntu | bionic | * |
| Libxmltok | Ubuntu | esm-apps/bionic | * |
| Libxmltok | Ubuntu | esm-apps/focal | * |
| Libxmltok | Ubuntu | esm-apps/jammy | * |
| Libxmltok | Ubuntu | esm-apps/noble | * |
| Libxmltok | Ubuntu | esm-apps/xenial | * |
| Libxmltok | Ubuntu | focal | * |
| Libxmltok | Ubuntu | hirsute | * |
| Libxmltok | Ubuntu | impish | * |
| Libxmltok | Ubuntu | jammy | * |
| Libxmltok | Ubuntu | kinetic | * |
| Libxmltok | Ubuntu | lunar | * |
| Libxmltok | Ubuntu | mantic | * |
| Libxmltok | Ubuntu | noble | * |
| Libxmltok | Ubuntu | oracular | * |
| Libxmltok | Ubuntu | plucky | * |
| Libxmltok | Ubuntu | trusty | * |
| Libxmltok | Ubuntu | upstream | * |
| Libxmltok | Ubuntu | xenial | * |
| Matanza | Ubuntu | bionic | * |
| Matanza | Ubuntu | cosmic | * |
| Matanza | Ubuntu | devel | * |
| Matanza | Ubuntu | disco | * |
| Matanza | Ubuntu | eoan | * |
| Matanza | Ubuntu | esm-apps/bionic | * |
| Matanza | Ubuntu | esm-apps/focal | * |
| Matanza | Ubuntu | esm-apps/jammy | * |
| Matanza | Ubuntu | esm-apps/noble | * |
| Matanza | Ubuntu | esm-apps/xenial | * |
| Matanza | Ubuntu | focal | * |
| Matanza | Ubuntu | groovy | * |
| Matanza | Ubuntu | hirsute | * |
| Matanza | Ubuntu | impish | * |
| Matanza | Ubuntu | jammy | * |
| Matanza | Ubuntu | kinetic | * |
| Matanza | Ubuntu | lunar | * |
| Matanza | Ubuntu | mantic | * |
| Matanza | Ubuntu | noble | * |
| Matanza | Ubuntu | oracular | * |
| Matanza | Ubuntu | plucky | * |
| Matanza | Ubuntu | questing | * |
| Matanza | Ubuntu | trusty | * |
| Matanza | Ubuntu | xenial | * |
| Poco | Ubuntu | trusty | * |
| Simgear | Ubuntu | trusty | * |
| Sitecopy | Ubuntu | oracular | * |
| Sitecopy | Ubuntu | plucky | * |
| Sitecopy | Ubuntu | trusty | * |
| Smart | Ubuntu | trusty | * |
| Swish-e | Ubuntu | bionic | * |
| Swish-e | Ubuntu | cosmic | * |
| Swish-e | Ubuntu | disco | * |
| Swish-e | Ubuntu | eoan | * |
| Swish-e | Ubuntu | focal | * |
| Swish-e | Ubuntu | groovy | * |
| Swish-e | Ubuntu | hirsute | * |
| Swish-e | Ubuntu | impish | * |
| Swish-e | Ubuntu | kinetic | * |
| Swish-e | Ubuntu | lunar | * |
| Swish-e | Ubuntu | mantic | * |
| Swish-e | Ubuntu | oracular | * |
| Swish-e | Ubuntu | plucky | * |
| Swish-e | Ubuntu | trusty | * |
| Swish-e | Ubuntu | xenial | * |
| Tdom | Ubuntu | cosmic | * |
| Tdom | Ubuntu | trusty | * |
| Texlive-bin | Ubuntu | trusty | * |
| Thunderbird | Ubuntu | cosmic | * |
| Thunderbird | Ubuntu | disco | * |
| Thunderbird | Ubuntu | trusty | * |
| Vnc4 | Ubuntu | bionic | * |
| Vnc4 | Ubuntu | cosmic | * |
| Vnc4 | Ubuntu | esm-apps/bionic | * |
| Vnc4 | Ubuntu | esm-apps/xenial | * |
| Vnc4 | Ubuntu | esm-infra-legacy/trusty | * |
| Vnc4 | Ubuntu | trusty | * |
| Vnc4 | Ubuntu | trusty/esm | * |
| Vnc4 | Ubuntu | upstream | * |
| Vnc4 | Ubuntu | xenial | * |
| Vtk | Ubuntu | esm-apps/xenial | * |
| Vtk | Ubuntu | esm-infra-legacy/trusty | * |
| Vtk | Ubuntu | trusty | * |
| Vtk | Ubuntu | trusty/esm | * |
| Vtk | Ubuntu | xenial | * |
| Wbxml2 | Ubuntu | trusty | * |
| Wxwidgets2.8 | Ubuntu | trusty | * |
| Xmlrpc-c | Ubuntu | bionic | * |
| Xmlrpc-c | Ubuntu | cosmic | * |
| Xmlrpc-c | Ubuntu | disco | * |
| Xmlrpc-c | Ubuntu | eoan | * |
| Xmlrpc-c | Ubuntu | focal | * |
| Xmlrpc-c | Ubuntu | groovy | * |
| Xmlrpc-c | Ubuntu | hirsute | * |
| Xmlrpc-c | Ubuntu | impish | * |
| Xmlrpc-c | Ubuntu | kinetic | * |
| Xmlrpc-c | Ubuntu | lunar | * |
| Xmlrpc-c | Ubuntu | mantic | * |
| Xmlrpc-c | Ubuntu | oracular | * |
| Xmlrpc-c | Ubuntu | plucky | * |
| Xmlrpc-c | Ubuntu | trusty | * |
| Xmlrpc-c | Ubuntu | trusty/esm | * |
| Xmlrpc-c | Ubuntu | xenial | * |
Potential Mitigations
Related Attack Patterns
References
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226
- https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
- https://github.com/libexpat/libexpat/issues/186
- https://github.com/libexpat/libexpat/pull/262
- https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
- https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK/
- https://seclists.org/bugtraq/2019/Jun/39
- https://security.gentoo.org/glsa/201911-08
- https://security.netapp.com/advisory/ntap-20190703-0001/
- https://support.f5.com/csp/article/K51011533
- https://usn.ubuntu.com/4040-1/
- https://usn.ubuntu.com/4040-2/
- https://www.debian.org/security/2019/dsa-4472
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.tenable.com/security/tns-2021-11
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00039.html
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=5226
- https://github.com/libexpat/libexpat/blob/R_2_2_7/expat/Changes
- https://github.com/libexpat/libexpat/issues/186
- https://github.com/libexpat/libexpat/pull/262
- https://github.com/libexpat/libexpat/pull/262/commits/11f8838bf99ea0a6f0b76f9760c43704d00c4ff6
- https://lists.debian.org/debian-lts-announce/2019/06/msg00028.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CEJJSQSG3KSUQY4FPVHZ7ZTT7FORMFVD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IDAUGEB3TUP6NEKJDBUBZX7N5OAUOOOK/
- https://seclists.org/bugtraq/2019/Jun/39
- https://security.gentoo.org/glsa/201911-08
- https://security.netapp.com/advisory/ntap-20190703-0001/
- https://support.f5.com/csp/article/K51011533
- https://usn.ubuntu.com/4040-1/
- https://usn.ubuntu.com/4040-2/
- https://www.debian.org/security/2019/dsa-4472
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.tenable.com/security/tns-2021-11