libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).
Weakness
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Libexpat | Libexpat_project | * | 2.6.2 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | expat-0:2.5.0-1.el8_10 | * |
| Red Hat Enterprise Linux 9 | RedHat | expat-0:2.5.0-2.el9_4 | * |
| Red Hat Enterprise Linux 9 | RedHat | expat-0:2.5.0-1.el9_3.1 | * |
| Red Hat Enterprise Linux 9 | RedHat | expat-0:2.5.0-2.el9_4 | * |
| Red Hat Enterprise Linux 9 | RedHat | expat-0:2.5.0-1.el9_3.1 | * |
| Red Hat Enterprise Linux 9.2 Extended Update Support | RedHat | expat-0:2.5.0-1.el9_2.1 | * |
| Red Hat OpenShift Container Platform 4.13 | RedHat | rhcos-413.92.202604080111-0 | * |
| Red Hat OpenShift Container Platform 4.14 | RedHat | rhcos-414.92.202603110216-0 | * |
| Red Hat OpenShift Container Platform 4.15 | RedHat | rhcos-415.92.202603101737-0 | * |
| Red Hat OpenShift Container Platform 4.16 | RedHat | rhcos-416.94.202603112010-0 | * |
| Red Hat OpenShift Container Platform 4.17 | RedHat | rhcos-417.94.202603102246-0 | * |
| Red Hat OpenShift Container Platform 4.18 | RedHat | rhcos-418.94.202603021444-0 | * |
| Red Hat OpenShift Container Platform 4.19 | RedHat | rhcos-4.19.9.6.202604080618-0 | * |
| Ayttm | Ubuntu | esm-apps/xenial | * |
| Cableswig | Ubuntu | esm-apps/xenial | * |
| Cadaver | Ubuntu | esm-apps/xenial | * |
| Cadaver | Ubuntu | focal | * |
| Cadaver | Ubuntu | mantic | * |
| Cadaver | Ubuntu | oracular | * |
| Cadaver | Ubuntu | plucky | * |
| Coin3 | Ubuntu | esm-apps/xenial | * |
| Coin3 | Ubuntu | trusty/esm | * |
| Expat | Ubuntu | esm-infra-legacy/trusty | * |
| Expat | Ubuntu | esm-infra-legacy/xenial | * |
| Expat | Ubuntu | esm-infra/bionic | * |
| Expat | Ubuntu | esm-infra/focal | * |
| Expat | Ubuntu | esm-infra/xenial | * |
| Expat | Ubuntu | focal | * |
| Expat | Ubuntu | jammy | * |
| Expat | Ubuntu | mantic | * |
| Expat | Ubuntu | trusty/esm | * |
| Gdcm | Ubuntu | esm-apps/xenial | * |
| Insighttoolkit4 | Ubuntu | esm-apps/xenial | * |
| Insighttoolkit4 | Ubuntu | focal | * |
| Libxmltok | Ubuntu | esm-apps-legacy/xenial | * |
| Libxmltok | Ubuntu | esm-apps/bionic | * |
| Libxmltok | Ubuntu | esm-apps/focal | * |
| Libxmltok | Ubuntu | esm-apps/jammy | * |
| Libxmltok | Ubuntu | esm-apps/noble | * |
| Libxmltok | Ubuntu | esm-apps/xenial | * |
| Libxmltok | Ubuntu | focal | * |
| Libxmltok | Ubuntu | jammy | * |
| Libxmltok | Ubuntu | mantic | * |
| Libxmltok | Ubuntu | noble | * |
| Libxmltok | Ubuntu | oracular | * |
| Libxmltok | Ubuntu | plucky | * |
| Matanza | Ubuntu | devel | * |
| Matanza | Ubuntu | esm-apps-legacy/xenial | * |
| Matanza | Ubuntu | esm-apps/bionic | * |
| Matanza | Ubuntu | esm-apps/focal | * |
| Matanza | Ubuntu | esm-apps/jammy | * |
| Matanza | Ubuntu | esm-apps/noble | * |
| Matanza | Ubuntu | esm-apps/resolute | * |
| Matanza | Ubuntu | esm-apps/xenial | * |
| Matanza | Ubuntu | focal | * |
| Matanza | Ubuntu | jammy | * |
| Matanza | Ubuntu | mantic | * |
| Matanza | Ubuntu | noble | * |
| Matanza | Ubuntu | oracular | * |
| Matanza | Ubuntu | plucky | * |
| Matanza | Ubuntu | questing | * |
| Matanza | Ubuntu | resolute | * |
| Smart | Ubuntu | esm-apps/xenial | * |
| Swish-e | Ubuntu | esm-apps/xenial | * |
| Swish-e | Ubuntu | focal | * |
| Swish-e | Ubuntu | mantic | * |
| Swish-e | Ubuntu | oracular | * |
| Swish-e | Ubuntu | plucky | * |
| Tdom | Ubuntu | esm-apps/xenial | * |
| Tdom | Ubuntu | focal | * |
| Tdom | Ubuntu | mantic | * |
| Tdom | Ubuntu | oracular | * |
| Tdom | Ubuntu | plucky | * |
| Vnc4 | Ubuntu | esm-apps/xenial | * |
| Vnc4 | Ubuntu | trusty/esm | * |
| Vtk | Ubuntu | esm-apps/xenial | * |
| Vtk | Ubuntu | trusty/esm | * |
| Wbxml2 | Ubuntu | esm-apps/xenial | * |
| Wbxml2 | Ubuntu | focal | * |
| Wbxml2 | Ubuntu | mantic | * |
| Wbxml2 | Ubuntu | oracular | * |
| Wbxml2 | Ubuntu | plucky | * |
| Xmlrpc-c | Ubuntu | esm-apps/xenial | * |
| Xmlrpc-c | Ubuntu | focal | * |
| Xmlrpc-c | Ubuntu | mantic | * |
| Xmlrpc-c | Ubuntu | oracular | * |
| Xmlrpc-c | Ubuntu | plucky | * |
| Xmlrpc-c | Ubuntu | trusty/esm | * |
Potential Mitigations
Related Attack Patterns
References
- http://www.openwall.com/lists/oss-security/2024/03/15/1
- https://github.com/libexpat/libexpat/issues/839
- https://github.com/libexpat/libexpat/pull/842
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/
- https://security.netapp.com/advisory/ntap-20240322-0001/
- http://www.openwall.com/lists/oss-security/2024/03/15/1
- https://github.com/libexpat/libexpat/issues/839
- https://github.com/libexpat/libexpat/pull/842
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FPLC6WDSRDUYS7F7JWAOVOHFNOUQ43DD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKJ7V5F6LJCEQJXDBWGT27J7NAP3E3N7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VK2O34GH43NTHBZBN7G5Y6YKJKPUCTBE/
- https://security.netapp.com/advisory/ntap-20240322-0001/