OSG-SEC-2022-03-31 CRITICAL Expat XML parser arbitrary code execution vulnerability
Dear OSG Security Contacts,
Vulnerabilities have been found concerning the expat XML parser, including two which may lead to arbitrary code execution. The expat XML parser is a library, written in C, which is a dependency for various other software, including VOMS server and client.
WHAT ARE THE VULNERABILITIES:
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.
Of principal concern are the VOMS client and server packages, as well as HTCondor, which also uses the VOMS library.
WHAT YOU SHOULD DO:
Sites running software that depends on expat, including those running a VOMS server or client, should update urgently and then restart the updated services.
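The following script is an added example for this advisory, not an OSG tool. It decides whether an installed expat version predates 2.4.5, the fixed release named above, and on rpm- or dpkg-based hosts reports the installed version together with the rpm packages that declare a dependency on expat. The package names "expat" (rpm) and "libexpat1" (dpkg) are assumptions about the site's distribution.

```shell
#!/bin/sh
# Added example (not part of the OSG advisory): compare an installed expat
# version against 2.4.5 and report dependent packages so the site can plan
# updates and service restarts.

FIXED_EXPAT="2.4.5"

# digits STRING -> leading run of digits, or 0 if there is none ("5rc1" -> 5).
digits() {
    d="${1%%[!0-9]*}"
    printf '%s' "${d:-0}"
}

# expat_needs_update VERSION -> exit 0 if VERSION sorts before 2.4.5, else 1.
# Accepts distro-style strings such as "1:2.2.9-1build1" or "2.4.4-3.el7".
expat_needs_update() {
    ver="$1"
    ver="${ver#*:}"            # drop a dpkg epoch prefix
    ver="${ver%%-*}"           # drop the package release suffix
    oldifs="$IFS"
    IFS=.
    set -- $ver
    IFS="$oldifs"
    maj=$(digits "${1:-0}"); min=$(digits "${2:-0}"); pat=$(digits "${3:-0}")
    IFS=.
    set -- $FIXED_EXPAT
    IFS="$oldifs"
    fmaj="$1"; fmin="$2"; fpat="$3"
    if [ "$maj" -lt "$fmaj" ]; then return 0; fi
    if [ "$maj" -gt "$fmaj" ]; then return 1; fi
    if [ "$min" -lt "$fmin" ]; then return 0; fi
    if [ "$min" -gt "$fmin" ]; then return 1; fi
    [ "$pat" -lt "$fpat" ]
}

# installed_expat_version -> prints the packaged expat version, or nothing
# when neither rpm nor dpkg knows about it (assumed package names).
installed_expat_version() {
    if command -v rpm >/dev/null 2>&1; then
        # rpm prints "package expat is not installed" on stdout, so test first.
        rpm -q expat >/dev/null 2>&1 &&
            rpm -q --qf '%{VERSION}-%{RELEASE}\n' expat 2>/dev/null | head -n 1
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}\n' libexpat1 2>/dev/null
    fi
    return 0
}

# report_expat -> human-readable summary for the host.
report_expat() {
    v=$(installed_expat_version)
    if [ -z "$v" ]; then
        echo "expat: no rpm/dpkg package found; check for bundled copies"
        return 0
    fi
    if expat_needs_update "$v"; then
        echo "expat $v predates $FIXED_EXPAT: update, then restart VOMS/HTCondor services"
    else
        echo "expat $v is at or past $FIXED_EXPAT"
    fi
    if command -v rpm >/dev/null 2>&1; then
        echo "rpm packages that require expat:"
        rpm -q --whatrequires expat 2>/dev/null || true
    fi
}

if [ "${1:-}" = "--check" ]; then
    report_expat
fi
```

Run it as `sh expat-check.sh --check` on each host. The version comparison alone is not conclusive on enterprise distributions that backport fixes into an older version number, so confirm against the vendor's errata or `rpm -q --changelog expat` before treating a host as unpatched; and since the advisory asks for a restart after updating, a host whose expat package is current but whose VOMS or HTCondor processes started before the update is still running the old library.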
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team