OSG-SEC-2022-10-07 HIGH expat use-after-free

Dear OSG Security Contacts,

A use-after-free vulnerability was found in the expat library in the doContent function in xmlparse.c. The library is widely used by open source software. The vulnerability is outlined in CVE-2022-40674. [1]

IMPACTED VERSIONS:

Versions of expat before 2.4.9.

WHAT ARE THE VULNERABILITIES:

With this flaw, it is possible to create a situation in which parsing is suspended while substituting in an internal entity so that XML_ResumeParser directly uses the internalEntityProcessor as its processor. If the subsequent parse includes some unclosed tags, this will return without calling storeRawNames to ensure that the raw versions of the tag names are stored in memory other than the parse buffer itself. Issues occur if the parse buffer is changed or reallocated (for example, if processing a file line by line), problems occur. Using this vulnerability in the doContent function allows an attacker to triage a denial of service or potentially arbitrary code execution. [7]

WHAT YOU SHOULD DO:

Update affected systems as patches become available.

Sites running RHEL should see [1]

Sites running CentOS should also see [1]

Sites running Ubuntu should see [2]

Sites running Scientific Linux should see [3]

Sites running Debian should see [4]

Sites running RockyLinux should see [5]

Sites running Almalinux should see [6]

REFERENCES

[1] https://access.redhat.com/security/cve/CVE-2022-40674

[2] https://ubuntu.com/security/CVE-2022-40674

[3] https://www.scientificlinux.org/category/sl-errata/

[4] https://security-tracker.debian.org/tracker

[5] https://errata.rockylinux.org/

[6] https://errata.almalinux.org/

[7] https://bugzilla.redhat.com/show_bug.cgi?id=2130769

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team