Bug 2221261 (CVE-2023-34104)

Summary: CVE-2023-34104 fast-xml-parser: Regex Injection via Doctype Entities
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dcadzow, dkenigsb, dkuc, dsimansk, fdeutsch, fjansen, lball, matzew, oramraz, rhuss, rjohnson, sgott, skontopo, smullick
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: fast-xml-parser 4.2.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the fast-XML-parser. The affected versions of fast-XML-parser are vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in the Doctype Entities. By sending a specially crafted regex input, a remote attacker can cause a denial of service condition.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-14 05:50:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2221262, 2221263    
Bug Blocks: 2221264    

Description Pedro Sampaio 2023-07-07 16:57:33 UTC 
fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the `processEntities: false` option.

References:

https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-6w63-h3fj-q4vw
https://github.com/NaturalIntelligence/fast-xml-parser/commit/39b0e050bb909e8499478657f84a3076e39ce76c
Comment 3 errata-xmlrpc 2023-08-14 01:03:03 UTC 
This issue has been addressed in the following products:

  MTA-6.2-RHEL-9
  MTA-6.2-RHEL-8

Via RHSA-2023:4627 https://access.redhat.com/errata/RHSA-2023:4627
Comment 4 Product Security DevOps Team 2023-08-14 05:50:05 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-34104