Bug 1723723 (CVE-2018-20843) - CVE-2018-20843 expat: large number of colons in input makes parser consume high amount of resources, leading to DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-20843
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1723724 1723725 1723726 1773897 1773898 1773899
Blocks: 1723729
Reported: 2019-06-25 08:58 UTC by Marian Rehak
Modified: 2023-12-15 16:34 UTC (History)

Fixed In Version: expat 2.2.7
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the "setElementTypePrefix()" function incorrectly extracted XML namespace prefixes. By tricking an application into processing a specially crafted XML file, an attacker could cause unusually high consumption of memory resources and possibly lead to a denial of service.
Clone Of:
Environment:
Last Closed: 2020-06-22 17:20:25 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2644 0 None None None 2020-06-22 12:26:32 UTC
Red Hat Product Errata RHSA-2020:2646 0 None None None 2020-06-22 13:08:41 UTC
Red Hat Product Errata RHSA-2020:3952 0 None None None 2020-09-29 20:04:27 UTC
Red Hat Product Errata RHSA-2020:4484 0 None None None 2020-11-04 01:23:16 UTC
Red Hat Product Errata RHSA-2020:4846 0 None None None 2020-11-04 04:20:29 UTC

Description Marian Rehak 2019-06-25 08:58:03 UTC
In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks).

External References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931031

Upstream Issue:

https://github.com/libexpat/libexpat/issues/186
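
As an added defensive example (not code from this bug report, from Red Hat, or from libexpat): a check of the expat version linked into Python's pyexpat against the 2.2.7 fix version named above, plus a conservative textual prefilter that rejects a document whose element or attribute names carry more than one colon before it reaches the parser. The regular expressions, the `max_colons` threshold and the sample documents are assumptions of this example, not values from the bug.

```python
import re
import pyexpat

# "Fixed In Version: expat 2.2.7" from the bug; older linked copies are affected.
FIXED_IN = (2, 2, 7)


def expat_is_fixed(version_info=None):
    """True when the expat linked into pyexpat is 2.2.7 or newer."""
    if version_info is None:
        version_info = pyexpat.version_info  # e.g. (2, 4, 7)
    return tuple(version_info) >= FIXED_IN


# Assumed patterns: element names after '<' or '</', attribute names before '='.
# A well-formed namespaced name is prefix:local, i.e. at most one colon.
_ELEMENT_NAME = re.compile(r'</?([A-Za-z_:][\w.\-:]*)')
_ATTR_NAME = re.compile(r'\s([A-Za-z_:][\w.\-:]*)\s*=')


def max_colons_in_names(xml_text):
    """Highest colon count found in any element or attribute name (0 if none)."""
    names = _ELEMENT_NAME.findall(xml_text) + _ATTR_NAME.findall(xml_text)
    return max((n.count(':') for n in names), default=0)


def guarded_parse(xml_text, max_colons=1):
    """Refuse documents with over-long prefix chains, else parse and return element names."""
    if max_colons_in_names(xml_text) > max_colons:
        raise ValueError("rejected: XML name with more than %d colons" % max_colons)
    seen = []
    parser = pyexpat.ParserCreate()
    parser.StartElementHandler = lambda name, attrs: seen.append(name)
    parser.Parse(xml_text, True)
    return seen


if __name__ == "__main__":
    print("linked expat", pyexpat.EXPAT_VERSION, "fixed:", expat_is_fixed())
    # Constructed sample documents: one ordinary namespaced document, one with
    # a single name made of 20 colon-separated segments.
    benign = '<ns:root xmlns:ns="urn:x"><ns:a ns:b="1"/></ns:root>'
    suspicious = '<' + 'a:' * 20 + 'a/>'
    print(guarded_parse(benign))                 # ['ns:root', 'ns:a']
    print(max_colons_in_names(suspicious))       # 20 -> guarded_parse raises ValueError
```

The prefilter is textual and deliberately conservative: it never sees entity expansion or CDATA content, so it complements rather than replaces upgrading the linked expat to 2.2.7 or later.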

Comment 1 Marian Rehak 2019-06-25 08:58:28 UTC
Created expat tracking bugs for this issue:

Affects: fedora-all [bug 1723724]


Created mingw-expat tracking bugs for this issue:

Affects: epel-7 [bug 1723726]
Affects: fedora-all [bug 1723725]

Comment 2 Joshua Padman 2019-07-24 10:24:58 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Enterprise Web Server 2
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 5 Stefan Cornelius 2019-11-19 09:38:57 UTC
Statement:

When processing a specially crafted XML file, expat may use more memory than ultimately necessary, which can also lead to increased CPU usage and longer processing times. Depending on available system resources and configuration, this may also lead to the application triggering the Out-Of-Memory-Killer, causing the application to be terminated.

Comment 7 Mark Denihan 2020-01-27 14:59:42 UTC
Is there any plan to provide a patch for expat in RHEL7 and RHEL8 for this moderate severity issue? If so, is there an ETA for those patches?

Comment 16 errata-xmlrpc 2020-06-22 12:26:22 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6
  JBoss Core Services on RHEL 7

Via RHSA-2020:2644 https://access.redhat.com/errata/RHSA-2020:2644

Comment 17 errata-xmlrpc 2020-06-22 13:08:37 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2020:2646 https://access.redhat.com/errata/RHSA-2020:2646

Comment 18 Product Security DevOps Team 2020-06-22 17:20:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20843

Comment 19 errata-xmlrpc 2020-09-29 20:04:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3952 https://access.redhat.com/errata/RHSA-2020:3952

Comment 20 errata-xmlrpc 2020-11-04 01:23:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4484 https://access.redhat.com/errata/RHSA-2020:4484

Comment 21 errata-xmlrpc 2020-11-04 04:20:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4846 https://access.redhat.com/errata/RHSA-2020:4846
