Bug 2322153 (CVE-2024-49761) - CVE-2024-49761 rexml: REXML ReDoS vulnerability [NEEDINFO]
Summary: CVE-2024-49761 rexml: REXML ReDoS vulnerability
Keywords:
Status: NEW
Alias: CVE-2024-49761
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2024-10-28 15:01 UTC by OSIDB Bzimport
Modified: 2025-06-11 20:35 UTC (History)
CC List: 29 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
vondruch: needinfo? (darunesh)
kyoshida: needinfo? (prodsec-dev)




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:10918 0 None None None 2024-12-10 11:54:45 UTC
Red Hat Product Errata RHBA-2024:10997 0 None None None 2024-12-12 12:29:01 UTC
Red Hat Product Errata RHBA-2024:11207 0 None None None 2024-12-17 03:14:39 UTC
Red Hat Product Errata RHBA-2024:11273 0 None None None 2024-12-17 16:51:19 UTC
Red Hat Product Errata RHBA-2024:11457 0 None None None 2024-12-18 20:14:16 UTC
Red Hat Product Errata RHBA-2024:11468 0 None None None 2024-12-18 21:42:11 UTC
Red Hat Product Errata RHSA-2024:10777 0 None None None 2024-12-04 02:44:58 UTC
Red Hat Product Errata RHSA-2024:10834 0 None None None 2024-12-05 10:14:59 UTC
Red Hat Product Errata RHSA-2024:10850 0 None None None 2024-12-05 14:19:23 UTC
Red Hat Product Errata RHSA-2024:10858 0 None None None 2024-12-05 15:37:26 UTC
Red Hat Product Errata RHSA-2024:10860 0 None None None 2024-12-05 16:29:00 UTC
Red Hat Product Errata RHSA-2024:10961 0 None None None 2024-12-11 16:44:11 UTC
Red Hat Product Errata RHSA-2024:10964 0 None None None 2024-12-11 17:15:13 UTC
Red Hat Product Errata RHSA-2024:10966 0 None None None 2024-12-11 19:08:22 UTC
Red Hat Product Errata RHSA-2024:10977 0 None None None 2024-12-12 07:09:54 UTC
Red Hat Product Errata RHSA-2024:10982 0 None None None 2024-12-12 09:04:34 UTC
Red Hat Product Errata RHSA-2024:10984 0 None None None 2024-12-12 09:16:13 UTC
Red Hat Product Errata RHSA-2024:11001 0 None None None 2024-12-12 13:36:35 UTC
Red Hat Product Errata RHSA-2024:11027 0 None None None 2024-12-12 22:47:43 UTC
Red Hat Product Errata RHSA-2024:11028 0 None None None 2024-12-12 22:55:32 UTC
Red Hat Product Errata RHSA-2024:11029 0 None None None 2024-12-12 22:57:51 UTC

Description OSIDB Bzimport 2024-10-28 15:01:18 UTC
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later includes the patch to fix the vulnerability.
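An added example, not code from this bug, the upstream advisory, or the rexml project: it turns the description above into a triage script. `affected?` encodes the two facts the advisory states (fixed in rexml 3.3.9; Ruby 3.2 and later are not affected), `craft_payload` builds the hostile "many digits between `&#` and `x`" shape, and `time_scan` times that input against two character-reference patterns. The two regexes are an assumption about the shape of this bug class (an optional run of zeros followed by an alternative that can also eat zeros), not a quotation of rexml's source; `decode_text` checks that ordinary references still round-trip through the installed REXML.

```ruby
require "rexml/document"   # bundled gem; also defines REXML::VERSION
require "benchmark"

# Facts from the advisory: fixed in rexml 3.3.9; Ruby 3.2+ is not affected
# because its regexp engine memoizes backtracking.
FIXED_REXML_VERSION   = Gem::Version.new("3.3.9")
FIRST_UNAFFECTED_RUBY = Gem::Version.new("3.2.0")

# Triage helper: is this (rexml, ruby) pair inside the affected range?
def affected?(rexml_version, ruby_version)
  Gem::Version.new(rexml_version) < FIXED_REXML_VERSION &&
    Gem::Version.new(ruby_version) < FIRST_UNAFFECTED_RUBY
end

# ASSUMPTION: these two patterns illustrate the shape of the bug class; they
# are not quoted from rexml source. `0*` followed by an alternative that can
# also consume zeros (`\d+`) makes a backtracking engine try every split of
# N zeros when the reference never closes: O(N^2) work for N digits.
QUADRATIC_CHARREF = /&#0*((?:\d+)|(?:x[a-fA-F0-9]+));/
# Without the ambiguous `0*` prefix each digit is consumed once: O(N).
LINEAR_CHARREF    = /&#((?:\d+)|(?:x[a-fA-F0-9]+));/

# Constructed hostile text: many digits between "&#" and "x", then no hex
# digit before ";", so no alternative can match and every split is tried.
def craft_payload(zeros)
  "&#" + ("0" * zeros) + "x;"
end

# Time one scan of the payload with each pattern; returns [quadratic_s, linear_s].
def time_scan(zeros)
  payload = craft_payload(zeros)
  [QUADRATIC_CHARREF, LINEAR_CHARREF].map do |re|
    Benchmark.realtime { payload.match?(re) }
  end
end

# Legitimate references (leading zeros included) must still decode: parse the
# constructed document with the installed REXML and return the element text.
def decode_text(xml)
  REXML::Document.new(xml).root.text
end

if __FILE__ == $PROGRAM_NAME
  rexml_v = REXML::VERSION
  puts "ruby #{RUBY_VERSION}, rexml #{rexml_v}, in affected range: #{affected?(rexml_v, RUBY_VERSION)}"
  [1_000, 2_000, 4_000].each do |n|
    q, l = time_scan(n)
    printf("zeros=%-5d quadratic-shaped %.4fs  linear-shaped %.4fs\n", n, q, l)
  end
  puts decode_text("<a>&#x0000003e;&#62;</a>").inspect
end
```

On Ruby 3.1 and older the quadratic-shaped timings grow roughly fourfold per doubling of the zero count while the linear-shaped ones stay flat; on Ruby 3.2 and later both stay flat, which is the "does not happen with Ruby 3.2 or later" statement in the description, so the version check rather than the timing is the reliable triage signal. Ruby 3.2+ also offers `Regexp.timeout=` as a global backstop for regexes that still backtrack.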

Comment 2 Jun Aruga 2024-11-22 16:32:03 UTC
The upstream Ruby's CVE page is below.
https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/

And some other info in addition to the first comment.

* Affected Ruby versions: Ruby 3.1 (and maybe older versions too).
* Ruby 3.1 latest version 3.1.6's bundled rexml version is 3.2.5.

Comment 3 Jun Aruga 2024-11-22 17:03:31 UTC
Here is the upstream patch including the fix and test.
https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f

Comment 4 Dominik Rehák 2024-11-25 14:51:27 UTC
Confirming that Ruby 2.5.9 is not affected. The tests from the patch pass in scratch builds (tested on the stream-ruby-2.5-rhel-8.8.0 branch):

[ 2346/17497] REXMLTests::TestParseCharacterReference#test_gt_linear_performance_many_preceding_zeros = 0.00 s
[ 2347/17497] REXMLTests::TestParseCharacterReference#test_hex_precedding_zero = 0.00 s

Comment 10 Jun Aruga 2024-11-28 05:11:29 UTC
(In reply to Dominik Rehák from comment #4)
> Confirming that Ruby 2.5.9 is not affected. The test from the patch passes
> in scratch builds (tested on the stream-ruby-2.5-rhel-8.8.0 branch):
> 
> [ 2346/17497]
> REXMLTests::
> TestParseCharacterReference#test_gt_linear_performance_many_preceding_zeros
> = 0.00 s
> [ 2347/17497]
> REXMLTests::TestParseCharacterReference#test_hex_precedding_zero = 0.00 s

In my investigation and testing, Ruby 2.5.9 is affected.

Comment 11 errata-xmlrpc 2024-12-04 02:44:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:10777 https://access.redhat.com/errata/RHSA-2024:10777

Comment 12 errata-xmlrpc 2024-12-05 10:14:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10834 https://access.redhat.com/errata/RHSA-2024:10834

Comment 13 errata-xmlrpc 2024-12-05 14:19:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10850 https://access.redhat.com/errata/RHSA-2024:10850

Comment 14 errata-xmlrpc 2024-12-05 15:37:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10858 https://access.redhat.com/errata/RHSA-2024:10858

Comment 15 errata-xmlrpc 2024-12-05 16:28:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10860 https://access.redhat.com/errata/RHSA-2024:10860

Comment 16 errata-xmlrpc 2024-12-11 16:44:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2024:10961 https://access.redhat.com/errata/RHSA-2024:10961

Comment 17 errata-xmlrpc 2024-12-11 17:15:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:10964 https://access.redhat.com/errata/RHSA-2024:10964

Comment 18 errata-xmlrpc 2024-12-11 19:08:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:10966 https://access.redhat.com/errata/RHSA-2024:10966

Comment 19 errata-xmlrpc 2024-12-12 07:09:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:10977 https://access.redhat.com/errata/RHSA-2024:10977

Comment 20 errata-xmlrpc 2024-12-12 09:04:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:10982 https://access.redhat.com/errata/RHSA-2024:10982

Comment 21 errata-xmlrpc 2024-12-12 09:16:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2024:10984 https://access.redhat.com/errata/RHSA-2024:10984

Comment 22 errata-xmlrpc 2024-12-12 13:36:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:11001 https://access.redhat.com/errata/RHSA-2024:11001

Comment 23 errata-xmlrpc 2024-12-12 22:47:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:11027 https://access.redhat.com/errata/RHSA-2024:11027

Comment 24 errata-xmlrpc 2024-12-12 22:55:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:11028 https://access.redhat.com/errata/RHSA-2024:11028

Comment 25 errata-xmlrpc 2024-12-12 22:57:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:11029 https://access.redhat.com/errata/RHSA-2024:11029

Comment 27 Vít Ondruch 2025-01-02 13:19:39 UTC
@Dhananjay could you please elaborate why the rating was changed? Is that intentional or was it by accident?

