-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


CVE-2017-12627: Apache Xerces-C DTD vulnerability processing external paths

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions
prior to V3.2.1

Description: The Xerces-C XML parser mishandles certain kinds of external
DTD references, resulting in dereference of a NULL pointer while processing
the path to the DTD. The bug allows for a denial of service attack in
applications that allow DTD processing and do not prevent external DTD
usage, and could conceivably result in remote code execution.

Mitigation: Applications that are using library versions older than
V3.2.1 should upgrade as soon as possible. Distributors of older versions
should apply the patch from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1819998

Applications should strongly consider blocking remote entity resolution
and/or outright disabling of DTD processing in light of the continued
identification of bugs in this area of the library.

Credit: This issue was reported by Alberto Garcia, Francisco Oca,
and Suleman Ali of Offensive Research at Salesforce.com.

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE3KoVAHvtneaQzZUjN4uEVAIneWIFAlqXX9QACgkQN4uEVAIn
eWIQaBAAikR87i0rxicryFO8xVkhEnrneWn4AM1h55HZNlIdYXzkzfcQqeLbtVSO
bJey5xZIiL6lo+ybMKXyoIrqjtkD1LjqnHcyFPNCFZMD59vS+B47c86U2JU7jEPI
N+Q33U8g8H0fAPhdop0XnhUiXBBvfpWIflunUWefLE+ybd8J5/B7CK54feC0/8CK
Q47Lmj0aMKDtCM37gADbd6gI6PMJ7Kqjf5yb45okp2qhUZFp+8zrbczVmk/W9Opt
JcuoxJFx+yfquMvs+yEelOr0m8vGtVJSFEJILZYEpbiMjMFvvBbXNCSQsPp7c7B9
idLSect9ZDh5f/r3vEWKWq63dILxNBVm3D6K9PyEsYMk3rOTLeYin4KM5RRsmRV6
8QUC0LS5y7q8ZsE8ou3XoFnBNwckHY3yixZ99kplM7SnzAN7N1EHBlQsGYOsEoQ+
rqIWSPrbRE6Axdbrqo8FMjwq+kBB3zu4/AVl9VbUrV9o1dQGppWxqpRthUAIz6hS
7abqQXrdrpXwVOx/dPN9/VK8EwmiBLcvgGIGmloABkPrzt7DqgqQfUUeNSUbQlBD
exhckp4ivJre/F2lbdNcYq4ETSBybB++RCJF74DKhp6EwuFddCQfV5bqjeioCu9K
cYjTbzLboz8jVrXTiavqY1Rpazv2agp+bv1jTU+nV0WQVaoSd0c=
=4BQ4
-----END PGP SIGNATURE-----
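The mitigation section above recommends blocking remote entity resolution or disabling DTD processing outright. As far as I know Xerces-C has no single switch that rejects a DOCTYPE, so an application that wants untrusted input kept away from the DTD code paths altogether (the area the advisory says keeps producing bugs) has to check for one itself before the bytes reach the parser. What follows is an added example, written for this page and not code from the Xerces-C project or from the advisory; it is placed after the signed message so the signature above still covers the advisory text unchanged. It is a pre-parse gate that classifies a document as having no DTD, an internal subset only, or an external DTD or entity reference, and refuses anything it cannot scan reliably. The names DtdKind, classifyDtd and acceptUntrustedXml, and the sample documents, are this example's own.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Classification of the DTD content found in an XML document's raw bytes.
enum class DtdKind {
    None,          // no <!DOCTYPE ...> declaration at all
    InternalOnly,  // DOCTYPE present, but no SYSTEM/PUBLIC identifier anywhere in it
    External,      // DOCTYPE carries an external DTD or external entity reference
    Unscannable    // not ASCII-compatible bytes (UTF-16/32, EBCDIC, NULs): cannot be checked
};

// A byte-wise scan is only meaningful for ASCII-compatible encodings. A NUL
// byte (always present in UTF-16/UTF-32 text, never legal in XML) or a first
// byte that is neither '<' nor XML whitespace (after an optional UTF-8 BOM)
// means the document is refused rather than guessed at.
static bool scannableAsAscii(const std::string& doc) {
    if (doc.find('\0') != std::string::npos) return false;
    std::size_t p = (doc.compare(0, 3, "\xEF\xBB\xBF") == 0) ? 3 : 0;
    if (p >= doc.size()) return false;
    char c = doc[p];
    return c == '<' || c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

// Index just past the DOCTYPE declaration that starts at `start`, or doc.size()
// if it is truncated. Quoted literals and comments are skipped so a ']' or '>'
// hidden inside them cannot end the scan early, and the internal subset
// ('[' ... ']') is tracked because the declarations inside it carry their own
// '>' characters.
static std::size_t doctypeEnd(const std::string& doc, std::size_t start) {
    bool inSubset = false;
    for (std::size_t i = start; i < doc.size(); ++i) {
        char c = doc[i];
        if (c == '"' || c == '\'') {
            std::size_t close = doc.find(c, i + 1);
            if (close == std::string::npos) return doc.size();
            i = close;
        } else if (inSubset && doc.compare(i, 4, "<!--") == 0) {
            std::size_t close = doc.find("-->", i + 4);
            if (close == std::string::npos) return doc.size();
            i = close + 2;
        } else if (!inSubset && c == '[') {
            inSubset = true;
        } else if (inSubset && c == ']') {
            inSubset = false;
        } else if (!inSubset && c == '>') {
            return i + 1;
        }
    }
    return doc.size();
}

DtdKind classifyDtd(const std::string& doc) {
    if (!scannableAsAscii(doc)) return DtdKind::Unscannable;

    // XML keywords are case-sensitive: a conforming parser only honours the
    // uppercase spelling, so "<!doctype" is a parse error, not a bypass.
    const std::string kDoctype = "<!DOCTYPE";
    DtdKind worst = DtdKind::None;

    // Every occurrence is examined, not just the first, so that a decoy inside
    // a comment cannot shadow a real declaration later in the prolog.
    std::size_t start = doc.find(kDoctype);
    while (start != std::string::npos) {
        std::size_t end = doctypeEnd(doc, start);
        // Plain substring search over the whole declaration, literals included:
        // a literal that merely contains the word SYSTEM also counts, so the
        // check errs toward rejection.
        if (doc.find("SYSTEM", start) < end || doc.find("PUBLIC", start) < end)
            return DtdKind::External;
        worst = DtdKind::InternalOnly;
        start = doc.find(kDoctype, end);
    }
    return worst;
}

// Gate for untrusted input: accept only documents that keep the parser out of
// DTD handling entirely, or, with `allowInternalSubset`, also those whose DTD is
// purely internal. External references and unscannable bytes are always refused.
bool acceptUntrustedXml(const std::string& doc, bool allowInternalSubset) {
    switch (classifyDtd(doc)) {
        case DtdKind::None:         return true;
        case DtdKind::InternalOnly: return allowInternalSubset;
        default:                    return false;
    }
}

int main() {
    // Constructed sample documents for illustration; not taken from the advisory.
    const char* samples[] = {
        "<?xml version=\"1.0\"?><doc/>",
        "<!DOCTYPE doc [<!ENTITY greet \"hi\">]><doc>&greet;</doc>",
        "<!DOCTYPE doc SYSTEM \"http://attacker.example/evil.dtd\"><doc/>",
    };
    for (const char* s : samples)
        std::cout << (acceptUntrustedXml(s, false) ? "accept  " : "reject  ") << s << '\n';
    return 0;
}
```

The gate belongs in front of the parser settings, not in place of them. For XercesDOMParser the settings that stop the library fetching a DTD are setLoadExternalDTD(false) together with setValidationScheme(XercesDOMParser::Val_Never), since the external-DTD switch only takes effect when validation is off, plus setDisableDefaultEntityResolution(true) so that no built-in resolver is consulted for anything the document references; for SAX2XMLReader the corresponding features are XMLUni::fgXercesLoadExternalDTD and XMLUni::fgXercesDisableDefaultEntityResolution. Those settings keep the parser from resolving an external DTD; the gate keeps the DTD path-handling code, where this bug lives, from running at all on untrusted input, which is what the advisory's remark about continued bugs in this area argues for. The check deliberately over-rejects (a quoted literal containing the word SYSTEM, a `<!DOCTYPE` inside a comment) rather than trying to parse the prolog exactly, because every shortcut in the other direction is a potential bypass.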