====================================================================
CERT-Renater Information Note No. 2018/VULN087
_____________________________________________________________________
DATE                 : 01/03/2018
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Xerces-C XML Parser library
                       versions prior to V3.2.1.
=====================================================================

http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt
_____________________________________________________________________

CVE-2017-12627: Apache Xerces-C DTD vulnerability processing external paths

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions prior to V3.2.1

Description:
The Xerces-C XML parser mishandles certain kinds of external DTD references,
resulting in dereference of a NULL pointer while processing the path to the
DTD. The bug allows for a denial of service attack in applications that allow
DTD processing and do not prevent external DTD usage, and could conceivably
result in remote code execution.

Mitigation:
Applications that are using library versions older than V3.2.1 should upgrade
as soon as possible. Distributors of older versions should apply the patch
from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1819998

Applications should strongly consider blocking remote entity resolution
and/or outright disabling of DTD processing in light of the continued
identification of bugs in this area of the library.

Credit:
This issue was reported by Alberto Garcia, Francisco Oca, and Suleman Ali of
Offensive Research at Salesforce.com.

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2017-12627.txt

==========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel   | fax  : 01-53-94-20-41            +
+ 75013 Paris          | email: cert@support.renater.fr   +
==========================================================
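The mitigation section recommends blocking remote entity resolution or disabling DTD processing outright. Inside Xerces-C itself that is done on the parser object: XercesDOMParser::setLoadExternalDTD(false) together with setDisableDefaultEntityResolution(true), or, for SAX2XMLReader, the features XMLUni::fgXercesLoadExternalDTD (set to false) and XMLUni::fgXercesDisableDefaultEntityResolution (set to true). The example below is added here as a defence-in-depth complement to that parser configuration; it is not code from the advisory or from the Xerces project. It is a stand-alone C++ gatekeeper that inspects the XML prolog of an untrusted document before it is handed to any parser and classifies its DOCTYPE: none, internal subset only, or carrying an external identifier (SYSTEM/PUBLIC on the DOCTYPE itself or in an external entity declaration inside the internal subset). A policy function then rejects anything that would cause the parser to process an external DTD path, and can optionally reject all DTDs. The sample documents in main() are constructed for illustration; the dtd.example.invalid host is a placeholder.

```cpp
#include <cassert>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Classification of the document type declaration found in an XML prolog.
enum class DtdKind { None, Internal, External };

// Case-insensitive prefix match. XML keywords are case-sensitive and a
// conforming parser would reject "<!doctype", but a gatekeeper that fails
// closed on any spelling is the safer choice.
static bool startsWithNoCase(const std::string& s, std::size_t pos, const char* kw) {
    for (std::size_t i = 0; kw[i] != '\0'; ++i) {
        if (pos + i >= s.size()) return false;
        if (std::tolower(static_cast<unsigned char>(s[pos + i])) !=
            std::tolower(static_cast<unsigned char>(kw[i]))) return false;
    }
    return true;
}

// Skip the XML declaration, processing instructions, comments and whitespace,
// then classify the DOCTYPE if one precedes the root element.
DtdKind classifyDtd(const std::string& xml) {
    const std::size_t n = xml.size();
    std::size_t pos = 0;
    while (pos < n) {
        while (pos < n && std::isspace(static_cast<unsigned char>(xml[pos]))) ++pos;
        if (pos >= n) return DtdKind::None;
        if (startsWithNoCase(xml, pos, "<?")) {            // XML declaration or PI
            std::size_t end = xml.find("?>", pos);
            if (end == std::string::npos) return DtdKind::None;  // malformed; parser rejects it
            pos = end + 2;
        } else if (startsWithNoCase(xml, pos, "<!--")) {   // comment
            std::size_t end = xml.find("-->", pos);
            if (end == std::string::npos) return DtdKind::None;  // malformed; parser rejects it
            pos = end + 3;
        } else if (startsWithNoCase(xml, pos, "<!DOCTYPE")) {
            break;
        } else {
            return DtdKind::None;  // root element reached without a DOCTYPE
        }
    }
    if (pos >= n) return DtdKind::None;
    pos += 9;  // length of "<!DOCTYPE"

    // Walk the declaration to its closing '>', tracking the [ ... ] internal
    // subset and quoted literals. Any SYSTEM or PUBLIC keyword outside a
    // literal, whether on the DOCTYPE or in an entity declaration, means an
    // external resource would be resolved. A root element whose name merely
    // starts with "SYSTEM" is also flagged: the check fails closed.
    bool inSubset = false;
    char quote = 0;
    for (; pos < n; ++pos) {
        const char c = xml[pos];
        if (quote) { if (c == quote) quote = 0; continue; }
        if (c == '"' || c == '\'') { quote = c; continue; }
        if (c == '[') { inSubset = true; continue; }
        if (c == ']') { inSubset = false; continue; }
        if (c == '>' && !inSubset) break;
        if (startsWithNoCase(xml, pos, "SYSTEM") || startsWithNoCase(xml, pos, "PUBLIC"))
            return DtdKind::External;
    }
    return DtdKind::Internal;
}

// Policy: documents referencing an external DTD or external entity are always
// rejected; internal-only DTDs are accepted only when the caller allows them
// (allowInternalDtd = false corresponds to disabling DTD processing outright).
bool acceptDocument(const std::string& xml, bool allowInternalDtd) {
    switch (classifyDtd(xml)) {
        case DtdKind::External: return false;
        case DtdKind::Internal: return allowInternalDtd;
        default:                return true;
    }
}

int main() {
    // Constructed sample inputs (not real traffic).
    const std::string plain    = "<?xml version=\"1.0\"?>\n<root/>";
    const std::string external = "<?xml version=\"1.0\"?><!DOCTYPE root SYSTEM "
                                 "\"http://dtd.example.invalid/root.dtd\"><root/>";
    const std::string internal = "<!DOCTYPE root [<!ELEMENT root (#PCDATA)>]><root/>";
    const std::string extEnt   = "<!DOCTYPE root [<!ENTITY ext SYSTEM "
                                 "\"http://dtd.example.invalid/ext.ent\">]><root>&ext;</root>";
    for (const std::string* doc : {&plain, &external, &internal, &extEnt}) {
        std::cout << (acceptDocument(*doc, false) ? "accept" : "reject")
                  << " (no DTD allowed): " << doc->substr(0, 40) << "...\n";
    }
    return 0;
}
```

The gatekeeper is deliberately conservative: it may reject a legitimate document whose root element name begins with SYSTEM or PUBLIC, but it never lets a document with an external identifier through. It does not replace the parser-side settings named above; use both, so that a document which slips past one layer is still stopped by the other.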