Skip to content

OSG-SEC-2022-03-31 CRITICAL Expat XML parser arbitrary code execution vulnerability

Dear OSG Security Contacts,

Vulnerabilities have been found concerning the expat XML parser, including two which may lead to arbitrary code execution[1][2][3]. The expat XML parser is a library, written in C, which is a dependency for various other software, including VOMS server and client.

IMPACTED VERSIONS:

xmltok_impl.c in Expat (aka libexpat) before 2.4.5

WHAT ARE THE VULNERABILITIES:

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs.

Of principal concern are VOMS client and server packages, as well as HTCondor which also utilizes the VOMS library.

WHAT YOU SHOULD DO:

Sites running software which is dependent on expat should update urgently, including those running a VOMS server or client. They should then restart the updated service [4][5][6].

REFERENCES

[1] https://access.redhat.com/errata/RHSA-2022:1069

[2] https://access.redhat.com/security/cve/cve-2022-25235

[3] https://access.redhat.com/security/cve/cve-2022-25235

[4] http://mirror.centos.org/centos/7/updates/x86_64/Packages/

[5] https://security-tracker.debian.org/tracker/CVE-2022-25235

[6] https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-25235

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team