CVE-2018-1311: Apache Xerces-C use-after-free vulnerability processing external DTD

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library < 3.2.5

Description:
The Xerces-C XML parser contains a use-after-free error triggered during the scanning of external DTDs. The bug allows for a denial of service attack in applications that process external DTDs and do not prevent their use, and could conceivably result in remote code execution if the heap were groomed.

Mitigation:
This flaw has not been addressed in the maintained version of the library and has no current mitigation other than to disable DTD processing. This can be accomplished via the DOM using a standard parser feature, or via SAX using the XERCES_DISABLE_DTD environment variable. Applications should strongly consider blocking remote entity resolution and/or disabling DTD processing in light of the continued identification of bugs in this area of the library.

Credit:
This issue was reported by the UK's National Cyber Security Centre (NCSC).

References:
http://xerces.apache.org/xerces-c/secadv/CVE-2018-1311.txt

Last Updated: 2023-12-20 - Update affected versions.