CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input

Wessel, Keith kwessel at illinois.edu
Mon Mar 14 17:30:15 EDT 2016


Ah, so Red Hat did release a patch for this last week? Excellent!

Am I correct that an unpatched system is susceptible to a remote code execution, or is it just a service crash?

Keith


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Cantor, Scott
Sent: Monday, March 14, 2016 4:00 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input

> Our security guys are trying to figure out how big of a deal this is. Can this just
> crash things, or can it open up the server to remote code execution? The CVE
> seems to apply this.

I considered it a risk of RCE. I'm not really equipped to judge and I erred on the side of caution. Red Hat classified it Important, and did not treat it as one. They probably know better, but who knows?

> We're in a rough spot right now since the vendors, Red Hat in particular,
> seem to not have released a patch yet, in line with Scott's observation about
> how slow they were last time.

They did last week I think? Or before that...

I'm as critical as anybody, but I think they did ok this time.

> We need to know if we need to offer a
> patched RPM to campus non-Windows SP operators, but we're struggling
> trying to figure out the severity. DOS attacks and crashing processes aren't
> good, but they're certainly not as bad as remote code execution.

Agreed, I personally treat DOS issues at this point as just irrelevant, though I don't apply that standard to the project and our treatment of them.

-- Scott
