ID

VAR-202202-0050

CVE

CVE-2022-25235

TITLE

Expat  Encoding and escaping vulnerabilities in

DESCRIPTION

xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. Expat ( alias libexpat) Exists in encoding and escaping vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: xmlrpc-c security update Advisory ID: RHSA-2022:1539-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:1539 Issue date: 2022-04-26 CVE Names: CVE-2022-25235 ===================================================================== 1. Summary: An update for xmlrpc-c is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux BaseOS E4S (v. 8.1) - aarch64, ppc64le, s390x, x86_64 3. Description: XML-RPC is a remote procedure call (RPC) protocol that uses XML to encode its calls and HTTP as a transport mechanism. The xmlrpc-c packages provide a network protocol to allow a client program to make a simple RPC (remote procedure call) over the Internet. It converts an RPC into an XML document, sends it to a remote server using HTTP, and gets back the response in XML. Security Fix(es): * expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution 6. Package List: Red Hat Enterprise Linux BaseOS E4S (v. 8.1): Source: xmlrpc-c-1.51.0-5.el8_1.1.src.rpm aarch64: xmlrpc-c-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.aarch64.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.aarch64.rpm ppc64le: xmlrpc-c-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.ppc64le.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.ppc64le.rpm s390x: xmlrpc-c-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.s390x.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.s390x.rpm x86_64: xmlrpc-c-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-apps-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-c++-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-client++-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-client-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-client-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-debuginfo-1.51.0-5.el8_1.1.x86_64.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.i686.rpm xmlrpc-c-debugsource-1.51.0-5.el8_1.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-25235 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYmga8dzjgjWX9erEAQgapw//XhcvNxYnp6Qtm/aJepfUAUEL5c3eXy4d u9bXtLD3mLIyJH6K698F74TxK8uIeC00t0jw/M5y57YORd+bMt13H1bgKf3DCBw7 G8MHTwWhwhT1ex8jJo3TcG05+ounKqs70J+MtlpxDNOpUEpbX8mDsWE53SYeYr76 l/ibI229I/nJO8vboz/Qmg3vcTI+k8iGJNnqVN2THRtgUXfZ4CnbNFzKe3x1VX8b uttEBxp6tOnXjqLJ4XCeywJbA1ef44nvD6BhIznxZ2MfUEgRBdLM63AcTzTFk8Ie 2slI9OfBtCVaJV9UnQxrrY12nY1RS6Vjp//NqhEMxEYcq2XozBLMXMitrHdXPwb7 rB8KUdtTdv7caHVWb6l94eOrTM8qAA6wgkQ8DYvzX+5CWj7cHSQUcduBp4OdL6b+ p4skOpKWVgQUgxvoEknT9wLuUzzD7hqoQbPTGxRtgBD4dAvWAKO+jAcHWcLtS/dw R537E4emI7BvPVXoT6OeLN9u8cr+0/nJIdB5JZwLqx2vQ+nkl5k0nyVDvIr2R6Cy yrFF0nZWDpKWD28TtlKZsa9NQe/YRPSbmrEW1fLD+NudzhuLQZcNb7/sRKZEuxv1 kXArqwtv1pU3+EUM70nvmmRRb2KH2a9983S4HfTb129fcSgXeglYIekTVHA3jARH rbuSYb0t5Ew= =NpRA -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. Bugs fixed (https://bugzilla.redhat.com/): 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic 2000478 - Using deprecated 1.25 API calls 2022742 - NNCP creation fails when node of a cluster is unavailable 2024938 - CVE-2021-41190 opencontainers: OCI manifest and index parsing confusion 2028619 - policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+ 2029359 - NodeNetworkConfigurationPolicy refreshes all the conditions even if the policy has not gone to that state 2032837 - Add/remove label to priority class are not reconciled properly left HCO in Unknown status. 2033385 - Bug in kubernetes labels that are attached to the CNV logs 2038814 - [CNV-4.10-rhel9] hyperconverged-cluster-cli-download pod CrashLoopBackOff state 2039019 - Fix Top consumers dashboard 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2046686 - Importer pod keeps in retarting when dataimportcron has a reference to invalid image sha 2049990 - must-gather: must-gather is logging errors about upstream only namespaces 2053390 - No DataImportCron for CentOS 7 2054778 - PVC created with filesystem volume mode in some cases, instead of block volume mode 2054782 - DataImportCron status does not show failure when failing to create dataSource 2055304 - [4.10.z] nmstate interprets interface names as float64 and subsequently crashes on state update 2055950 - cnv installation should set empty node selector for openshift-cnv namespace 2056421 - non-privileged user cannot add disk as it cannot update resource "virtualmachines/addvolume" 2056464 - nmstate-webhook pods getting scheduled on the same node 2056619 - [4.10.z] kubemacpool-mac-controller-manager not ready 2057142 - CDI aggregate roles missing some types 2057148 - Cross namespace smart clone may get stuck in NamespaceTransferInProgress phase 2057613 - nmpolicy capture - race condition when appying teardown nncp; nnce fails 2059185 - must-gather: Must-gather gather_vms_details is not working when used with a list of vms 2059613 - Must-gather: for vms with longer name, gather_vms_details fails to collect qemu, dump xml logs 2062227 - sriovLiveMigration should not be enabled on sno clusters 2062321 - when update attempt of hco.spec with storage classes failed, csv git stuck in installing state 2063991 - On upgraded cluster, "v2v-vmware" is present under hco.status.relatedObject 2065308 - CNV disables LiveMigration FG, but leaves LiveMigration workloadUpdateStrategy enabled 2065743 - 4.10.1 containers 2065755 - 4.10.1 rpms 2066086 - DataImportCrons do not automatically recover from unconfigured default storage class 2066712 - [4.10.z] Migration of vm from VMware reports pvc not large enough 2069055 - [4.10.z] On an upgraded cluster NetworkAddonsConfig seems to be reconciling in a loop 2070050 - [4.10.1] Custom guest PCI address and boot order parameters are not respected in a list of multiple SR-IOV NICs 2073880 - Cannot create VM on SNO cluster as live migration feature is not enabled 2077920 - Migration in sequence can be reported as failed even when it succeeded 2078878 - SSP: Common templates fix to pick right templates 5. Summary: OpenShift Serverless version 1.22.0 contains a moderate security impact. This release includes security and bug fixes and enhancements. For more information, see the documentation linked in the Solution section. Bugs fixed (https://bugzilla.redhat.com/): 2020725 - CVE-2021-41771 golang: debug/macho: invalid dynamic symbol table command can cause panic 2020736 - CVE-2021-41772 golang: archive/zip: Reader.Open panics on empty string 5. References: https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2021-3999 https://access.redhat.com/security/cve/CVE-2021-23177 https://access.redhat.com/security/cve/CVE-2021-31566 https://access.redhat.com/security/cve/CVE-2021-41771 https://access.redhat.com/security/cve/CVE-2021-41772 https://access.redhat.com/security/cve/CVE-2021-45960 https://access.redhat.com/security/cve/CVE-2021-46143 https://access.redhat.com/security/cve/CVE-2022-0778 https://access.redhat.com/security/cve/CVE-2022-21426 https://access.redhat.com/security/cve/CVE-2022-21434 https://access.redhat.com/security/cve/CVE-2022-21443 https://access.redhat.com/security/cve/CVE-2022-21449 https://access.redhat.com/security/cve/CVE-2022-21476 https://access.redhat.com/security/cve/CVE-2022-21496 https://access.redhat.com/security/cve/CVE-2022-22822 https://access.redhat.com/security/cve/CVE-2022-22823 https://access.redhat.com/security/cve/CVE-2022-22824 https://access.redhat.com/security/cve/CVE-2022-22825 https://access.redhat.com/security/cve/CVE-2022-22826 https://access.redhat.com/security/cve/CVE-2022-22827 https://access.redhat.com/security/cve/CVE-2022-23218 https://access.redhat.com/security/cve/CVE-2022-23219 https://access.redhat.com/security/cve/CVE-2022-23308 https://access.redhat.com/security/cve/CVE-2022-23852 https://access.redhat.com/security/cve/CVE-2022-25235 https://access.redhat.com/security/cve/CVE-2022-25236 https://access.redhat.com/security/cve/CVE-2022-25315 For details about the security issues see these CVE pages: * https://access.redhat.com/security/updates/classification/#low * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index * https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index 6. Summary: The Migration Toolkit for Containers (MTC) 1.5.4 is now available. Description: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Bugs fixed (https://bugzilla.redhat.com/): 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic 5. Description: Red Hat Advanced Cluster Management for Kubernetes 2.3.8 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.3/html/release_notes/ Security updates: * nanoid: Information disclosure via valueOf() function (CVE-2021-23566) * nodejs-shelljs: improper privilege management (CVE-2022-0144) * follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155) * node-fetch: exposure of sensitive information to an unauthorized actor (CVE-2022-0235) * follow-redirects: Exposure of Sensitive Information via Authorization Header leak (CVE-2022-0536) Bug fix: * RHACM 2.3.8 images (Bugzilla #2062316) 3. Bugs fixed (https://bugzilla.redhat.com/): 2043535 - CVE-2022-0144 nodejs-shelljs: improper privilege management 2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor 2044591 - CVE-2022-0235 node-fetch: exposure of sensitive information to an unauthorized actor 2050853 - CVE-2021-23566 nanoid: Information disclosure via valueOf() function 2053259 - CVE-2022-0536 follow-redirects: Exposure of Sensitive Information via Authorization Header leak 2062316 - RHACM 2.3.8 images 5. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 Service Pack 10, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es): * expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution (CVE-2022-25235) * expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution (CVE-2022-25236) * expat: Integer overflow in storeRawNames() (CVE-2022-25315) * httpd: Request splitting via HTTP/2 method injection and mod_proxy (CVE-2021-33193) * httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path (CVE-2021-36160) * httpd: Out-of-bounds write in ap_escape_quotes() via malicious input (CVE-2021-39275) * httpd: NULL pointer dereference via crafted request during HTTP/2 request processing (CVE-2021-41524) * httpd: possible NULL dereference or SSRF in forward proxy configurations (CVE-2021-44224) * expat: Large number of prefixed XML attributes on a single tag can crash libexpat (CVE-2021-45960) * expat: Integer overflow in doProlog in xmlparse.c (CVE-2021-46143) * expat: Integer overflow in addBinding in xmlparse.c (CVE-2022-22822) * expat: Integer overflow in build_model in xmlparse.c (CVE-2022-22823) * expat: Integer overflow in defineAttribute in xmlparse.c (CVE-2022-22824) * expat: Integer overflow in lookup in xmlparse.c (CVE-2022-22825) * expat: Integer overflow in nextScaffoldPart in xmlparse.c (CVE-2022-22826) * expat: Integer overflow in storeAtts in xmlparse.c (CVE-2022-22827) * expat: Integer overflow in function XML_GetBuffer (CVE-2022-23852) * expat: stack exhaustion in doctype parsing (CVE-2022-25313) * expat: integer overflow in copyString() (CVE-2022-25314) * expat: integer overflow in the doProlog function (CVE-2022-23990) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. After installing the updated packages, the httpd daemon will be restarted automatically. Bugs fixed (https://bugzilla.redhat.com/): 1966728 - CVE-2021-33193 httpd: Request splitting via HTTP/2 method injection and mod_proxy 2005119 - CVE-2021-39275 httpd: Out-of-bounds write in ap_escape_quotes() via malicious input 2005124 - CVE-2021-36160 httpd: mod_proxy_uwsgi: out-of-bounds read via a crafted request uri-path 2010934 - CVE-2021-41524 httpd: NULL pointer dereference via crafted request during HTTP/2 request processing 2034672 - CVE-2021-44224 httpd: possible NULL dereference or SSRF in forward proxy configurations 2044451 - CVE-2021-45960 expat: Large number of prefixed XML attributes on a single tag can crash libexpat 2044455 - CVE-2021-46143 expat: Integer overflow in doProlog in xmlparse.c 2044457 - CVE-2022-22822 expat: Integer overflow in addBinding in xmlparse.c 2044464 - CVE-2022-22823 expat: Integer overflow in build_model in xmlparse.c 2044467 - CVE-2022-22824 expat: Integer overflow in defineAttribute in xmlparse.c 2044479 - CVE-2022-22825 expat: Integer overflow in lookup in xmlparse.c 2044484 - CVE-2022-22826 expat: Integer overflow in nextScaffoldPart in xmlparse.c 2044488 - CVE-2022-22827 expat: Integer overflow in storeAtts in xmlparse.c 2044613 - CVE-2022-23852 expat: Integer overflow in function XML_GetBuffer 2048356 - CVE-2022-23990 expat: integer overflow in the doProlog function 2056350 - CVE-2022-25313 expat: stack exhaustion in doctype parsing 2056354 - CVE-2022-25314 expat: integer overflow in copyString() 2056363 - CVE-2022-25315 expat: Integer overflow in storeRawNames() 2056366 - CVE-2022-25235 expat: Malformed 2- and 3-byte UTF-8 sequences can lead to arbitrary code execution 2056370 - CVE-2022-25236 expat: Namespace-separator characters in "xmlns[:prefix]" attribute values can lead to arbitrary code execution 6. Description: Expat is a C library for parsing XML documents

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

overflow, code execution

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-12-22T21:48:13.972000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE