ID

VAR-202408-2626

CVE

CVE-2024-45490

TITLE

libexpat project  of  libexpat  In  XML  External entity vulnerabilities

DESCRIPTION

An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. libexpat project of libexpat for, XML There is a vulnerability in an external entity.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The RUGGEDCOM RST2428P is a Layer 2 Ethernet switch based on the SINEC operating system with up to 28 non-blocking interfaces. SCALANCE X switches are used to connect industrial components such as programmable logic controllers (PLCs) or human-machine interfaces (HMIs). Multiple vulnerabilities in third-party components of Siemens' SINEC OS could allow attackers to gain control of the server. ========================================================================== Ubuntu Security Notice USN-7001-2 September 17, 2024 libxmltok vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS Summary: Several security issues were fixed in libxmltok. Software Description: - libxmltok: XML Parser Toolkit, developer libraries Details: USN-7001-1 fixed vulnerabilities in xmltol library. This update provides the corresponding updates for Ubuntu 24.04 LTS. Original advisory details: Shang-Hung Wan discovered that Expat, contained within the xmltok library, did not properly handle certain function calls when a negative input length was provided. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2024-45490) Shang-Hung Wan discovered that Expat, contained within the xmltok library, did not properly handle the potential for an integer overflow on 32-bit platforms. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. (CVE-2024-45491) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS libxmltok1t64 1.2-4.1ubuntu2.24.0.4.1+esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-7001-2 https://ubuntu.com/security/notices/USN-7001-1 CVE-2024-45490, CVE-2024-45491 . For the stable distribution (bookworm), these problems have been fixed in version 2.5.0-1+deb12u1. We recommend that you upgrade your expat packages. For the detailed security status of expat please refer to its security tracker page at: https://security-tracker.debian.org/tracker/expat Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmbp6EIACgkQEMKTtsN8 Tjb+0hAAsAHl9didzh1S8vHaLH8P8I1XT0302RGP1N6r4BKvjEozuTKml28F3NEK 9IplBZXH8GM6tnF1/gRJf5Dp4YsL7H+nYUjbkZEdLM2TztRoy4wnITxUwqQ7q1ly /bWMuyaoUn9jZu6SA+yEL68DtbXpFbs8IAOE3kqPsbcWvJ7O7LU3Ajjw5aWYwxV0 kdVyI67rBkfWAdyFRjlkxF62+ieR9sjpKNDKK1nmO+I8eEF5E/WOXsfPlzcKwax2 mMhisTscEIvaBSKCaQICCojYbvju8KW8B+NsJMsyRbPoimTyzE2n4VBk0ZNHjv+w sIddwdgzXpWHHRbVtl6zjiZvzxUtphp6tHstxoW8YZQKkQiwqqlpONqXKWG1yR0o pltUr7JjTylDo41M21yK/WizdxFkdrUJi4drKTONekvbhUEaTLaoR/ywYi0Za7T0 sUguAJk25id2px3LdTvMhQywTNmL103LkFfq1WIXL9x+yzYdKos8P3qu9DIaIqms R4dy2xMhiJwVyQXi74Tte9h5n6FXET1Z8MoyxFOVI6SQ5FBXJMmL48r6Uwhb09tH ZL2VNUequSC2L4uGozFFaHvr3M606srokRbo18XvNTNUvApJjAFt/WTnOjKUDuJM 08PjLw6brD/XBR6p/NKX8vMQmmXClyKwB97SG1MYu/MfdJK/7wQ= =bEe8 -----END PGP SIGNATURE----- . The following advisory data is extracted from: https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_9610.json Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment. - Packet Storm Staff ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.17.5 security update Advisory ID: RHSA-2024:9610-03 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2024:9610 Issue date: 2024-11-25 Revision: 03 CVE Names: CVE-2024-45490 ==================================================================== Summary: Red Hat OpenShift Container Platform release 4.17.5 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.17. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.17.5. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2024:9613 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.17/release_notes/ocp-4-17-release-notes.html Security Fix(es): * libexpat: Negative Length Parsing Vulnerability in libexpat (CVE-2024-45490) * libexpat: Integer Overflow or Wraparound (CVE-2024-45491) * libexpat: integer overflow (CVE-2024-45492) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.17 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.17/updating/updating_a_cluster/updating-cluster-cli.html Solution: CVEs: CVE-2024-45490 References: https://access.redhat.com/security/updates/classification/#moderate https://bugzilla.redhat.com/show_bug.cgi?id=2308615 https://bugzilla.redhat.com/show_bug.cgi?id=2308616 https://bugzilla.redhat.com/show_bug.cgi?id=2308617 https://issues.redhat.com/browse/OCPBUGS-16141 https://issues.redhat.com/browse/OCPBUGS-42835 https://issues.redhat.com/browse/OCPBUGS-42879 https://issues.redhat.com/browse/OCPBUGS-42931 https://issues.redhat.com/browse/OCPBUGS-42949 https://issues.redhat.com/browse/OCPBUGS-42964 https://issues.redhat.com/browse/OCPBUGS-43427 https://issues.redhat.com/browse/OCPBUGS-43657 https://issues.redhat.com/browse/OCPBUGS-43667 https://issues.redhat.com/browse/OCPBUGS-43690 https://issues.redhat.com/browse/OCPBUGS-43778 https://issues.redhat.com/browse/OCPBUGS-43972 https://issues.redhat.com/browse/OCPBUGS-44227 https://issues.redhat.com/browse/OCPBUGS-44357 https://issues.redhat.com/browse/OCPBUGS-44452

IOT TAXONOMY

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

arbitrary

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Ubuntu

SOURCES

LAST UPDATE DATE

2026-06-18T20:44:20.144000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE