Flaws in popular parser prompt updates from numerous downstream vendors


IBM has updated data management platform Db2 in order to protect users from a pair of critical vulnerabilities in older versions of Expat, a third-party library.

Both flaws notched a CVSS score of 9.8 and each potentially allowed attackers to execute arbitrary code on vulnerable systems because of integer overflow issues.

The integer overflows sit in Expat's XML_GetBuffer (CVE-2022-23852) and doProlog (CVE-2022-23990) functions. The XML_GetBuffer overflow is reachable in builds compiled with a nonzero XML_CONTEXT_BYTES, which is the default configuration.
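To make the bug class concrete, here is an added illustration in C. It is not Expat's code and does not reproduce its parser; it models only the shape of the XML_GetBuffer problem: a parser keeps `used` bytes of unconsumed input and the caller asks for room for `len` more, with both sizes held in `int` as in Expat's `XML_GetBuffer(XML_Parser, int len)` API. The `Buffer` type, the function names and the 64-byte scenario are all constructed for this example.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parser buffer (not Expat's struct). */
typedef struct {
    char *data;
    int   used;   /* unconsumed bytes retained across calls */
    int   cap;    /* allocated size */
} Buffer;

/* Vulnerable shape. The real bug adds two ints; signed overflow is
 * undefined behaviour in C, so the wrap is modelled here in unsigned
 * arithmetic to make it deterministic (two's complement, as every
 * mainstream compiler does). When used + len exceeds INT_MAX the sum
 * wraps negative, the "needs growth" test is false, and the caller gets
 * a pointer with far fewer than `len` bytes free behind it. The copy
 * that follows is a heap overflow. */
char *get_buffer_vulnerable(Buffer *b, int len) {
    int needed = (int)((unsigned)b->used + (unsigned)len);
    if (needed > b->cap) {
        char *nd = realloc(b->data, (size_t)needed);
        if (!nd) return NULL;
        b->data = nd;
        b->cap = needed;
    }
    return b->data + b->used;
}

/* Hardened shape: reject negative requests and any sum that would exceed
 * INT_MAX *before* doing the arithmetic. Returns NULL on overflow or OOM. */
char *get_buffer_checked(Buffer *b, int len) {
    if (len < 0 || b->used > INT_MAX - len) return NULL;
    int needed = b->used + len;             /* cannot overflow now */
    if (needed > b->cap) {
        char *nd = realloc(b->data, (size_t)needed);
        if (!nd) return NULL;
        b->data = nd;
        b->cap = needed;
    }
    return b->data + b->used;
}

/* Constructed scenario: a 64-byte buffer with 16 bytes already retained,
 * then a request for `len` more bytes. Returns how many bytes are really
 * free at the returned pointer, or -1 if the call refused the request. */
int demo_request(int checked, int len) {
    Buffer b;
    b.cap  = 64;
    b.used = 16;
    b.data = malloc((size_t)b.cap);
    if (!b.data) return -1;
    memset(b.data, 'x', (size_t)b.cap);

    char *p = checked ? get_buffer_checked(&b, len)
                      : get_buffer_vulnerable(&b, len);
    int free_bytes = p ? b.cap - (int)(p - b.data) : -1;
    free(b.data);
    return free_bytes;
}

int main(void) {
    printf("vulnerable, len=INT_MAX: %d bytes free\n", demo_request(0, INT_MAX));
    printf("checked,    len=INT_MAX: %d (refused)\n", demo_request(1, INT_MAX));
    printf("checked,    len=100:     %d bytes free\n", demo_request(1, 100));
    return 0;
}
```

The vulnerable call "succeeds" for an INT_MAX request while leaving only 48 bytes usable; the checked version returns NULL instead, which is the behaviour a caller must handle rather than assume the buffer is large enough.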


If exploited, the bugs “could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS)”, according to related advisories from NetApp, which is working on fixes for several of its own vulnerable products.

IBM Db2 is only one of many enterprise products that bundle Expat (aka libexpat), a C library for parsing XML that dates back to 1997 and “excels with files too large to fit RAM, and where performance and flexibility are crucial”, according to its maintainers.

Downstream patches

The maintainers of Expat patched the flaws in version 2.4.4, which dropped on January 30, 2022.

The bugs affect Db2 versions 9.7.x, 10.1.x, 10.5.x, and 11.1.x.

IBM has advised customers running vulnerable fixpack levels to download a corresponding special build containing an interim fix. “These special builds are available based on the most recent fixpack level for each impacted release: V9.7 FP11, V10.1 FP6, V10.5 FP11, and V11.1.4 FP6,” reads an IBM security bulletin issued on April 20.

The Expat flaws have also prompted updates to the Oracle Communications MetaSolv Solution and Red Hat Enterprise Linux.

Pulse Secure has scheduled releases addressing the issues for a number of products, including Pulse Desktop Client, Pulse Connect Secure, and Ivanti Connect Secure, and is still investigating whether certain other products are vulnerable too.

There have been other related advisories from Linux distribution Ubuntu, Cisco in relation to its 8000 Series of video surveillance cameras, and Dell EMC regarding its VxRail hyper-converged infrastructure (storage) appliances.
