Vigil@nce - Apache Xerces-C: denial of service via a deeply nested DTD
August 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can submit an XML document including a deeply nested
DTD to Apache Xerces-C, in order to trigger a denial of service.
Impacted products: Xerces-C++, Debian, Fedora, openSUSE,
Shibboleth SP.
Severity: 2/4.
Creation date: 30/06/2016.
DESCRIPTION OF THE VULNERABILITY
The Apache Xerces-C XML parser handles Document Type Definition,
including the internal part in an XML document.
DTDs are recursively parsed. However, Xerces does not limit the
depth of the element definitions in the DTD. So a very deeply
nested DTD can make the parser stack grow until its limit. This
overflow kills the application process.
An attacker can therefore submit an XML document including a
deeply nested DTD to Apache Xerces-C, in order to trigger a denial
of service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/Apache-Xerces-C-denial-of-service-via-a-deeply-nested-DTD-20001