Environment
NetIQ Access Manager 4.1
NetIQ Access Manager 4.0
Situation
Resolution
Access Manager 4.x does not use this Xerces library and is therefore not susceptible to this attack. The NAM 3.1 Linux Access Gateway (LAG) did use it, but that release is long out of support.
Additional Information
CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache Xerces-C XML Parser library versions prior to V3.1.3
Description: The Xerces-C XML parser mishandles certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. The overflows can manifest as a segmentation fault or as memory corruption during a parse operation. The bugs allow for a denial of service attack in many applications by an unauthenticated attacker, and could conceivably result in remote code execution.
Mitigation: Applications that are using library versions older than V3.1.3 should upgrade as soon as possible. Distributors of older versions should apply the patches from this subversion revision:
http://svn.apache.org/viewvc?view=revision&revision=1727978
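The following is an added example, not part of the NetIQ article or the Apache advisory: a small POSIX shell check that compares an installed Xerces-C version against the 3.1.3 threshold from the advisory. It assumes the library ships a pkg-config file named xerces-c; the version-compare function can also be fed a version string taken from rpm or dpkg.

```shell
#!/bin/sh
# Added example (not from the KB article or the Apache advisory).
# xerces_affected VERSION returns 0 when VERSION is older than 3.1.3,
# the first release that fixes CVE-2016-0729, and 1 otherwise.
xerces_affected() {
    ver="$1"
    # Drop any packaging suffix such as "-1" or "+dfsg" before comparing.
    ver="${ver%%[!0-9.]*}"
    # Split on "." into major/minor/patch; missing components count as 0.
    oldifs="$IFS"; IFS=.; set -- $ver; IFS="$oldifs"
    major="${1:-0}"; minor="${2:-0}"; patch="${3:-0}"
    # Component-wise comparison against (3, 1, 3).
    [ "$major" -lt 3 ] && return 0
    [ "$major" -gt 3 ] && return 1
    [ "$minor" -lt 1 ] && return 0
    [ "$minor" -gt 1 ] && return 1
    [ "$patch" -lt 3 ] && return 0
    return 1
}

# Query the installed version via pkg-config (assumption: the xerces-c .pc
# file is present; "rpm -q xerces-c" or "dpkg -s libxerces-c-dev" are
# alternatives on packaged systems). Fails when nothing is found.
installed_xerces_version() {
    command -v pkg-config >/dev/null 2>&1 || return 1
    pkg-config --modversion xerces-c 2>/dev/null
}

if ver=$(installed_xerces_version); then
    if xerces_affected "$ver"; then
        echo "xerces-c $ver is older than 3.1.3: affected by CVE-2016-0729, upgrade"
    else
        echo "xerces-c $ver is 3.1.3 or newer: not affected by CVE-2016-0729"
    fi
else
    echo "xerces-c not found via pkg-config; check the package manager instead"
fi
```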
Credit: This issue was reported by Gustavo Grieco.
References: