Access Manager and CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input

Document ID:7017306
Creation Date:29-Feb-2016
Modified Date:29-Feb-2016
- Micro Focus Products:
  Access Manager (NAM)

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
NetIQ Access Manager 4.0

Situation

An Apache library vulnerability (CVE-2016-0729) was recently issued where Apache Xerces-C XML Parser Crashes on Malformed Input. Since Access Manager components deal with a lot of XML exchanges, can we confirm whether any of the NAM components are effected by this vulnerability?

Resolution

Access Manager 4.x does not use this Xerces library and is therefor not susceptible to attack. The NAM 3.1 Linux Access Gateway (LAG) did use it but this is long out of support.

Additional Information

CVE-2016-0729: Apache Xerces-C XML Parser Crashes on Malformed Input

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache Xerces-C XML Parser library versions

prior to V3.1.3

Description: The Xerces-C XML parser mishandles certain kinds of malformed

input documents, resulting in buffer overlows during processing and error

reporting. The overflows can manifest as a segmentation fault or as memory

corruption during a parse operation. The bugs allow for a denial of service

attack in many applications by an unauthenticated attacker, and could

conceivably result in remote code execution.

Mitigation: Applications that are using library versions older than

V3.1.3 should upgrade as soon as possible. Distributors of older versions

should apply the patches from this subversion revision:

http://svn.apache.org/viewvc?view=revision&revision=1727978

Credit: This issue was reported by Gustavo Grieco.

References:

http://xerces.apache.org/xerces-c/secadv/CVE-2016-0729.txt