Hewlett Packard Enterprise (HPE) issued a critical alert Wednesday tied to its OneView infrastructure management platform warning of a use-after-free vulnerability that allows remote attackers to execute arbitrary code on targeted systems, leak data or create conditions ripe for a denial-of-service (DoS) attack.
The flaw is tied to the use of third-party code called Expat XML parser. Tracked as CVE-2022-40674, HPE scores the bug with a severity rating of 9.8. The vulnerable code has impacted bevy of other vendors' enterprise-class software including NetApp and IBM, which both released critical warnings to customers to mitigate the same flaw.
There are no public reports that the vulnerability is being exploited in the wild or that a public proof-of-concept attack exists.
Both IBM and NetApp offer remediation, however the vendors indicate there is no workarounds or mitigations to the specific Expat flaw. Alternatively, both vendors offer upgrades that secure effected products.
Open-source code vulnerabilities represent an ongoing challenge to AppDev and AppSec teams and have triggered major security issues such as Log4j. Challenges are so pervasive that IT business leaders, such as Matt Sanders, director of security, LogRhythm, have begun to ask, “Do we need to regulate the security of open-source code?”.
Last week NetApp warned users that the Expat flaw impacted eleven of its enterprise products. NetApp indicated it is still investigating whether any host utilities for SAN for Windows may also impacted. In October IBM warned its Tivoli Monitoring solution was impacted by the bug.
An OWASP explains a heap use-after-free flaw is triggered by freed memory can cause a program to crash. "Use after free errors occur when a program continues to use a pointer after it has been freed," it wrote.
A successful exploitation of the bug, NetApp warned, “could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service.”
The Expat XML parser is a stream-oriented XML parser library written in the coding language C, according to a GitHub repository entry. “Expat excels with files too large to fit RAM, and where performance and flexibility are crucial,” a repository maintainers wrote.
HPE explained that Expat is used by its OneView platform to parse various XMLs. The bug, HPE said, only impacts versions of HPE OneView prior to 8.1. In a technical summary, HPE explained vulnerable systems allow an “attacker to triage a denial of service or potentially arbitrary code execution.”
The Expat flaw was originally made public in September. Since then, the CVE has been updated many times to reflect additionally impacted vendors. The Tuesday update by NIST, to the CVE record, indicates the vulnerability is “undergoing reanalysis and not all information is available.”
NIST wrote, versions of Expat (libexpat) before 2.4.9 have a use-after-free in the doContent function in xmlparse.c. It rates the bug as high severity, based on the CVSS 3.x metrics. Other vendors have rated the vulnerability as critical.
Security researcher Rhodri James is credited for discovering the vulnerability. A request to open-source author of Expat, James Clark, was not immediately returned. Clark describes Expat as “the world's fastest XML parser.”