According to HPE, the flaw affects only HPE OneView versions older than 8.1 and appears to be potentially as dangerous as Log4j.
Hewlett Packard Enterprise (HPE) on Wednesday released a critical alert for its OneView infrastructure management platform concerning a use-after-free vulnerability that enables remote attackers to execute arbitrary code on targeted systems, leak data, or set up the conditions for a denial-of-service (DoS) attack.
The bug stems from the platform's use of the Expat XML parser, a third-party component. HPE references it under the tracking number CVE-2022-40674 with a severity level of 9.8. The vulnerable code has also affected enterprise-class software from many other vendors, including NetApp and IBM, both of which have sent customers critical warnings about the same flaw.
There are no public reports of the flaw being exploited in the wild or of a proof-of-concept exploit being released. The vendors state that there are no mitigations or workarounds for the Expat fault itself; instead, IBM and NetApp both provide upgrades that protect the affected products.
Flaws in open source code pose a continuing challenge to AppDev and AppSec teams and have led to major security incidents such as Log4j. The problem is so pervasive that IT industry leaders, such as Matt Sanders, director of security at LogRhythm, are starting to consider regulating the security of open source technology.
NetApp informed customers last week that eleven of its enterprise products are affected by the Expat fault, and that it is still investigating whether its SAN host utilities for Windows are also impacted. In October, IBM issued a bug alert for its Tivoli Monitoring product.
According to the project's GitHub repository, Expat is a stream-oriented XML parser library written in C. The repository's maintainers note, “Expat excels with files too huge to fit RAM, and where efficiency and flexibility are critical.”
The Expat flaw was first disclosed in September, and the CVE record has since been updated repeatedly to reflect additional affected vendors. According to NIST's Tuesday update to the record, the vulnerability is “undergoing reanalysis and not all information is accessible.”
According to NIST, Expat (libexpat) versions prior to 2.4.9 contain a use-after-free in the doContent function in xmlparse.c. Based on the CVSS 3.x metrics, NIST assigns the problem a High severity rating, while other vendors have rated it Critical.
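As an added example (not code from the article, nor from HPE, NetApp, IBM or the Expat project), the following Python script shows the inventory check a defender would run against the 2.4.9 fix threshold quoted above from the NIST record. It parses the `expat_X.Y.Z` string that libexpat's `XML_ExpatVersion()` and Python's own `pyexpat.EXPAT_VERSION` return, decides whether that build predates the fix, and reports the Expat linked into the running interpreter. The sample version strings at the bottom are constructed for illustration.

```python
import re
import pyexpat

# First release containing the fix for the doContent use-after-free
# (CVE-2022-40674), per the NIST record cited in the article.
FIXED_VERSION = (2, 4, 9)

# XML_ExpatVersion() and pyexpat.EXPAT_VERSION both return "expat_X.Y.Z".
_VERSION_RE = re.compile(r"^expat_(\d+)\.(\d+)\.(\d+)$")


def parse_expat_version(version_string):
    """Turn an 'expat_X.Y.Z' string into an integer (major, minor, micro) tuple."""
    match = _VERSION_RE.match(version_string.strip())
    if not match:
        raise ValueError("unrecognised Expat version string: %r" % version_string)
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True when a (major, minor, micro) tuple predates the 2.4.9 fix."""
    return tuple(version) < FIXED_VERSION


def linked_expat_version():
    """Version tuple of the libexpat linked into this Python interpreter."""
    return tuple(pyexpat.version_info)


def assess(version_string):
    """Build a small report record, suitable for feeding an asset inventory."""
    version = parse_expat_version(version_string)
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": is_vulnerable(version),
        "fixed_in": ".".join(map(str, FIXED_VERSION)),
    }


if __name__ == "__main__":
    local = linked_expat_version()
    print("Expat linked into this interpreter:", pyexpat.EXPAT_VERSION,
          "-> predates CVE-2022-40674 fix:", is_vulnerable(local))
    # Constructed sample strings, as an inventory tool might collect them
    # from hosts or application bundles.
    for sample in ("expat_2.4.8", "expat_2.4.9", "expat_2.5.0"):
        print(assess(sample))
```

Two caveats apply when reading the result. Distribution packages often backport the fix without changing the reported version, so a "vulnerable" verdict from a version string alone should be confirmed against the vendor or distribution advisory. Conversely, many applications (the products named in the article among them) bundle their own statically linked copy of Expat, so a patched system library says nothing about those copies; each bundled parser has to be checked or upgraded on its own.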