4 responses

Does nxlog-2.9.1716 still use LibExpat v2.0.1 and LibPCRE v8.02?

Impact:
LibPCRE v8.02 is vulnerable to DoS and code overflow.
LibExpat v2.0.1 has 4 publicly identified vulnerabilities.

References

https://www.cvedetails.com/vulnerability-list/vendor_id-12037/product_id-22545/version_id-129378/Libexpat-Expat-2.0.1.html
https://www.cvedetails.com/vulnerability-list/vendor_id-3265/product_id-5715/version_id-191791/Pcre-Pcre-8.02.html

Is it possible to update LibExpat to v2.1.0 and LibPCRE to v8.39?

Asked December 29, 2016 - 7:13am

Answer (1)

We are aware of these security issues in PCRE and Expat. The NXLog Enterprise Edition is already using pcre-8.39 and expat-2.2.

The MSI installer of the NXLog Community Edition v2.9.1716 still has the old libraries. If this is a concern I suggest going with the NXLog EE.

Comments (3)

  • magesh041985

    Thanks a lot for the very quick reply.

    I have submitted the request to download the trial version of the Enterprise Edition. Hope I will be able to download it soon.


  • magesh041985

    In the Enterprise Edition both libeay32.dll and ssleay32.dll are using old SSL versions. Also libpcre and libexpat are older versions.


    C:\Program Files (x86)\nxlog>strings.exe libeay32.dll | findstr "OpenSSL"
    OpenSSL: FATAL
    %s(%d): OpenSSL internal error, assertion failed: %s
    OpenSSL 1.0.2a 19 Mar 2015
    MD4 part of OpenSSL 1.0.2a 19 Mar 2015
    MD5 part of OpenSSL 1.0.2a 19 Mar 2015
    SHA part of OpenSSL 1.0.2a 19 Mar 2015
    SHA1 part of OpenSSL 1.0.2a 19 Mar 2015
    SHA-256 part of OpenSSL 1.0.2a 19 Mar 2015
    SHA-512 part of OpenSSL 1.0.2a 19 Mar 2015

    C:\Program Files (x86)\nxlog>strings.exe ssleay32.dll | findstr "OpenSSL"
    SSLv2 part of OpenSSL 1.0.2a 19 Mar 2015
    SSLv3 part of OpenSSL 1.0.2a 19 Mar 2015
    TLSv1 part of OpenSSL 1.0.2a 19 Mar 2015
    DTLSv1 part of OpenSSL 1.0.2a 19 Mar 2015
    OpenSSL 1.0.2a 19 Mar 2015
    OpenSSLDie
    The OpenSSL Project, http://www.openssl.org/
    OpenSSL shared library
    The OpenSSL Toolkit
     1998-2006 The OpenSSL Project. Copyright

  • b0ti (NXLog)

    Thanks for bringing this to our attention. There was a glitch in our CI system that didn't update the library files properly. This has been fixed and the NXLog Enterprise Edition trial is now using the following libraries:

    • pcre-8.39
    • expat-2.2
    • openssl-1.0.2j
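
The `strings.exe ... | findstr "OpenSSL"` check posted in the comments above can be scripted so that every DLL in the install directory is audited against the baseline the vendor names in the last reply (pcre-8.39, expat-2.2, openssl-1.0.2j). The Python below is an added example, not part of this thread and not NXLog's tooling. It extracts printable runs the way Sysinternals strings.exe does (both ASCII and UTF-16LE, the latter being where Windows version resources live; GNU `strings` only sees those with `-el`), pulls the version banners out and flags anything older than the baseline. The OpenSSL banner format is the one visible in the posted output; the PCRE format ("8.39 2016-06-14", what `pcre_version()` returns) and the Expat format ("expat_2.2.0", what `XML_ExpatVersion()` returns) are assumptions taken from those libraries' sources, and the sample bytes are constructed, not a real DLL.

```python
"""Find embedded OpenSSL / PCRE / Expat version banners in a binary and
flag anything older than a chosen baseline.

Scripted version of `strings.exe libeay32.dll | findstr OpenSSL`.
Added example; not code from the forum thread or from NXLog.
"""
import re
import sys

# Baseline: the library versions the vendor reply says the fixed build ships.
BASELINE = {"openssl": "1.0.2j", "pcre": "8.39", "expat": "2.2"}

# Banner formats. OpenSSL's is visible in the thread's output. PCRE's
# ("8.39 2016-06-14", pcre_version()) and Expat's ("expat_2.2.0",
# XML_ExpatVersion()) are assumptions from the libraries' sources.
BANNERS = {
    "openssl": re.compile(r"OpenSSL (\d+\.\d+\.\d+[a-z]?)\b"),
    "pcre": re.compile(r"(?<![\w.])(\d+\.\d{2}) \d{4}-\d{2}-\d{2}\b"),
    "expat": re.compile(r"expat_(\d+\.\d+\.\d+)"),
}

_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(blob: bytes) -> list:
    """Printable runs of 4+ chars, ASCII and UTF-16LE, like strings.exe."""
    found = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in _UTF16LE_RUN.finditer(blob)]
    return found


def version_key(lib: str, version: str) -> tuple:
    """Sortable key. OpenSSL 1.0.x patch letters become a fourth component
    ('1.0.2' < '1.0.2a' < '1.0.2j'); numeric parts are padded so '2.2' == '2.2.0'."""
    letter = 0
    if lib == "openssl" and version[-1].isalpha():
        letter = ord(version[-1]) - ord("a") + 1
        version = version[:-1]
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))
    return (*parts, letter)


def find_versions(blob: bytes) -> dict:
    """Library name -> set of version strings whose banner appears in the blob."""
    versions = {lib: set() for lib in BANNERS}
    for text in extract_strings(blob):
        for lib, pattern in BANNERS.items():
            for m in pattern.finditer(text):
                versions[lib].add(m.group(1))
    return {lib: v for lib, v in versions.items() if v}


def outdated(blob: bytes, baseline: dict = BASELINE) -> dict:
    """Libraries whose oldest embedded version is below the baseline:
    name -> (oldest version found, required minimum)."""
    result = {}
    for lib, found in find_versions(blob).items():
        oldest = min(found, key=lambda v: version_key(lib, v))
        if version_key(lib, oldest) < version_key(lib, baseline[lib]):
            result[lib] = (oldest, baseline[lib])
    return result


def sample_binary() -> bytes:
    """Constructed stand-in for the old libeay32.dll: junk bytes around the
    kinds of banners seen in the thread. Not a real DLL; the PCRE date is made up."""
    junk = bytes(range(256))
    return (
        junk
        + b"SHA part of OpenSSL 1.0.2a 19 Mar 2015\x00"
        + junk[:64]
        + "OpenSSL 1.0.2a 19 Mar 2015".encode("utf-16-le")  # version-resource style
        + b"\x00\x00"
        + b"8.02 2010-03-19\x00"  # pcre_version() style banner
        + b"expat_2.0.1\x00"      # XML_ExpatVersion() style banner
        + junk[128:]
    )


if __name__ == "__main__":
    # Usage: python check_libs.py <path-to-dll>   (no argument: scan the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_binary()
    for lib, (found, minimum) in sorted(outdated(data).items()):
        print(f"{lib}: found {found}, want >= {minimum}")
```

Run it over each file in the install directory (for example `python check_libs.py "C:\Program Files (x86)\nxlog\libeay32.dll"`) and the output lists only what is below the baseline. Treat a banner as evidence, not proof: a stripped build may carry no banner at all, and a current banner in one DLL says nothing about a second, statically linked copy of the same library elsewhere in the package.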