
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-28757 affects libexpat through version 2.6.1, where it is vulnerable to an XML Entity Expansion attack when there is isolated use of external parsers created via XML_ExternalEntityParserCreate. The vulnerability was discovered through ClusterFuzz finding 66812 and was publicly disclosed on March 10, 2024. The issue affects various systems and software that incorporate libexpat, including NetApp products, Fedora distributions, and other dependent systems (NVD, Debian).
The vulnerability occurs when parsing DTD content with isolated external parsers where no bytes are accounted as direct input and all input is treated as indirect. In this scenario, the accountingGetCurrentAmplification function cannot properly calculate the amplification ratio as '(direct + indirect) / direct', and instead returns 1.0, indicating no amplification over direct input. This prevents the detection of billion laughs attacks from DTD-only input. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Expat Issue).
When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition. The attack specifically targets the XML parsing mechanism, potentially causing system resource exhaustion through XML entity expansion (NetApp Advisory).
The vulnerability has been fixed in libexpat version 2.6.2. The fix changes the accounting so that, when no bytes have been counted as direct input, a direct input of length 22 (derived from the "ghost" input) is assumed, which lets the amplification ratio be calculated and the limit enforced. Various distributions and products have released patches, including Fedora 38, 39, and 40 updates. Organizations are advised to upgrade to the fixed version or apply available patches (OSS Security, Fedora Update).
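To make the accounting failure described above concrete, here is an added Python model (not libexpat's code) of the direct/indirect byte accounting behind `accountingGetCurrentAmplification`, with the pre-2.6.2 behaviour beside the 2.6.2 fix. The entity set and document are constructed; the threshold and maximum-amplification defaults are assumed from memory of libexpat's headers.

```python
"""Simplified model of libexpat's billion-laughs accounting (constructed example)."""
import re
from typing import Dict, Tuple

# libexpat defaults as I recall them (assumption; check expat.h in your build).
MAX_AMPLIFICATION = 100.0               # maximum allowed (direct + indirect) / direct
ACTIVATION_THRESHOLD = 8 * 1024 * 1024  # limit is enforced only above this many bytes
GHOST_DIRECT_BYTES = 22                 # what 2.6.2 assumes when nothing counted as direct
ENTITY_REF = re.compile(r"[&%]([A-Za-z_][\w.-]*);")  # general or parameter entity reference

def build_entities(levels: int, fanout: int) -> Dict[str, str]:
    """Constructed nested entity set: e0 is literal text, e<k> holds `fanout` refs to e<k-1>."""
    entities = {"e0": "x" * 16}
    for k in range(1, levels + 1):
        entities[f"e{k}"] = f"&e{k - 1};" * fanout
    return entities

def indirect_bytes(entities: Dict[str, str], text: str) -> int:
    """Replacement-text bytes processed while expanding every reference in `text`."""
    total = 0
    for name in ENTITY_REF.findall(text):
        body = entities[name]
        total += len(body.encode()) + indirect_bytes(entities, body)
    return total

def account(doc: str, entities: Dict[str, str], isolated: bool) -> Tuple[int, int]:
    """(direct, indirect) as the root parser sees them. A parser from
    XML_ExternalEntityParserCreate treats its input as indirect; isolated, none is direct."""
    doc_len = len(doc.encode())
    expanded = indirect_bytes(entities, doc)
    return (0, doc_len + expanded) if isolated else (doc_len, expanded)

def amplification(direct: int, indirect: int, fixed: bool) -> float:
    """Model of accountingGetCurrentAmplification: (direct + indirect) / direct."""
    if direct == 0:
        if not fixed:
            return 1.0  # <= 2.6.1: zero direct bytes reads as 'no amplification at all'
        direct = GHOST_DIRECT_BYTES  # 2.6.2: assume ghost direct input of 22 bytes
    return (direct + indirect) / direct

def would_be_rejected(direct: int, indirect: int, fixed: bool,
                      threshold: int = ACTIVATION_THRESHOLD) -> bool:
    """True when the parser would abort with XML_ERROR_AMPLIFICATION_LIMIT_BREACH."""
    if direct + indirect < threshold:
        return False  # below the activation threshold nothing is ever rejected
    return amplification(direct, indirect, fixed) > MAX_AMPLIFICATION
```

With `isolated=True` the vulnerable formula always reports 1.0, so even a heavily amplified DTD is never rejected; the fix makes the same input report a ratio well above the limit.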
Source: This report was generated using AI