SB2014052209 - Input validation error in libxml2 (Alpine package)
Published: May 22, 2014
Security Bulletin ID
SB2014052209
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Input validation error (CVE-ID: CVE-2014-0191)
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=0215e6588cf7cdc9ec3c57926af82e79b8366e46
- https://git.alpinelinux.org/aports/commit/?id=9e3ec8396214f0ec09a2b5c75e65bbc808013c84
- https://git.alpinelinux.org/aports/commit/?id=07c1580cc3dc9496f9f7a6ae25fbdd3ef22caee3
- https://git.alpinelinux.org/aports/commit/?id=13e59ed69b9459e1ef4534ee2f34e5f94fb99232
- https://git.alpinelinux.org/aports/commit/?id=3906599673a7cd93e56c2d8a998148a07a343a4c
- https://git.alpinelinux.org/aports/commit/?id=9693e42051fbaf1fea977ea0098f3818925f256e