libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Add bug347316.patch to backport fix for bug#347316 from     upstream version

  - Add libxml2-enterprise.patch and update logos in tarball

  - Fix a couple of crash (CVE-2009-2414, CVE-2009-2416)

  - Resolves: rhbz#515236

  - two patches for size overflows problems (CVE-2008-4225,     CVE-2008-4226)

  - Resolves: rhbz#470474

  - Patch to fix an entity name copy buffer overflow     (CVE-2008-3529)

  - Resolves: rhbz#461023

  - Better fix for (CVE-2008-3281)

  - Resolves: rhbz#458095

  - change the patch for CVE-2008-3281 due to ABI issues

  - Resolves: rhbz#458095

  - Patch to fix recursive entities handling (CVE-2008-3281)

  - Resolves: rhbz#458095

  - Patch to fix UTF-8 decoding problem (CVE-2007-6284)

  - Resolves: rhbz#425933

From Red Hat Security Advisory 2008:0836 :

Updated libxml2 packages that fix a security issue are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

[Updated 26th August 2008] The original fix used in this errata caused some applications using the libxml2 library in an unexpected way to crash when used with updated libxml2 packages. We have updated the packages for Red Hat Enterprise Linux 3, 4 and 5 to use a different fix that does not break affected applications.

The libxml2 packages provide a library that allows you to manipulate XML files. It includes support to read, modify, and write XML and HTML files.

A denial of service flaw was found in the way libxml2 processes certain content. If an application linked against libxml2 processes malformed XML content, it could cause the application to stop responding. (CVE-2008-3281)

Red Hat would like to thank Andreas Solberg for responsibly disclosing this issue.

All users of libxml2 are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.

A denial of service flaw was found in the way libxml2 processes certain content. If an application linked against libxml2 processes malformed XML content, it could cause the application to stop responding. (CVE-2008-3281)

Specially crafted XML files could cause a crash or a heap-based buffer overflow in libxml2. (CVE-2008-3281, CVE-2008-3529)

a. Updated ESX Service Console package libxml2

   A denial of service flaw was found in the way libxml2 processes    certain content. If an application that is linked against    libxml2 processes malformed XML content, the XML content might    cause the application to stop responding.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-3281 to this issue.

   Additionally the following was also fixed, but was missing in the    security advisory.

   A heap-based buffer overflow flaw was found in the way libxml2    handled long XML entity names. If an application linked against    libxml2 processed untrusted malformed XML content, it could cause    the application to crash or, possibly, execute arbitrary code.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-3529 to this issue.

b. Updated ESX Service Console package ucd-snmp

   A flaw was found in the way ucd-snmp checks an SNMPv3 packet's    Keyed-Hash Message Authentication Code. An attacker could use    this flaw to spoof an authenticated SNMPv3 packet.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-0960 to this issue.

c. Updated third-party library libtiff

   Multiple uses of uninitialized values were discovered in libtiff's    Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker    could create a carefully crafted LZW-encoded TIFF file that would    cause an application linked with libtiff to crash or, possibly,    execute arbitrary code.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2008-2327 to this issue.

Specially crafted xml files could cause a crash or a heap based buffer overlow in libxml2 (CVE-2008-3281, CVE-2008-3529).

The version of Safari installed on the remote Windows host is earlier than 4.0.  It therefore is potentially affected by numerous issues in the following components :

  - CFNetwork
  - CoreGraphics
  - ImageIO
  - International Components for Unicode
  - libxml
  - Safari
  - Safari Windows Installer
  - WebKit

The version of Apple Safari installed on the remote Mac OS X host is earlier than 4.0.  As such, it is potentially affected by numerous issues in the following components :

  - CFNetwork
  - libxml
  - Safari
  - WebKit

A heap-based buffer overflow was found in how libxml2 handled long XML entity names. If an application linked against libxml2 processed untrusted malformed XML content, it could cause the application to crash or possibly execute arbitrary code (CVE-2008-3529).

The updated packages have been patched to prevent this issue. As well, the patch to fix CVE-2008-3281 has been updated to remove the hard-coded entity limit that was set to 5M, instead using XML entity density heuristics. Many thanks to Daniel Veillard of Red Hat for his hard work in tracking down and dealing with the edge cases discovered with the initial fix to this issue.

It was discovered that libxml2 did not correctly handle long entity names. If a user were tricked into processing a specially crafted XML document, a remote attacker could execute arbitrary code with user privileges or cause the application linked against libxml2 to crash, leading to a denial of service. (CVE-2008-3529)

USN-640-1 fixed vulnerabilities in libxml2. When processing extremely large XML documents with valid entities, it was possible to incorrectly trigger the newly added vulnerability protections. This update fixes the problem. (CVE-2008-3281).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Andreas Solberg found a denial of service flaw in how libxml2 processed certain content. If an application linked against libxml2 processed such malformed XML content, it could cause the application to stop responding (CVE-2008-3281).

Update :

The original fix used to correct this issue caused some applications that used the libxml2 library to crash. These new updated packages use a different fix that does not cause certain linked applications to crash as the old packages did.

The remote host is affected by the vulnerability described in GLSA-200812-06 (libxml2: Multiple vulnerabilities)

    Multiple vulnerabilities were reported in libxml2:
    Andreas Solberg reported that libxml2 does not properly detect     recursion during entity expansion in an attribute value     (CVE-2008-3281).
    A heap-based buffer overflow has been reported in the     xmlParseAttValueComplex() function in parser.c (CVE-2008-3529).
    Christian Weiske reported that predefined entity definitions in     entities are not properly handled (CVE-2008-4409).
    Drew Yao of Apple Product Security reported an integer overflow in the     xmlBufferResize() function that can lead to an infinite loop     (CVE-2008-4225).
    Drew Yao of Apple Product Security reported an integer overflow in the     xmlSAX2Characters() function leading to a memory corruption     (CVE-2008-4226).
  Impact :

    A remote attacker could entice a user or automated system to open a     specially crafted XML document with an application using libxml2,     possibly resulting in the exeution of arbitrary code or a high CPU and     memory consumption.
  Workaround :

    There is no known workaround at this time.

Secunia reports :

Two vulnerabilities have been reported in Libxml2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.

1) A recursion error exists when processing certain XML content. This can be exploited to e.g. exhaust all available memory and CPU resources by tricking an application using Libxml2 into processing specially crafted XML documents.

2) A boundary error in the processing of long XML entity names in parser.c can be exploited to cause a heap-based buffer overflow when specially crafted XML content is parsed.

Successful exploitation may allow execution of arbitrary code.

Specially crafted xml files could cause a crash or a heap based buffer overlow in libxml2. (CVE-2008-3281 / CVE-2008-3529)

- Mon Aug 25 2008 Daniel Veillard <veillard at redhat.com>     2.6.31-2.fc8

    - fix for entities recursion problem

    - Resolve: rhbz#459712

    - Fri Apr 11 2008 Daniel Veillard <veillard at       redhat.com> 2.6.32-1.fc8

    - upstream release 2.6.32 see       http://xmlsoft.org/news.html

    - many bugs fixed upstrea

    - Fri Jan 11 2008 Daniel Veillard <veillard at       redhat.com> 2.6.31-1.fc8

    - upstream release 2.6.31 see       http://xmlsoft.org/news.html

    - many bug fixed upstream

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Mon Aug 25 2008 Daniel Veillard <veillard at redhat.com>     2.6.31-3.fc9

    - fix for entities recursion problem

    - Resolve: rhbz#459713

    - Thu May 15 2008 Daniel Veillard <veillard at       redhat.com> 2.6.31-2.fc9

    - try to fix multiarch problems like #440206

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Andreas Solberg discovered that libxml2 did not handle recursive entities safely. If an application linked against libxml2 were made to process a specially crafted XML document, a remote attacker could exhaust the system's CPU resources, leading to a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated libxml2 packages that fix a security issue are now available.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

[Updated 26th August 2008] The original fix used in this errata caused some applications using the libxml2 library in an unexpected way to crash when used with updated libxml2 packages. We have updated the packages for Red Hat Enterprise Linux 3, 4 and 5 to use a different fix that does not break affected applications.

The libxml2 packages provide a library that allows you to manipulate XML files. It includes support to read, modify, and write XML and HTML files.

A denial of service flaw was found in the way libxml2 processes certain content. If an application linked against libxml2 processes malformed XML content, it could cause the application to stop responding. (CVE-2008-3281)

Red Hat would like to thank Andreas Solberg for responsibly disclosing this issue.

All users of libxml2 are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue.

Andreas Solberg discovered that libxml2, the GNOME XML library, could be forced to recursively evaluate entities, until available CPU and memory resources were exhausted.

ID	Name	Product	Family	Severity
79462	OracleVM 2.1 : libxml2 (OVMSA-2009-0018)	Nessus	OracleVM Local Security Checks	critical
67737	Oracle Linux 3 / 4 / 5 : libxml2 (ELSA-2008-0836)	Nessus	Oracle Linux Local Security Checks	medium
60466	Scientific Linux Security Update : libxml2 on SL3.x, SL4.x, SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
41240	SuSE9 Security Update : libxml2 (YOU Patch Number 12237)	Nessus	SuSE Local Security Checks	critical
40384	VMSA-2008-0017 : Updated ESX packages for libxml2, ucd-snmp, libtiff	Nessus	VMware ESX Local Security Checks	critical
40056	openSUSE Security Update : libxml2 (libxml2-184)	Nessus	SuSE Local Security Checks	critical
39339	Safari < 4.0 Multiple Vulnerabilities	Nessus	Windows	high
39338	Mac OS X : Apple Safari < 4.0	Nessus	MacOS X Local Security Checks	high
38013	Mandriva Linux Security Advisory : libxml2 (MDVSA-2008:192)	Nessus	Mandriva Local Security Checks	critical
37936	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : libxml2 vulnerabilities (USN-644-1)	Nessus	Ubuntu Local Security Checks	critical
36598	Mandriva Linux Security Advisory : libxml2 (MDVSA-2008:180-1)	Nessus	Mandriva Local Security Checks	medium
35023	GLSA-200812-06 : libxml2: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
34416	FreeBSD : libxml2 -- two vulnerabilities (d71da236-9a94-11dd-8f42-001c2514716c)	Nessus	FreeBSD Local Security Checks	critical
34208	openSUSE 10 Security Update : libxml2 (libxml2-5586)	Nessus	SuSE Local Security Checks	critical
34207	SuSE 10 Security Update : libxml2 (ZYPP Patch Number 5583)	Nessus	SuSE Local Security Checks	critical
34147	Fedora 8 : libxml2-2.6.32-2.fc8 (2008-7724)	Nessus	Fedora Local Security Checks	medium
34130	Fedora 9 : libxml2-2.6.32-3.fc9 (2008-7395)	Nessus	Fedora Local Security Checks	medium
34094	Ubuntu 6.06 LTS / 7.04 / 7.10 / 8.04 LTS : libxml2 vulnerability (USN-640-1)	Nessus	Ubuntu Local Security Checks	medium
34051	CentOS 3 / 4 / 5 : libxml2 (CESA-2008:0836)	Nessus	CentOS Local Security Checks	medium
34033	Debian DSA-1631-2 : libxml2 - denial of service	Nessus	Debian Local Security Checks	medium
34023	RHEL 2.1 / 3 / 4 / 5 : libxml2 (RHSA-2008:0836)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2008-3281

medium

Tenable Plugins

critical

medium

medium

critical

critical

critical

high

high

critical

critical

medium

critical

critical

critical

critical

medium

medium

medium

medium

medium

medium