The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma is used, allows remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different vulnerability than CVE-2015-8035.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-1827 advisory.

    - Fix CVE-2018-14404 (#1595989)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Nessus Network Monitor running on the remote host is prior to 6.2.2. It is, therefore, affected by multiple vulnerabilities as referenced in the TNS-2023-23 advisory. Several of the third-party components were found to contain vulnerabilities, and updated versions have been made available by the providers. Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus Network Monitor 6.2.2 updates the following components:

  - c-ares from version 1.10.0 to version 1.19.1.
  - curl from version 7.79.1 to version 8.1.2.
  - libbzip2 from version 1.0.6 to version 1.0.8.
  - libpcre from version 8.42 to version 8.44.
  - libxml2 from version 2.7.7 to version 2.11.1.
  - libxslt from version 1.1.26 to version 1.1.37.
  - libxmlsec from version 1.2.18 to version 1.2.37.
  - sqlite from version 3.27.2 to version 3.40.1.
  - jQuery Cookie from version 1.3.1 to version 1.4.1.
  - jQuery UI from version 1.13.0 to version 1.13.2.
  - OpenSSL from version 3.0.8 to version 3.0.9.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:1827 advisory.

  - libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c (CVE-2018-14404)

  - libxml2: infinite loop in xz_decomp function in xzlib.c (CVE-2018-9251)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1827 advisory.

    The libxml2 library is a development toolbox providing the implementation of various XML standards.

    Security Fix(es):

    * libxml2: NULL pointer dereference in xmlXPathCompOpEval() function in xpath.c (CVE-2018-14404)

    * libxml2: infinite loop in xz_decomp function in xzlib.c (CVE-2018-9251)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.2 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the libxml2 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     heap-based buffer over-read in the xmlDictAddString     function in dict.c. This vulnerability causes programs     that use libxml2, such as PHP, to crash. This     vulnerability exists because of an incomplete fix for     CVE-2016-1839.(CVE-2017-9050)

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     heap-based buffer over-read in the     xmlDictComputeFastKey function in dict.c. This     vulnerability causes programs that use libxml2, such as     PHP, to crash. This vulnerability exists because of an     incomplete fix for libxml2 Bug 759398.(CVE-2017-9049)

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     stack-based buffer overflow. The function     xmlSnprintfElementContent in valid.c is supposed to     recursively dump the element content definition into a     char buffer 'buf' of size 'size'. At the end of the     routine, the function may strcat two more characters     without checking whether the current strlen(buf) + 2 <     size. This vulnerability causes programs that use     libxml2, such as PHP, to crash.(CVE-2017-9048)

  - The htmlParseTryOrFinish function in HTMLparser.c in     libxml2 2.9.4 allows attackers to cause a denial of     service (buffer over-read) or information     disclosure.(CVE-2017-8872)

  - The xz_decomp function in xzlib.c in libxml2 2.9.8, if
    --with-lzma is used, allows remote attackers to cause a     denial of service (infinite loop) via a crafted XML     file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated     by xmllint, a different vulnerability than     CVE-2015-8035.(CVE-2018-9251)

  - libxml2 2.9.8, if --with-lzma is used, allows remote     attackers to cause a denial of service (infinite loop)     via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a     different vulnerability than CVE-2015-8035 and     CVE-2018-9251.(CVE-2018-14567)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the libxml2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - dict.c in libxml2 allows remote attackers to cause a     denial of service (heap-based buffer over-read and     application crash) via an unexpected character     immediately after the '<!DOCTYPE html' substring in a     crafted HTML document.(CVE-2015-8806)

  - libxml2 2.9.4, when used in recover mode, allows remote     attackers to cause a denial of service (NULL pointer     dereference) via a crafted XML document. NOTE: The     maintainer states 'I would disagree of a CVE with the     Recover parsing option which should only be used for     manual recovery at least for XML     parser.'(CVE-2017-5969)

  - The htmlParseTryOrFinish function in HTMLparser.c in     libxml2 2.9.4 allows attackers to cause a denial of     service (buffer over-read) or information     disclosure.(CVE-2017-8872)

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     stack-based buffer overflow. The function     xmlSnprintfElementContent in valid.c is supposed to     recursively dump the element content definition into a     char buffer 'buf' of size 'size'. At the end of the     routine, the function may strcat two more characters     without checking whether the current strlen(buf) + 2 <     size. This vulnerability causes programs that use     libxml2, such as PHP, to crash.(CVE-2017-9048)

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     heap-based buffer over-read in the     xmlDictComputeFastKey function in dict.c. This     vulnerability causes programs that use libxml2, such as     PHP, to crash. This vulnerability exists because of an     incomplete fix for libxml2 Bug 759398.(CVE-2017-9049)

  - libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a     heap-based buffer over-read in the xmlDictAddString     function in dict.c. This vulnerability causes programs     that use libxml2, such as PHP, to crash. This     vulnerability exists because of an incomplete fix for     CVE-2016-1839.(CVE-2017-9050)

  - The xz_decomp function in xzlib.c in libxml2 2.9.8, if
    --with-lzma is used, allows remote attackers to cause a     denial of service (infinite loop) via a crafted XML     file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated     by xmllint, a different vulnerability than     CVE-2015-8035.(CVE-2018-9251)

  - libxml2 2.9.8, if --with-lzma is used, allows remote     attackers to cause a denial of service (infinite loop)     via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a     different vulnerability than CVE-2015-8035 and     CVE-2018-9251.(CVE-2018-14567)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the libxml2 package has been released.

This update for libxml2 fixes the following security issues :

  - CVE-2018-9251: The xz_decomp function allowed remote     attackers to cause a denial of service (infinite loop)     via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint     (bsc#1088279)

  - CVE-2018-14567: Prevent denial of service (infinite     loop) via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint     (bsc#1105166)

  - CVE-2018-14404: Prevent NULL pointer dereference in the     xmlXPathCompOpEval() function when parsing an invalid     XPath expression in the XPATH_OP_AND or XPATH_OP_OR case     leading to a denial of service attack (bsc#1102046)

This update was imported from the SUSE:SLE-15:Update update project.

According to its self-reported version number, the remote Juniper Junos device is affected by a Multiple vulnerabilities in libxml2:

- Format string vulnerability in libxml2 before 2.9.4 allows   attackers to have unspecified impact via format string   specifiers in unknown vectors.(CVE-2016-4448)   
- The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and   earlier, when used in recovery mode, allows context-dependent   attackers to cause a denial of service (infinite recursion, stack   consumption, and application crash) via a crafted XML document.   (CVE-2016-3627)

Fix few CVEs

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libxml2 fixes the following security issues :

CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279)

CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166)

CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for libxml2 fixes the following security issues :

  - CVE-2018-9251: The xz_decomp function allowed remote     attackers to cause a denial of service (infinite loop)     via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint     (bsc#1088279).

  - CVE-2018-14567: Prevent denial of service (infinite     loop) via a crafted XML file that triggers     LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint     (bsc#1105166).

  - CVE-2018-14404: Prevent NULL pointer dereference in the     xmlXPathCompOpEval() function when parsing an invalid     XPath expression in the XPATH_OP_AND or XPATH_OP_OR case     leading to a denial of service attack (bsc#1102046).

  - CVE-2017-18258: The xz_head function allowed remote     attackers to cause a denial of service (memory     consumption) via a crafted LZMA file, because the     decoder functionality did not restrict memory usage to     what is required for a legitimate file (bsc#1088601).

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for libxml2 fixes the following security issues :

CVE-2018-9251: The xz_decomp function allowed remote attackers to cause a denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1088279).

CVE-2018-14567: Prevent denial of service (infinite loop) via a crafted XML file that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint (bsc#1105166).

CVE-2018-14404: Prevent NULL pointer dereference in the xmlXPathCompOpEval() function when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case leading to a denial of service attack (bsc#1102046).

CVE-2017-18258: The xz_head function allowed remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality did not restrict memory usage to what is required for a legitimate file (bsc#1088601).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

CVE-2018-14404 Fix of a NULL pointer dereference which might result in a crash and thus in a denial of service.

CVE-2018-14567 and CVE-2018-9251 Approvement in LZMA error handling which prevents an infinite loop.

CVE-2017-18258 Limit available memory to 100MB to avoid exhaustive memory consumption by malicious files.

For Debian 8 'Jessie', these problems have been fixed in version 2.9.1+dfsg1-5+deb8u7.

We recommend that you upgrade your libxml2 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
180991	Oracle Linux 8 : libxml2 (ELSA-2020-1827)	Nessus	Oracle Linux Local Security Checks	high
177842	Nessus Network Monitor < 6.2.2 Multiple Vulnerabilities (TNS-2023-23)	Nessus	Misc.	critical
145930	CentOS 8 : libxml2 (CESA-2020:1827)	Nessus	CentOS Local Security Checks	high
143009	RHEL 8 : libxml2 (RHSA-2020:1827)	Nessus	Red Hat Local Security Checks	high
134734	EulerOS Virtualization 3.0.2.2 : libxml2 (EulerOS-SA-2020-1268)	Nessus	Huawei Local Security Checks	critical
130673	EulerOS 2.0 SP5 : libxml2 (EulerOS-SA-2019-2211)	Nessus	Huawei Local Security Checks	critical
128154	Photon OS 3.0: Libxml2 PHSA-2019-3.0-0024	Nessus	PhotonOS Local Security Checks	medium
123336	openSUSE Security Update : libxml2 (openSUSE-2019-785)	Nessus	SuSE Local Security Checks	high
121070	Junos OS: Multiple vulnerabilities in libxml2 (JSA10916)	Nessus	Junos Local Security Checks	critical
120363	Fedora 28 : libxml2 (2018-3b782350ff)	Nessus	Fedora Local Security Checks	high
120125	SUSE SLED15 / SLES15 Security Update : libxml2 (SUSE-SU-2018:3080-1)	Nessus	SuSE Local Security Checks	high
118116	openSUSE Security Update : libxml2 (openSUSE-2018-1150)	Nessus	SuSE Local Security Checks	high
118115	openSUSE Security Update : libxml2 (openSUSE-2018-1149)	Nessus	SuSE Local Security Checks	high
118032	SUSE SLED12 / SLES12 Security Update : libxml2 (SUSE-SU-2018:3081-1)	Nessus	SuSE Local Security Checks	high
117811	Debian DLA-1524-1 : libxml2 security update	Nessus	Debian Local Security Checks	high
111621	Fedora 27 : libxml2 (2018-e198cf4a64)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2018-9251

medium

Tenable Plugins

high

critical

high

high

critical

critical

medium

high

critical

high

high

high

high

high

high

high