The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
http://rhn.redhat.com/errata/RHSA-2015-0749.html
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/bid/67233
http://www-01.ibm.com/support/docview.wss?uid=swg21678183
https://bugzilla.redhat.com/show_bug.cgi?id=1090976
https://exchange.xforce.ibmcloud.com/vulnerabilities/93092
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
Source: MITRE
Published: 2015-01-21
Updated: 2017-08-29
Type: NVD-CWE-noinfo
Base Score: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Impact Score: 2.9
Exploitability Score: 8.6
Severity: MEDIUM
CPE: cpe:2.3:a:oracle:fusion_middleware:11.1.1.7.0:*:*:*:*:*:*:*
ID | Name | Product | Family | Severity |
---|---|---|---|---|
100352 | SUSE SLED12 / SLES12 Security Update : libxml2 (SUSE-SU-2017:1366-1) | Nessus | SuSE Local Security Checks | medium |
9333 | Apple TV < 7.2.1 Multiple Vulnerabilities | Nessus Network Monitor | Internet Services | medium |
90315 | Apple TV < 7.2.1 Multiple Vulnerabilities | Nessus | Misc. | high |
87681 | VMware ESXi Multiple Vulnerabilities (VMSA-2014-0012) | Nessus | Misc. | medium |
87631 | openSUSE Security Update : libxml2 (openSUSE-2015-959) | Nessus | SuSE Local Security Checks | high |
86569 | Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (October 2015 CPU) | Nessus | Web Servers | medium |
8981 | Mac OS X < 10.10.5 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | high |
8978 | Apple iOS < 8.4.1 Multiple Vulnerabilities | Nessus Network Monitor | Mobile Devices | critical |
85409 | Mac OS X Multiple Vulnerabilities (Security Update 2015-006) | Nessus | MacOS X Local Security Checks | high |
85408 | Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | high |
85407 | Apple iOS < 8.4.1 Multiple Vulnerabilities | Nessus | Mobile Devices | high |
82728 | Fedora 20 : libxml2-2.9.1-4.fc20 (2015-4719) | Nessus | Fedora Local Security Checks | medium |
82627 | Fedora 21 : libxml2-2.9.1-7.fc21 (2015-4658) | Nessus | Fedora Local Security Checks | medium |
82476 | CentOS 7 : libxml2 (CESA-2015:0749) | Nessus | CentOS Local Security Checks | medium |
82468 | Scientific Linux Security Update : libxml2 on SL7.x x86_64 (20150330) | Nessus | Scientific Linux Local Security Checks | medium |
82464 | Oracle Linux 7 : libxml2 (ELSA-2015-0749) | Nessus | Oracle Linux Local Security Checks | medium |
82427 | RHEL 7 : libxml2 (RHSA-2015:0749) | Nessus | Red Hat Local Security Checks | medium |
82364 | Mandriva Linux Security Advisory : libxml2 (MDVSA-2015:111) | Nessus | Mandriva Local Security Checks | medium |
82225 | Debian DLA-80-1 : libxml2 security update | Nessus | Debian Local Security Checks | medium |
82143 | Debian DLA-16-1 : libxml2 security update | Nessus | Debian Local Security Checks | medium |
82134 | Debian DLA-151-1 : libxml2 security update | Nessus | Debian Local Security Checks | medium |
81002 | Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2015 CPU) | Nessus | Web Servers | high |
80692 | Oracle Solaris Third-Party Patch Update : libxml2 (cve_2014_0191_denial_of) | Nessus | Solaris Local Security Checks | medium |
80327 | Fedora 21 : mingw-libxml2-2.9.2-1.fc21 (2014-17609) | Nessus | Fedora Local Security Checks | medium |
80318 | Fedora 20 : mingw-libxml2-2.9.2-1.fc20 (2014-17573) | Nessus | Fedora Local Security Checks | medium |
79865 | VMware Security Updates for vCenter Server (VMSA-2014-0012) | Nessus | Misc. | critical |
79862 | ESXi 5.1 < Build 2323236 Third-Party Libraries Multiple Vulnerabilities (remote check) (BEAST) | Nessus | Misc. | medium |
79762 | VMSA-2014-0012 : VMware vSphere product updates address security vulnerabilities | Nessus | VMware ESX Local Security Checks | medium |
79546 | OracleVM 3.3 : libxml2 (OVMSA-2014-0031) | Nessus | OracleVM Local Security Checks | medium |
79063 | AIX 7.1 TL 3 : bos.rte.control (U862099) | Nessus | AIX Local Security Checks | medium |
79062 | AIX 6.1 TL 9 : bos.rte.control (U861276) | Nessus | AIX Local Security Checks | medium |
78284 | Amazon Linux AMI : libxml2 (ALAS-2014-341) | Nessus | Amazon Linux Local Security Checks | medium |
77776 | GLSA-201409-08 : libxml2: Denial of Service | Nessus | Gentoo Local Security Checks | medium |
77260 | AIX 7.1 TL 3 : libxml2 (IV62450) | Nessus | AIX Local Security Checks | medium |
77259 | AIX 7.1 TL 2 : libxml2 (IV62449) | Nessus | AIX Local Security Checks | medium |
77258 | AIX 6.1 TL 9 : libxml2 (IV62448) | Nessus | AIX Local Security Checks | medium |
77257 | AIX 6.1 TL 8 : libxml2 (IV62447) | Nessus | AIX Local Security Checks | medium |
76499 | Debian DSA-2978-1 : libxml2 - security update | Nessus | Debian Local Security Checks | medium |
75381 | openSUSE Security Update : libxml2 / python-libxml2 (openSUSE-SU-2014:0753-1) | Nessus | SuSE Local Security Checks | medium |
75373 | openSUSE Security Update : libxml2 / python-libxml2 (openSUSE-SU-2014:0716-1) | Nessus | SuSE Local Security Checks | medium |
75358 | openSUSE Security Update : libxml2 (openSUSE-SU-2014:0645-1) | Nessus | SuSE Local Security Checks | medium |
74103 | Scientific Linux Security Update : libxml2 on SL6.x i386/x86_64 (20140519) | Nessus | Scientific Linux Local Security Checks | medium |
74102 | RHEL 6 : libxml2 (RHSA-2014:0513) | Nessus | Red Hat Local Security Checks | medium |
74100 | Oracle Linux 6 : libxml2 (ELSA-2014-0513) | Nessus | Oracle Linux Local Security Checks | medium |
74094 | CentOS 6 : libxml2 (CESA-2014:0513) | Nessus | CentOS Local Security Checks | medium |
74035 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 / 14.04 LTS : libxml2 vulnerability (USN-2214-1) | Nessus | Ubuntu Local Security Checks | medium |
73978 | Mandriva Linux Security Advisory : libxml2 (MDVSA-2014:086) | Nessus | Mandriva Local Security Checks | medium |
73975 | FreeBSD : libxml2 -- entity substitution DoS (efdd0edc-da3d-11e3-9ecb-2c4138874f7d) | Nessus | FreeBSD Local Security Checks | medium |