CVE-2014-0191

MEDIUM

Description

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

References

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html

http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html

http://rhn.redhat.com/errata/RHSA-2015-0749.html

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

http://www.securityfocus.com/bid/67233

http://www-01.ibm.com/support/docview.wss?uid=swg21678183

http://xmlsoft.org/news.html

https://bugzilla.redhat.com/show_bug.cgi?id=1090976

https://exchange.xforce.ibmcloud.com/vulnerabilities/93092

https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df

https://support.apple.com/kb/HT205030

https://support.apple.com/kb/HT205031

Details

Source: MITRE

Published: 2015-01-21

Updated: 2017-08-29

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins


| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 150579 | SUSE SLES11 Security Update : libxml2 (SUSE-SU-2021:14729-1) | Nessus | SuSE Local Security Checks | high |
| 100352 | SUSE SLED12 / SLES12 Security Update : libxml2 (SUSE-SU-2017:1366-1) | Nessus | SuSE Local Security Checks | high |
| 9333 | Apple TV < 7.2.1 Multiple Vulnerabilities | Nessus Network Monitor | Internet Services | low |
| 90315 | Apple TV < 7.2.1 Multiple Vulnerabilities | Nessus | Misc. | critical |
| 87681 | VMware ESXi Multiple Vulnerabilities (VMSA-2014-0012) | Nessus | Misc. | medium |
| 87631 | openSUSE Security Update : libxml2 (openSUSE-2015-959) | Nessus | SuSE Local Security Checks | high |
| 86569 | Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (October 2015 CPU) | Nessus | Web Servers | high |
| 8981 | Mac OS X < 10.10.5 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | high |
| 8978 | Apple iOS < 8.4.1 Multiple Vulnerabilities | Nessus Network Monitor | Mobile Devices | critical |
| 85409 | Mac OS X Multiple Vulnerabilities (Security Update 2015-006) | Nessus | MacOS X Local Security Checks | high |
| 85408 | Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities | Nessus | MacOS X Local Security Checks | high |
| 85407 | Apple iOS < 8.4.1 Multiple Vulnerabilities | Nessus | Mobile Devices | high |
| 82728 | Fedora 20 : libxml2-2.9.1-4.fc20 (2015-4719) | Nessus | Fedora Local Security Checks | medium |
| 82627 | Fedora 21 : libxml2-2.9.1-7.fc21 (2015-4658) | Nessus | Fedora Local Security Checks | medium |
| 82476 | CentOS 7 : libxml2 (CESA-2015:0749) | Nessus | CentOS Local Security Checks | medium |
| 82468 | Scientific Linux Security Update : libxml2 on SL7.x x86_64 (20150330) | Nessus | Scientific Linux Local Security Checks | medium |
| 82464 | Oracle Linux 7 : libxml2 (ELSA-2015-0749) | Nessus | Oracle Linux Local Security Checks | medium |
| 82427 | RHEL 7 : libxml2 (RHSA-2015:0749) | Nessus | Red Hat Local Security Checks | medium |
| 82364 | Mandriva Linux Security Advisory : libxml2 (MDVSA-2015:111) | Nessus | Mandriva Local Security Checks | medium |
| 82225 | Debian DLA-80-1 : libxml2 security update | Nessus | Debian Local Security Checks | medium |
| 82143 | Debian DLA-16-1 : libxml2 security update | Nessus | Debian Local Security Checks | medium |
| 82134 | Debian DLA-151-1 : libxml2 security update | Nessus | Debian Local Security Checks | medium |
| 81002 | Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2015 CPU) | Nessus | Web Servers | high |
| 80692 | Oracle Solaris Third-Party Patch Update : libxml2 (cve_2014_0191_denial_of) | Nessus | Solaris Local Security Checks | medium |
| 80327 | Fedora 21 : mingw-libxml2-2.9.2-1.fc21 (2014-17609) | Nessus | Fedora Local Security Checks | medium |
| 80318 | Fedora 20 : mingw-libxml2-2.9.2-1.fc20 (2014-17573) | Nessus | Fedora Local Security Checks | medium |
| 79865 | VMware Security Updates for vCenter Server (VMSA-2014-0012) | Nessus | Misc. | critical |
| 79862 | ESXi 5.1 < Build 2323236 Third-Party Libraries Multiple Vulnerabilities (remote check) (BEAST) | Nessus | Misc. | medium |
| 79762 | VMSA-2014-0012 : VMware vSphere product updates address security vulnerabilities | Nessus | VMware ESX Local Security Checks | medium |
| 79546 | OracleVM 3.3 : libxml2 (OVMSA-2014-0031) | Nessus | OracleVM Local Security Checks | medium |
| 79063 | AIX 7.1 TL 3 : bos.rte.control (U862099) | Nessus | AIX Local Security Checks | medium |
| 79062 | AIX 6.1 TL 9 : bos.rte.control (U861276) | Nessus | AIX Local Security Checks | medium |
| 78284 | Amazon Linux AMI : libxml2 (ALAS-2014-341) | Nessus | Amazon Linux Local Security Checks | medium |
| 77776 | GLSA-201409-08 : libxml2: Denial of Service | Nessus | Gentoo Local Security Checks | medium |
| 77260 | AIX 7.1 TL 3 : libxml2 (IV62450) | Nessus | AIX Local Security Checks | medium |
| 77259 | AIX 7.1 TL 2 : libxml2 (IV62449) | Nessus | AIX Local Security Checks | medium |
| 77258 | AIX 6.1 TL 9 : libxml2 (IV62448) | Nessus | AIX Local Security Checks | medium |
| 77257 | AIX 6.1 TL 8 : libxml2 (IV62447) | Nessus | AIX Local Security Checks | medium |
| 76499 | Debian DSA-2978-1 : libxml2 - security update | Nessus | Debian Local Security Checks | medium |
| 75381 | openSUSE Security Update : libxml2 / python-libxml2 (openSUSE-SU-2014:0753-1) | Nessus | SuSE Local Security Checks | medium |
| 75373 | openSUSE Security Update : libxml2 / python-libxml2 (openSUSE-SU-2014:0716-1) | Nessus | SuSE Local Security Checks | medium |
| 75358 | openSUSE Security Update : libxml2 (openSUSE-SU-2014:0645-1) | Nessus | SuSE Local Security Checks | medium |
| 74103 | Scientific Linux Security Update : libxml2 on SL6.x i386/x86_64 (20140519) | Nessus | Scientific Linux Local Security Checks | medium |
| 74102 | RHEL 6 : libxml2 (RHSA-2014:0513) | Nessus | Red Hat Local Security Checks | medium |
| 74100 | Oracle Linux 6 : libxml2 (ELSA-2014-0513) | Nessus | Oracle Linux Local Security Checks | medium |
| 74094 | CentOS 6 : libxml2 (CESA-2014:0513) | Nessus | CentOS Local Security Checks | medium |
| 74035 | Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 / 14.04 LTS : libxml2 vulnerability (USN-2214-1) | Nessus | Ubuntu Local Security Checks | medium |
| 73978 | Mandriva Linux Security Advisory : libxml2 (MDVSA-2014:086) | Nessus | Mandriva Local Security Checks | medium |
| 73975 | FreeBSD : libxml2 -- entity substitution DoS (efdd0edc-da3d-11e3-9ecb-2c4138874f7d) | Nessus | FreeBSD Local Security Checks | medium |