CVE-2014-0191

MEDIUM

Description

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

References

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html

http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html

http://rhn.redhat.com/errata/RHSA-2015-0749.html

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html

http://www.securityfocus.com/bid/67233

http://www-01.ibm.com/support/docview.wss?uid=swg21678183

http://xmlsoft.org/news.html

https://bugzilla.redhat.com/show_bug.cgi?id=1090976

https://exchange.xforce.ibmcloud.com/vulnerabilities/93092

https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df

https://support.apple.com/kb/HT205030

https://support.apple.com/kb/HT205031

Details

Source: MITRE

Published: 2015-01-21

Updated: 2017-08-29

Type: NVD-CWE-noinfo

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Tenable Plugins

View all (48 total)

ID	Name	Product	Family	Severity
100352	SUSE SLED12 / SLES12 Security Update : libxml2 (SUSE-SU-2017:1366-1)	Nessus	SuSE Local Security Checks	medium
9333	Apple TV < 7.2.1 Multiple Vulnerabilities	Nessus Network Monitor	Internet Services	medium
90315	Apple TV < 7.2.1 Multiple Vulnerabilities	Nessus	Misc.	high
87681	VMware ESXi Multiple Vulnerabilities (VMSA-2014-0012)	Nessus	Misc.	medium
87631	openSUSE Security Update : libxml2 (openSUSE-2015-959)	Nessus	SuSE Local Security Checks	high
86569	Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (October 2015 CPU)	Nessus	Web Servers	medium
8981	Mac OS X < 10.10.5 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	high
8978	Apple iOS < 8.4.1 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	critical
85409	Mac OS X Multiple Vulnerabilities (Security Update 2015-006)	Nessus	MacOS X Local Security Checks	high
85408	Mac OS X 10.10.x < 10.10.5 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
85407	Apple iOS < 8.4.1 Multiple Vulnerabilities	Nessus	Mobile Devices	high
82728	Fedora 20 : libxml2-2.9.1-4.fc20 (2015-4719)	Nessus	Fedora Local Security Checks	medium
82627	Fedora 21 : libxml2-2.9.1-7.fc21 (2015-4658)	Nessus	Fedora Local Security Checks	medium
82476	CentOS 7 : libxml2 (CESA-2015:0749)	Nessus	CentOS Local Security Checks	medium
82468	Scientific Linux Security Update : libxml2 on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	medium
82464	Oracle Linux 7 : libxml2 (ELSA-2015-0749)	Nessus	Oracle Linux Local Security Checks	medium
82427	RHEL 7 : libxml2 (RHSA-2015:0749)	Nessus	Red Hat Local Security Checks	medium
82364	Mandriva Linux Security Advisory : libxml2 (MDVSA-2015:111)	Nessus	Mandriva Local Security Checks	medium
82225	Debian DLA-80-1 : libxml2 security update	Nessus	Debian Local Security Checks	medium
82143	Debian DLA-16-1 : libxml2 security update	Nessus	Debian Local Security Checks	medium
82134	Debian DLA-151-1 : libxml2 security update	Nessus	Debian Local Security Checks	medium
81002	Oracle Fusion Middleware Oracle HTTP Server Multiple Vulnerabilities (January 2015 CPU)	Nessus	Web Servers	high
80692	Oracle Solaris Third-Party Patch Update : libxml2 (cve_2014_0191_denial_of)	Nessus	Solaris Local Security Checks	medium
80327	Fedora 21 : mingw-libxml2-2.9.2-1.fc21 (2014-17609)	Nessus	Fedora Local Security Checks	medium
80318	Fedora 20 : mingw-libxml2-2.9.2-1.fc20 (2014-17573)	Nessus	Fedora Local Security Checks	medium
79865	VMware Security Updates for vCenter Server (VMSA-2014-0012)	Nessus	Misc.	critical
79862	ESXi 5.1 < Build 2323236 Third-Party Libraries Multiple Vulnerabilities (remote check) (BEAST)	Nessus	Misc.	medium
79762	VMSA-2014-0012 : VMware vSphere product updates address security vulnerabilities	Nessus	VMware ESX Local Security Checks	medium
79546	OracleVM 3.3 : libxml2 (OVMSA-2014-0031)	Nessus	OracleVM Local Security Checks	medium
79063	AIX 7.1 TL 3 : bos.rte.control (U862099)	Nessus	AIX Local Security Checks	medium
79062	AIX 6.1 TL 9 : bos.rte.control (U861276)	Nessus	AIX Local Security Checks	medium
78284	Amazon Linux AMI : libxml2 (ALAS-2014-341)	Nessus	Amazon Linux Local Security Checks	medium
77776	GLSA-201409-08 : libxml2: Denial of Service	Nessus	Gentoo Local Security Checks	medium
77260	AIX 7.1 TL 3 : libxml2 (IV62450)	Nessus	AIX Local Security Checks	medium
77259	AIX 7.1 TL 2 : libxml2 (IV62449)	Nessus	AIX Local Security Checks	medium
77258	AIX 6.1 TL 9 : libxml2 (IV62448)	Nessus	AIX Local Security Checks	medium
77257	AIX 6.1 TL 8 : libxml2 (IV62447)	Nessus	AIX Local Security Checks	medium
76499	Debian DSA-2978-1 : libxml2 - security update	Nessus	Debian Local Security Checks	medium
75381	openSUSE Security Update : libxml2 / python-libxml2 (openSUSE-SU-2014:0753-1)	Nessus	SuSE Local Security Checks	medium
75373	openSUSE Security Update : libxml2 / python-libxml2 (openSUSE-SU-2014:0716-1)	Nessus	SuSE Local Security Checks	medium
75358	openSUSE Security Update : libxml2 (openSUSE-SU-2014:0645-1)	Nessus	SuSE Local Security Checks	medium
74103	Scientific Linux Security Update : libxml2 on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
74102	RHEL 6 : libxml2 (RHSA-2014:0513)	Nessus	Red Hat Local Security Checks	medium
74100	Oracle Linux 6 : libxml2 (ELSA-2014-0513)	Nessus	Oracle Linux Local Security Checks	medium
74094	CentOS 6 : libxml2 (CESA-2014:0513)	Nessus	CentOS Local Security Checks	medium
74035	Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 / 14.04 LTS : libxml2 vulnerability (USN-2214-1)	Nessus	Ubuntu Local Security Checks	medium
73978	Mandriva Linux Security Advisory : libxml2 (MDVSA-2014:086)	Nessus	Mandriva Local Security Checks	medium
73975	FreeBSD : libxml2 -- entity substitution DoS (efdd0edc-da3d-11e3-9ecb-2c4138874f7d)	Nessus	FreeBSD Local Security Checks	medium