CVE-2014-3660

MEDIUM

Description

parser.c in libxml2 before 2.9.2 does not properly prevent entity expansion even when entity substitution has been disabled, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted XML document containing a large number of nested entity references, a variant of the "billion laughs" attack.

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html

http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html

http://lists.opensuse.org/opensuse-updates/2014-10/msg00034.html

http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html

http://rhn.redhat.com/errata/RHSA-2014-1655.html

http://rhn.redhat.com/errata/RHSA-2014-1885.html

http://secunia.com/advisories/59903

http://secunia.com/advisories/61965

http://secunia.com/advisories/61966

http://secunia.com/advisories/61991

http://www.debian.org/security/2014/dsa-3057

http://www.mandriva.com/security/advisories?name=MDVSA-2014:244

http://www.openwall.com/lists/oss-security/2014/10/17/7

http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html

http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html

http://www.securityfocus.com/bid/70644

http://www.ubuntu.com/usn/USN-2389-1

https://bugzilla.redhat.com/attachment.cgi?id=944444&action=diff

https://bugzilla.redhat.com/show_bug.cgi?id=1149084

https://support.apple.com/kb/HT205030

https://support.apple.com/kb/HT205031

https://www.ncsc.nl/actueel/nieuwsberichten/kwetsbaarheid-ontdekt-in-libxml2.html

Details

Source: MITRE

Published: 2014-11-04

Updated: 2016-12-08

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:xmlsoft:libxml2:2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.1.0:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.1.1:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.0:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.0:beta:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.1:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.2:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.3:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.4:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.5:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.6:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.7:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.8:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.9:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.10:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.2.11:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.0:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.1:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.2:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.3:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.4:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.5:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.6:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.7:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.8:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.9:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.10:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.11:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.12:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.13:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.3.14:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.1:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.2:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.3:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.4:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.5:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.6:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.7:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.8:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.9:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.10:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.11:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.12:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.13:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.14:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.15:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.16:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.17:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.18:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.19:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.20:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.21:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.22:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.23:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.24:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.25:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.26:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.27:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.28:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.29:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.4.30:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.5.0:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.5.4:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.5.7:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.5.8:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.5.10:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.5.11:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.0:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.1:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.2:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.3:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.4:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.5:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.6:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.7:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.8:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.9:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.11:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.12:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.13:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.14:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.16:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.17:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.18:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.20:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.21:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.22:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.23:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.24:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.25:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.26:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.27:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.28:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.29:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.30:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.31:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.6.32:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.7.0:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.7.1:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.7.2:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.7.3:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.7.4:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.7.5:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.7.6:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.7.7:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.7.8:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.8.0:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.9.0:*:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:2.9.0:rc1:*:*:*:*:*:*

cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:* versions up to 2.9.1 (inclusive)

Configuration 2

OR

cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:* versions up to 10.10.4 (inclusive)

cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*

Tenable Plugins

View all (38 total)

IDNameProductFamilySeverity
91745OracleVM 3.2 : libxml2 (OVMSA-2016-0063)NessusOracleVM Local Security Checks
medium
9333Apple TV < 7.2.1 Multiple VulnerabilitiesNessus Network MonitorInternet Services
medium
90315Apple TV < 7.2.1 Multiple VulnerabilitiesNessusMisc.
high
88742F5 Networks BIG-IP : Multiple libXML2 vulnerabilities (K61570943)NessusF5 Networks Local Security Checks
high
87631openSUSE Security Update : libxml2 (openSUSE-2015-959)NessusSuSE Local Security Checks
high
8981Mac OS X < 10.10.5 Multiple VulnerabilitiesNessus Network MonitorOperating System Detection
high
8978Apple iOS < 8.4.1 Multiple VulnerabilitiesNessus Network MonitorMobile Devices
critical
85409Mac OS X Multiple Vulnerabilities (Security Update 2015-006)NessusMacOS X Local Security Checks
high
85408Mac OS X 10.10.x < 10.10.5 Multiple VulnerabilitiesNessusMacOS X Local Security Checks
high
85407Apple iOS < 8.4.1 Multiple VulnerabilitiesNessusMobile Devices
high
85138OracleVM 3.3 : libxml2 (OVMSA-2015-0097)NessusOracleVM Local Security Checks
medium
83851SUSE SLED12 / SLES12 Security Update : libxml2 (SUSE-SU-2015:0003-1)NessusSuSE Local Security Checks
medium
82364Mandriva Linux Security Advisory : libxml2 (MDVSA-2015:111)NessusMandriva Local Security Checks
medium
82225Debian DLA-80-1 : libxml2 security updateNessusDebian Local Security Checks
medium
82134Debian DLA-151-1 : libxml2 security updateNessusDebian Local Security Checks
medium
81085ESXi 5.5 < Build 2352327 Multiple Vulnerabilities (remote check) (POODLE)NessusMisc.
medium
81079VMSA-2015-0001 : VMware vCenter Server, ESXi, Workstation, Player, and Fusion updates address security issues (POODLE)NessusVMware ESX Local Security Checks
high
79959GLSA-201412-06 : libxml2: Denial of ServiceNessusGentoo Local Security Checks
medium
79732F5 Networks BIG-IP : libxml2 vulnerability (SOL15872)NessusF5 Networks Local Security Checks
medium
79546OracleVM 3.3 : libxml2 (OVMSA-2014-0031)NessusOracleVM Local Security Checks
medium
79390Fedora 19 : libxml2-2.9.1-2.fc19 (2014-13047)NessusFedora Local Security Checks
medium
79381Scientific Linux Security Update : libxml2 on SL5.x i386/x86_64 (20141120)NessusScientific Linux Local Security Checks
medium
79380RHEL 5 : libxml2 (RHSA-2014:1885)NessusRed Hat Local Security Checks
medium
79373Oracle Linux 5 : libxml2 (ELSA-2014-1885)NessusOracle Linux Local Security Checks
medium
79361CentOS 5 : libxml2 (CESA-2014:1885)NessusCentOS Local Security Checks
medium
79309SuSE 11.3 Security Update : libxml2 (SAT Patch Number 9914)NessusSuSE Local Security Checks
medium
79293Amazon Linux AMI : libxml2 (ALAS-2014-444)NessusAmazon Linux Local Security Checks
medium
78794Fedora 21 : libxml2-2.9.1-6.fc21 (2014-12915)NessusFedora Local Security Checks
medium
78734openSUSE Security Update : libxml2 (openSUSE-SU-2014:1330-1)NessusSuSE Local Security Checks
medium
78698Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : libxml2 vulnerability (USN-2389-1)NessusUbuntu Local Security Checks
medium
78694Debian DSA-3057-1 : libxml2 - security updateNessusDebian Local Security Checks
medium
78666Mandriva Linux Security Advisory : libxml2 (MDVSA-2014:204)NessusMandriva Local Security Checks
medium
78646Scientific Linux Security Update : libxml2 on SL6.x, SL7.x i386/x86_64 (20141016)NessusScientific Linux Local Security Checks
medium
78605CentOS 6 / 7 : libxml2 (CESA-2014:1655)NessusCentOS Local Security Checks
medium
78577FreeBSD : libxml2 -- Denial of service (0642b064-56c4-11e4-8b87-bcaec565249c)NessusFreeBSD Local Security Checks
medium
78570Fedora 20 : libxml2-2.9.1-3.fc20 (2014-12995)NessusFedora Local Security Checks
medium
78535RHEL 6 / 7 : libxml2 (RHSA-2014:1655)NessusRed Hat Local Security Checks
medium
78531Oracle Linux 6 / 7 : libxml2 (ELSA-2014-1655)NessusOracle Linux Local Security Checks
medium