Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : libxml2 vulnerabilities (USN-3424-1)

Ubuntu Security Notice (C) 2017 Canonical, Inc. / NASL script (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

It was discovered that a type confusion error existed in libxml2. An
attacker could use this to specially construct XML data that could
cause a denial of service or possibly execute arbitrary code.
(CVE-2017-0663)

It was discovered that libxml2 did not properly validate parsed entity
references. An attacker could use this to specially construct XML data
that could expose sensitive information. (CVE-2017-7375)

It was discovered that a buffer overflow existed in libxml2 when
handling HTTP redirects. An attacker could use this to specially
construct XML data that could cause a denial of service or possibly
execute arbitrary code. (CVE-2017-7376)

Marcel Bohme and Van-Thuan Pham discovered a buffer overflow in
libxml2 when handling elements. An attacker could use this to
specially construct XML data that could cause a denial of service or
possibly execute arbitrary code. (CVE-2017-9047)

Marcel Bohme and Van-Thuan Pham discovered a buffer overread in
libxml2 when handling elements. An attacker could use this to
specially construct XML data that could cause a denial of service.
(CVE-2017-9048)

Marcel Bohme and Van-Thuan Pham discovered multiple buffer overreads
in libxml2 when handling parameter-entity references. An attacker
could use these to specially construct XML data that could cause a
denial of service. (CVE-2017-9049, CVE-2017-9050).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected libxml2 package.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.3
(CVSS2#E:POC/RL:OF/RC:ND)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 103327 ()

Bugtraq ID:

CVE ID: CVE-2017-0663
CVE-2017-7375
CVE-2017-7376
CVE-2017-9047
CVE-2017-9048
CVE-2017-9049
CVE-2017-9050

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now