F5 Networks BIG-IP : libxml2 vulnerabilities (K54225343)
Medium Nessus Plugin ID 95966
SynopsisThe remote device is missing a vendor-supplied security patch.
DescriptionCVE-2016-3627 The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document
CVE-2016-3705 The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.
SolutionUpgrade to one of the non-vulnerable versions listed in the F5 Solution K54225343.