Input validation error in libxml2 (Alpine package)



Published: 2014-05-22
Risk: Medium
Patch available: YES
Number of vulnerabilities: 1
CVE-ID: CVE-2014-0191
CWE-ID: CWE-20
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
libxml2 (Alpine package)
Operating systems & Components / Operating system package or component

Vendor: Alpine Linux Development Team

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Input validation error

EUVDB-ID: #VU33820

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-0191

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to cause a denial of service.

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
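
An added example, not part of the advisory or of libxml2: a Python pre-parse screen that rejects documents declaring external parameter entities, the construct the description says the unpatched parser loads regardless of options. The function names, the encoding allow-list and the sample documents are assumptions made for illustration.

```python
import codecs
import re

# BOM -> codec; UTF-32 first because its LE BOM begins with the UTF-16 LE BOM.
_BOMS = ((codecs.BOM_UTF32_LE, "utf-32"), (codecs.BOM_UTF32_BE, "utf-32"),
         (codecs.BOM_UTF16_LE, "utf-16"), (codecs.BOM_UTF16_BE, "utf-16"),
         (codecs.BOM_UTF8, "utf-8-sig"))
_ASCII_SAFE = {"utf-8", "us-ascii", "ascii", "iso-8859-1"}  # assumed allow-list
_DECL_ENC = re.compile(r"""<\?xml[^>]*?encoding\s*=\s*["']([A-Za-z0-9._-]+)["']""")
# <!ENTITY % name SYSTEM "..."> or <!ENTITY % name PUBLIC "..." "...">
_EXT_PE = re.compile(r"<!ENTITY\s*%\s*([^\s>]+)\s+(SYSTEM|PUBLIC)\b")


def _to_text(data: bytes) -> str:
    """Decode by BOM; otherwise accept only ASCII-compatible encodings."""
    for bom, codec in _BOMS:
        if data.startswith(bom):
            return data.decode(codec)
    text = data.decode("latin-1")  # lossless byte-to-char map; markup is ASCII
    if not text.lstrip().startswith("<") or "\x00" in text[:4]:
        raise ValueError("unrecognised encoding; reject rather than guess")
    m = _DECL_ENC.match(text)
    if m and m.group(1).lower() not in _ASCII_SAFE:
        raise ValueError(f"encoding {m.group(1)!r} not allowed by this filter")
    return text


def external_parameter_entities(data: bytes) -> list:
    """Return (name, "SYSTEM"|"PUBLIC") for each external parameter entity.

    Comments are not stripped first: a quoted entity value may contain "<!--",
    so stripping could hide a real declaration. Over-reporting is accepted.
    """
    return [(m.group(1), m.group(2)) for m in _EXT_PE.finditer(_to_text(data))]


def is_acceptable(data: bytes) -> bool:
    """True only if the document decodes and declares no external PE."""
    try:
        return not external_parameter_entities(data)
    except (ValueError, UnicodeError):
        return False


# Constructed sample documents (placeholder URI, not taken from the advisory).
BENIGN = b'<?xml version="1.0"?>\n<!DOCTYPE r [<!ENTITY a "text">]>\n<r>&a;</r>'
EXTERNAL_PE = (b'<?xml version="1.0"?>\n<!DOCTYPE r [\n'
               b'  <!ENTITY % ext SYSTEM "http://example.invalid/placeholder.dtd">\n'
               b']>\n<r/>')
```

This is a conservative text filter, not an XML parser, and it complements the package update rather than replacing it.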

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

libxml2 (Alpine package): 2.9.0-r0 - 2.9.0-r3

External links

http://git.alpinelinux.org/aports/commit/?id=0215e6588cf7cdc9ec3c57926af82e79b8366e46
http://git.alpinelinux.org/aports/commit/?id=9e3ec8396214f0ec09a2b5c75e65bbc808013c84
http://git.alpinelinux.org/aports/commit/?id=07c1580cc3dc9496f9f7a6ae25fbdd3ef22caee3
http://git.alpinelinux.org/aports/commit/?id=13e59ed69b9459e1ef4534ee2f34e5f94fb99232
http://git.alpinelinux.org/aports/commit/?id=3906599673a7cd93e56c2d8a998148a07a343a4c
http://git.alpinelinux.org/aports/commit/?id=9693e42051fbaf1fea977ea0098f3818925f256e


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


