Input validation error in Libxml2 - CVE-2014-0191
Published: January 21, 2015 / Updated: August 4, 2020
Vulnerability identifier: #VU33820
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2014-0191
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Gnome Development Team
Affected software:
Libxml2
Libxml2
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
How to mitigate CVE-2014-0191
Install update from vendor's website.
Sources
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
- http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
- http://rhn.redhat.com/errata/RHSA-2015-0749.html
- http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
- http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
- http://www.securityfocus.com/bid/67233
- http://www-01.ibm.com/support/docview.wss?uid=swg21678183
- http://xmlsoft.org/news.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1090976
- https://exchange.xforce.ibmcloud.com/vulnerabilities/93092
- https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
- https://support.apple.com/kb/HT205030
- https://support.apple.com/kb/HT205031