SB2017121308 - Multiple vulnerabilities in libxml2

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2017121308

SB2017121308 - Multiple vulnerabilities in libxml2

Published: December 13, 2017

Security Bulletin ID SB2017121308
Severity
Low
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Memory corruption (CVE-ID: CVE-2017-9047)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the xmlSnprintfElementContent function of XMLSoft libxml2 due to improper memory handling by the valid.c source code. A remote attacker can send a specially crafted XML file, trigger memory corruption and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


2) Heap-based buffer over-read (CVE-ID: CVE-2017-9049)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the xmlDictComputeFastKey function of XMLSoft libxml2 due to improper bounds checking in the dict.c code. A remote attacker can send a specially crafted request, trigger heap-based buffer over-read condition and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


3) Heap-based buffer over-read (CVE-ID: CVE-2017-9050)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the xmlDictAddString function of XMLSoft libxml2 due to improper bounds checking in the dict.c code. A remote attacker can send a specially crafted request, trigger heap-based buffer over-read condition and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


4) Buffer over-read (CVE-ID: CVE-2017-8872)

The vulnerability allows a remote attacker to obtain potentially sensitive information or cause DoS condition on the target system.

The weakness exists in the htmlParseTryOrFinish function of XMLSoft libxml2 due to buffer over-read condition in the HTMLparser.c source code. A remote attacker can send a specially crafted XML file, trick the victim into opening it and read arbitrary data or cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


5) Stack-based buffer overflow (CVE-ID: CVE-2017-9048)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the xmlSnprintfElementContent function of XMLSoft libxml2 due to improper bounds checking in the valid.c code. A remote attacker can send a specially crafted request, trigger stack-based buffer overflow condition and cause the service to crash.

Successful exploitation of the vulnerability results in denial of service.


Remediation

Install update from vendor's website.

References