Amazon Linux AMI update for libxml2
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2015-8035 CVE-2016-5131 CVE-2017-15412 CVE-2017-18258 CVE-2018-14404 CVE-2018-14567 CVE-2018-9251 |
| CWE-ID | CWE-399 CWE-416 CWE-119 CWE-476 CWE-835 CWE-611 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #5 is available. |
| Vulnerable software |
Amazon Linux AMI Operating systems & Components / Operating system |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
1) Resource management error
EUVDB-ID: #VU32381
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2015-8035
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform service disruption.
The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
libxml2-2.9.1-6.4.40.amzn1.i686
libxml2-python26-2.9.1-6.4.40.amzn1.i686
libxml2-devel-2.9.1-6.4.40.amzn1.i686
libxml2-static-2.9.1-6.4.40.amzn1.i686
libxml2-python27-2.9.1-6.4.40.amzn1.i686
libxml2-debuginfo-2.9.1-6.4.40.amzn1.i686
src:
libxml2-2.9.1-6.4.40.amzn1.src
x86_64:
libxml2-python26-2.9.1-6.4.40.amzn1.x86_64
libxml2-static-2.9.1-6.4.40.amzn1.x86_64
libxml2-debuginfo-2.9.1-6.4.40.amzn1.x86_64
libxml2-2.9.1-6.4.40.amzn1.x86_64
libxml2-devel-2.9.1-6.4.40.amzn1.x86_64
libxml2-python27-2.9.1-6.4.40.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2020-1415.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use-after-free
EUVDB-ID: #VU33135
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2016-5131
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing vectors related to the XPointer range-to function. A remote attackers can cause a denial of service or execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
libxml2-2.9.1-6.4.40.amzn1.i686
libxml2-python26-2.9.1-6.4.40.amzn1.i686
libxml2-devel-2.9.1-6.4.40.amzn1.i686
libxml2-static-2.9.1-6.4.40.amzn1.i686
libxml2-python27-2.9.1-6.4.40.amzn1.i686
libxml2-debuginfo-2.9.1-6.4.40.amzn1.i686
src:
libxml2-2.9.1-6.4.40.amzn1.src
x86_64:
libxml2-python26-2.9.1-6.4.40.amzn1.x86_64
libxml2-static-2.9.1-6.4.40.amzn1.x86_64
libxml2-debuginfo-2.9.1-6.4.40.amzn1.x86_64
libxml2-2.9.1-6.4.40.amzn1.x86_64
libxml2-devel-2.9.1-6.4.40.amzn1.x86_64
libxml2-python27-2.9.1-6.4.40.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2020-1415.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use-after-free error
EUVDB-ID: #VU9577
Risk: High
CVSSv4.0: 7.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-15412
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in libXML. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected packages:
i686:Vulnerable software versions
libxml2-2.9.1-6.4.40.amzn1.i686
libxml2-python26-2.9.1-6.4.40.amzn1.i686
libxml2-devel-2.9.1-6.4.40.amzn1.i686
libxml2-static-2.9.1-6.4.40.amzn1.i686
libxml2-python27-2.9.1-6.4.40.amzn1.i686
libxml2-debuginfo-2.9.1-6.4.40.amzn1.i686
src:
libxml2-2.9.1-6.4.40.amzn1.src
x86_64:
libxml2-python26-2.9.1-6.4.40.amzn1.x86_64
libxml2-static-2.9.1-6.4.40.amzn1.x86_64
libxml2-debuginfo-2.9.1-6.4.40.amzn1.x86_64
libxml2-2.9.1-6.4.40.amzn1.x86_64
libxml2-devel-2.9.1-6.4.40.amzn1.x86_64
libxml2-python27-2.9.1-6.4.40.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2020-1415.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Memory corruption
EUVDB-ID: #VU15363
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-18258
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists in the xz_head() function of the GNOME libxml2 library, as defined in the xzlib.c source code due to boundary error in the Lempel-Ziv-Markov (LZMA) decompression feature. A remote unauthenticated attacker can trick the victim into opening a specially crafted LZMA file that submits malicious input, trigger memory corruption and cause the application to crash.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
libxml2-2.9.1-6.4.40.amzn1.i686
libxml2-python26-2.9.1-6.4.40.amzn1.i686
libxml2-devel-2.9.1-6.4.40.amzn1.i686
libxml2-static-2.9.1-6.4.40.amzn1.i686
libxml2-python27-2.9.1-6.4.40.amzn1.i686
libxml2-debuginfo-2.9.1-6.4.40.amzn1.i686
src:
libxml2-2.9.1-6.4.40.amzn1.src
x86_64:
libxml2-python26-2.9.1-6.4.40.amzn1.x86_64
libxml2-static-2.9.1-6.4.40.amzn1.x86_64
libxml2-debuginfo-2.9.1-6.4.40.amzn1.x86_64
libxml2-2.9.1-6.4.40.amzn1.x86_64
libxml2-devel-2.9.1-6.4.40.amzn1.x86_64
libxml2-python27-2.9.1-6.4.40.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2020-1415.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Null pointer dereference
EUVDB-ID: #VU13949
Risk: Low
CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2018-14404
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists in the xmlXPathCompOpEval() function, as defined in the path.c source code file due to improper parsing of invalid XPath expressions in the XPATH_OP_AND and XPATH_OP_OR cases. A remote attacker can send a specially crafted request that submits malicious input to an application that is using the affected library, trigger a NULL pointer dereference and cause the application to crash.
Update the affected packages:
i686:Vulnerable software versions
libxml2-2.9.1-6.4.40.amzn1.i686
libxml2-python26-2.9.1-6.4.40.amzn1.i686
libxml2-devel-2.9.1-6.4.40.amzn1.i686
libxml2-static-2.9.1-6.4.40.amzn1.i686
libxml2-python27-2.9.1-6.4.40.amzn1.i686
libxml2-debuginfo-2.9.1-6.4.40.amzn1.i686
src:
libxml2-2.9.1-6.4.40.amzn1.src
x86_64:
libxml2-python26-2.9.1-6.4.40.amzn1.x86_64
libxml2-static-2.9.1-6.4.40.amzn1.x86_64
libxml2-debuginfo-2.9.1-6.4.40.amzn1.x86_64
libxml2-2.9.1-6.4.40.amzn1.x86_64
libxml2-devel-2.9.1-6.4.40.amzn1.x86_64
libxml2-python27-2.9.1-6.4.40.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2020-1415.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
6) Infinite loop
EUVDB-ID: #VU14470
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-14567
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists in the liblzma error code of the GNOME libxml2 library due to an infinite loop condition in the Lempel–Ziv–Markov (LZMA) decompression feature during the processing of XML files. A remote attacker can trick the victim into opening an XML file that submits malicious input, trigger a LZMA_MEMLIMIT_ERROR condition and cause the service to crash.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
libxml2-2.9.1-6.4.40.amzn1.i686
libxml2-python26-2.9.1-6.4.40.amzn1.i686
libxml2-devel-2.9.1-6.4.40.amzn1.i686
libxml2-static-2.9.1-6.4.40.amzn1.i686
libxml2-python27-2.9.1-6.4.40.amzn1.i686
libxml2-debuginfo-2.9.1-6.4.40.amzn1.i686
src:
libxml2-2.9.1-6.4.40.amzn1.src
x86_64:
libxml2-python26-2.9.1-6.4.40.amzn1.x86_64
libxml2-static-2.9.1-6.4.40.amzn1.x86_64
libxml2-debuginfo-2.9.1-6.4.40.amzn1.x86_64
libxml2-2.9.1-6.4.40.amzn1.x86_64
libxml2-devel-2.9.1-6.4.40.amzn1.x86_64
libxml2-python27-2.9.1-6.4.40.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2020-1415.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Infinite loop
EUVDB-ID: #VU15364
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-9251
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists in the xz_decomp() function of the GNOME libxml2 library, as defined in the xzlib.c source code due to an infinite loop condition in the Lempel-Ziv-Markov (LZMA) decompression feature during the processing of XML files. A remote unauthenticated attacker can trick the victim into opening a specially crafted XML file that submits malicious input, trigger an LZMA_MEMLIMIT_ERROR condition and cause the application to crash.
MitigationUpdate the affected packages:
i686:Vulnerable software versions
libxml2-2.9.1-6.4.40.amzn1.i686
libxml2-python26-2.9.1-6.4.40.amzn1.i686
libxml2-devel-2.9.1-6.4.40.amzn1.i686
libxml2-static-2.9.1-6.4.40.amzn1.i686
libxml2-python27-2.9.1-6.4.40.amzn1.i686
libxml2-debuginfo-2.9.1-6.4.40.amzn1.i686
src:
libxml2-2.9.1-6.4.40.amzn1.src
x86_64:
libxml2-python26-2.9.1-6.4.40.amzn1.x86_64
libxml2-static-2.9.1-6.4.40.amzn1.x86_64
libxml2-debuginfo-2.9.1-6.4.40.amzn1.x86_64
libxml2-2.9.1-6.4.40.amzn1.x86_64
libxml2-devel-2.9.1-6.4.40.amzn1.x86_64
libxml2-python27-2.9.1-6.4.40.amzn1.x86_64
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2020-1415.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
