#VU32381 Resource management error in Libxml2 - CVE-2015-8035

Cybersecurity Help s.r.o.

Published: 2015-11-18 | Updated: 2020-07-28

Vulnerability identifier: #VU32381

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-8035

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Libxml2
Universal components / Libraries / Libraries used by multiple products

Vendor: Gnome Development Team

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Libxml2: 6.0.19

External links
https://lists.apple.com/archives/security-announce/2016/Mar/msg00000.html
https://lists.apple.com/archives/security-announce/2016/Mar/msg00001.html
https://lists.apple.com/archives/security-announce/2016/Mar/msg00002.html
https://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177341.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177381.html
https://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
https://lists.opensuse.org/opensuse-updates/2016-01/msg00031.html
https://rhn.redhat.com/errata/RHSA-2016-1089.html
https://www.debian.org/security/2015/dsa-3430
https://www.openwall.com/lists/oss-security/2015/11/02/2
https://www.openwall.com/lists/oss-security/2015/11/02/4
https://www.openwall.com/lists/oss-security/2015/11/03/1
https://www.securityfocus.com/bid/77390
https://www.securitytracker.com/id/1034243
https://www.ubuntu.com/usn/USN-2812-1
https://xmlsoft.org/news.html
https://bugzilla.gnome.org/show_bug.cgi?id=757466
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05111017
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158380
https://security.gentoo.org/glsa/201701-37
https://support.apple.com/HT206166
https://support.apple.com/HT206167
https://support.apple.com/HT206168
https://support.apple.com/HT206169

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)

Amazon Linux AMI update for libxml2

Red Hat Enterprise Linux 7 update for libxml2

Fedora EPEL 7 update for mingw-libxml2

Fedora 22 update for mingw-libxml2

Fedora 23 update for mingw-libxml2

Resource management error in libxml2 (Alpine package)

Fedora 23 update for libxml2

Fedora 22 update for libxml2

Resource management error in Libxml2