ID CVE-2014-0191
Summary The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
References
Vulnerable Configurations
  • Oracle Fusion Middleware 11.1.1.7.0
    cpe:2.3:a:oracle:fusion_middleware:11.1.1.7.0
  • Oracle Fusion Middleware 12.1.2.0.0
    cpe:2.3:a:oracle:fusion_middleware:12.1.2.0.0
  • Oracle Fusion Middleware 12.1.3.0.0
    cpe:2.3:a:oracle:fusion_middleware:12.1.3.0.0
CVSS
Base: 4.3 (as of 08-07-2016 - 11:53)
Impact:
Exploitability:
Access
  Vector NETWORK
  Complexity MEDIUM
  Authentication NONE
Impact
  Confidentiality NONE
  Integrity NONE
  Availability PARTIAL
redhat via4
advisories
  • bugzilla
    id 1090976
    title CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment libxml2 is earlier than 0:2.7.6-14.el6_5.1
          oval oval:com.redhat.rhsa:tst:20140513005
        • comment libxml2 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120018006
      • AND
        • comment libxml2-devel is earlier than 0:2.7.6-14.el6_5.1
          oval oval:com.redhat.rhsa:tst:20140513007
        • comment libxml2-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120018010
      • AND
        • comment libxml2-python is earlier than 0:2.7.6-14.el6_5.1
          oval oval:com.redhat.rhsa:tst:20140513011
        • comment libxml2-python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120018008
      • AND
        • comment libxml2-static is earlier than 0:2.7.6-14.el6_5.1
          oval oval:com.redhat.rhsa:tst:20140513009
        • comment libxml2-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120018012
    rhsa
    id RHSA-2014:0513
    released 2014-05-19
    severity Moderate
    title RHSA-2014:0513: libxml2 security update (Moderate)
  • bugzilla
    id 1090976
    title CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment libxml2 is earlier than 0:2.9.1-5.el7_1.2
          oval oval:com.redhat.rhsa:tst:20150749005
        • comment libxml2 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120018006
      • AND
        • comment libxml2-devel is earlier than 0:2.9.1-5.el7_1.2
          oval oval:com.redhat.rhsa:tst:20150749007
        • comment libxml2-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120018010
      • AND
        • comment libxml2-python is earlier than 0:2.9.1-5.el7_1.2
          oval oval:com.redhat.rhsa:tst:20150749009
        • comment libxml2-python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120018008
      • AND
        • comment libxml2-static is earlier than 0:2.9.1-5.el7_1.2
          oval oval:com.redhat.rhsa:tst:20150749011
        • comment libxml2-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20120018012
    rhsa
    id RHSA-2015:0749
    released 2015-03-30
    severity Moderate
    title RHSA-2015:0749: libxml2 security update (Moderate)
rpms
  • libxml2-0:2.7.6-14.el6_5.1
  • libxml2-devel-0:2.7.6-14.el6_5.1
  • libxml2-python-0:2.7.6-14.el6_5.1
  • libxml2-static-0:2.7.6-14.el6_5.1
  • libxml2-0:2.9.1-5.el7_1.2
  • libxml2-devel-0:2.9.1-5.el7_1.2
  • libxml2-python-0:2.9.1-5.el7_1.2
  • libxml2-static-0:2.9.1-5.el7_1.2
refmap via4
apple
  • APPLE-SA-2015-08-13-2
  • APPLE-SA-2015-08-13-3
bid 67233
confirm
suse openSUSE-SU-2015:2372
xf libxml2-cve20140191-dos(93092)
vmware via4
description libxml2 is updated to address multiple security issues
id VMSA-2014-0012
last_updated 2015-01-27T00:00:00
published 2014-12-04T00:00:00
title Update to ESXi libxml2 package
workaround None
Last major update 02-01-2017 - 21:59
Published 21-01-2015 - 09:59
Last modified 28-08-2017 - 21:34