ID CVE-2014-0191
Summary The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
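Added example, not code from this page, from libxml2 or from lxml: a probe for the behaviour described in the summary, written against lxml (the Python binding for libxml2), together with the entity-resolver pattern that neutralises external parameter entity loads regardless of which libxml2 version is linked. The probe document, the entity name ext and the URL external.dtd are constructed for this example, and lxml is assumed to be installed. On libxml2 2.9.2 or later a non-validating parse with entity substitution disabled records no external load; on a vulnerable build the resolver is invoked for external.dtd even though XML_PARSE_NOENT is off, which is exactly the defect.

```python
# Added example (not from the page, libxml2 or lxml). Probes whether the
# libxml2 behind lxml still fetches an external parameter entity when entity
# substitution is disabled (the CVE-2014-0191 behaviour) and shows a resolver
# that neutralises such fetches on any version. The document, the entity name
# "ext" and the URL "external.dtd" are constructed for the demonstration.
from lxml import etree

# Constructed probe: an external parameter entity declared and referenced in
# the internal DTD subset. A non-validating parse with substitution disabled
# has no reason to fetch "external.dtd"; a fixed libxml2 leaves it alone.
PROBE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE root [
  <!ENTITY % ext SYSTEM "external.dtd">
  %ext;
]>
<root>ok</root>
"""


class RecordingResolver(etree.Resolver):
    """Intercepts every external load libxml2 attempts through lxml, records the
    requested URL and hands back an inert DTD comment, so nothing is read from
    disk or the network whatever the parser flags say."""

    def __init__(self):
        super().__init__()
        self.requests = []

    def resolve(self, system_url, public_id, context):
        self.requests.append(system_url)
        return self.resolve_string("<!-- external load blocked -->", context)


def parse_with_probe(xml_bytes, resolve_entities):
    """Parse xml_bytes and return (root element, list of external URLs libxml2
    tried to load). resolve_entities maps to libxml2's XML_PARSE_NOENT; DTD
    loading, validation and attribute defaults stay off, network access is off."""
    resolver = RecordingResolver()
    parser = etree.XMLParser(resolve_entities=resolve_entities,
                             load_dtd=False, dtd_validation=False,
                             attribute_defaults=False, no_network=True)
    parser.resolvers.add(resolver)
    root = etree.fromstring(xml_bytes, parser)
    return root, resolver.requests


def libxml2_fetches_external_pe_with_substitution_off():
    """True means the linked libxml2 still shows the CVE-2014-0191 behaviour:
    it tried to load the external parameter entity although NOENT was off."""
    _, requests = parse_with_probe(PROBE_XML, resolve_entities=False)
    return len(requests) > 0


def parse_untrusted(xml_bytes):
    """Hardened parse for attacker-controlled XML: substitution off, network
    off, every external load intercepted, and the document rejected if the
    parser attempted any external fetch at all (fails closed on any version)."""
    root, requests = parse_with_probe(xml_bytes, resolve_entities=False)
    if requests:
        raise ValueError("document tried to load external resources: %r" % requests)
    return root


if __name__ == "__main__":
    print("libxml2 version:", etree.LIBXML_VERSION)
    print("fetches external PE with substitution off:",
          libxml2_fetches_external_pe_with_substitution_off())
    print("substitution on, loads intercepted:",
          parse_with_probe(PROBE_XML, resolve_entities=True)[1])
```

Because the resolver returns inert content, the substitution-enabled parse is safe to run as a demonstration of the interception; parse_untrusted additionally fails closed by rejecting any document for which libxml2 attempted an external fetch, so the protection does not depend on the library having the 2.9.2 fix.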
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:fusion_middleware:11.1.1.7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware:12.1.2.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:oracle:fusion_middleware:12.1.3.0.0:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 29-08-2017 - 01:34)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector: NETWORK   Complexity: MEDIUM   Authentication: NONE
Impact
  Confidentiality: NONE   Integrity: NONE   Availability: PARTIAL
cvss-vector via4 AV:N/AC:M/Au:N/C:N/I:N/A:P
redhat via4
advisories
  • bugzilla
    id 1090976
    title CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhba:tst:20111656001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhba:tst:20111656002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhba:tst:20111656003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20111656004
    • OR
      • AND
        • comment libxml2 is earlier than 0:2.7.6-14.el6_5.1
          oval oval:com.redhat.rhsa:tst:20140513005
        • comment libxml2 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749006
      • AND
        • comment libxml2-devel is earlier than 0:2.7.6-14.el6_5.1
          oval oval:com.redhat.rhsa:tst:20140513007
        • comment libxml2-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749012
      • AND
        • comment libxml2-python is earlier than 0:2.7.6-14.el6_5.1
          oval oval:com.redhat.rhsa:tst:20140513011
        • comment libxml2-python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749010
      • AND
        • comment libxml2-static is earlier than 0:2.7.6-14.el6_5.1
          oval oval:com.redhat.rhsa:tst:20140513009
        • comment libxml2-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749008
    rhsa
    id RHSA-2014:0513
    released 2014-05-19
    severity Moderate
    title RHSA-2014:0513: libxml2 security update (Moderate)
  • bugzilla
    id 1090976
    title CVE-2014-0191 libxml2: external parameter entity loaded when entity substitution is disabled
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment libxml2 is earlier than 0:2.9.1-5.el7_1.2
          oval oval:com.redhat.rhsa:tst:20150749005
        • comment libxml2 is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749006
      • AND
        • comment libxml2-devel is earlier than 0:2.9.1-5.el7_1.2
          oval oval:com.redhat.rhsa:tst:20150749007
        • comment libxml2-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749012
      • AND
        • comment libxml2-python is earlier than 0:2.9.1-5.el7_1.2
          oval oval:com.redhat.rhsa:tst:20150749009
        • comment libxml2-python is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749010
      • AND
        • comment libxml2-static is earlier than 0:2.9.1-5.el7_1.2
          oval oval:com.redhat.rhsa:tst:20150749011
        • comment libxml2-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20111749008
    rhsa
    id RHSA-2015:0749
    released 2015-03-30
    severity Moderate
    title RHSA-2015:0749: libxml2 security update (Moderate)
rpms
  • libxml2-0:2.7.6-14.el6_5.1
  • libxml2-devel-0:2.7.6-14.el6_5.1
  • libxml2-python-0:2.7.6-14.el6_5.1
  • libxml2-static-0:2.7.6-14.el6_5.1
  • libxml2-0:2.9.1-5.el7_1.2
  • libxml2-devel-0:2.9.1-5.el7_1.2
  • libxml2-python-0:2.9.1-5.el7_1.2
  • libxml2-static-0:2.9.1-5.el7_1.2
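Added example, not code from this page or from Red Hat's tooling: the OVAL criteria above ("libxml2 is earlier than 0:2.7.6-14.el6_5.1" for RHEL 6, "earlier than 0:2.9.1-5.el7_1.2" for RHEL 7) turned into a check that can be run against the output of `rpm -q --qf '%{VERSION}-%{RELEASE}\n' libxml2`, plus the upstream "before 2.9.2" test for a self-built library (`xml2-config --version`). The comparison is a port of rpm's rpmvercmp(), because a plain string compare gets cases like 2.9.10 versus 2.9.2 wrong; the fixed versions are those in the advisories on this page, and the sample inputs in the main block are constructed. The RHSA check is the one that matters on RHEL, where the fix was backported without bumping the upstream version.

```python
# Added example (not from the page or from Red Hat). Checks an installed
# libxml2 EVR against the RHSA fixed versions listed on this page, and an
# upstream version against 2.9.2, using a port of rpm's rpmvercmp().
import re

FIXED_EVR = {
    "el6": "0:2.7.6-14.el6_5.1",  # RHSA-2014:0513
    "el7": "0:2.9.1-5.el7_1.2",   # RHSA-2015:0749
}
UPSTREAM_FIXED = "2.9.2"          # "libxml2 before 2.9.2" in the summary


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.
    Segments are runs of digits or letters; anything else separates them.
    Numeric segments compare by value, alpha segments lexically, a numeric
    segment beats an alpha one, and '~' sorts before anything (pre-release)."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        while i < la and not (a[i].isascii() and a[i].isalnum()) and a[i] != "~":
            i += 1
        while j < lb and not (b[j].isascii() and b[j].isalnum()) and b[j] != "~":
            j += 1
        if (i < la and a[i] == "~") or (j < lb and b[j] == "~"):
            if i >= la or a[i] != "~":
                return 1
            if j >= lb or b[j] != "~":
                return -1
            i += 1
            j += 1
            continue
        if i >= la or j >= lb:
            break
        isnum = a[i].isdigit()
        pattern = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        if mb is None:                       # segments of different type
            return 1 if isnum else -1
        sb = mb.group(0)
        i += len(sa)
        j += len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1              # the string with data left is newer


def split_evr(evr):
    """'0:2.7.6-14.el6_5.1' -> (0, '2.7.6', '14.el6_5.1'); a missing epoch is 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (int(epoch) if epoch else 0, version, release)


def evr_cmp(a, b):
    """Compare two epoch:version-release strings the way rpm does."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def check_rhel_libxml2(installed_evr):
    """True if the installed libxml2 EVR is earlier than the RHSA fix for its
    RHEL release (the OVAL 'is earlier than' test), False once fixed.
    Raises ValueError for releases this page carries no advisory for."""
    release = split_evr(installed_evr)[2]
    m = re.search(r"\.(el[0-9]+)", release)
    dist = m.group(1) if m else None
    if dist not in FIXED_EVR:
        raise ValueError("no RHSA data on this page for release %r" % release)
    return evr_cmp(installed_evr, FIXED_EVR[dist]) < 0


def upstream_vulnerable(version):
    """For a self-built libxml2 (`xml2-config --version`): True if before 2.9.2."""
    return rpmvercmp(version, UPSTREAM_FIXED) < 0


if __name__ == "__main__":
    # Constructed sample inputs in the shape `rpm -q --qf '%{VERSION}-%{RELEASE}\n' libxml2` prints.
    for evr in ("2.7.6-14.el6_5", "2.7.6-14.el6_5.1", "2.9.1-5.el7", "2.9.1-5.el7_1.2"):
        print(evr, "VULNERABLE" if check_rhel_libxml2(evr) else "fixed")
```

Note that 2.9.1-5.el7 reports as vulnerable even though RHEL 7's package already carries upstream 2.9.1: the OVAL test is on the full release string, and only 2.9.1-5.el7_1.2 or later has the backported fix.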
refmap via4
apple
  • APPLE-SA-2015-08-13-2
  • APPLE-SA-2015-08-13-3
bid 67233
confirm
suse openSUSE-SU-2015:2372
xf libxml2-cve20140191-dos(93092)
Last major update 29-08-2017 - 01:34
Published 21-01-2015 - 14:59