Executive Summary

Title: libxml2 security update
Name: RHSA-2012:0324
Vendor: RedHat
Severity (Vendor): Moderate
Revision: 01
First vendor publication: 2012-02-21
Last vendor modification: 2012-02-21

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS base score: 5.0        Attack range: Network
CVSS impact score: 2.9      Attack complexity: Low
CVSS exploit score: 10.0    Authentication: None required

Detail

1. Problem Description:

Updated libxml2 packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

2. Relevant releases/architectures:

RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64

3. Description:

The libxml2 library is a development toolbox providing the implementation of various XML standards.

It was found that the hashing routine used by libxml2 arrays was susceptible to predictable hash collisions. Sending a specially-crafted message to an XML service could result in longer processing time, which could lead to a denial of service. To mitigate this issue, randomization has been added to the hashing function to reduce the chance of an attacker successfully causing intentional collisions. (CVE-2012-0841)
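
The collision mechanism described above, as an added worked example (this is not code from the advisory or from libxml2 itself). The key function is modeled on libxml2's xmlHashComputeKey, simplified to a single name part and a fixed number of buckets; the 256-bucket table, the 4-letter lowercase names, the seed constant and the "aaaa" starting point are all assumptions made for the demonstration. A seed of 0 stands for the pre-fix hash, whose output an attacker can compute in advance; a non-zero seed stands for the per-table randomization the update backports. The attacker half enumerates names until it has a set that all fall into one bucket; the defender half counts how many comparisons inserting that set costs with and without the seed.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of CVE-2012-0841 (added example, not libxml2 code).  The key
 * function is modeled on libxml2's xmlHashComputeKey, simplified to one
 * name part and a fixed bucket count; the real table also grows.  A seed
 * of 0 stands for the pre-fix, fully predictable hash; a non-zero seed
 * stands for the per-table random seed the fix introduces.  TABLE_SIZE,
 * NAME_LEN and the seed constant below are assumptions for the demo. */

#define TABLE_SIZE 256   /* buckets; bucket = hash % TABLE_SIZE */
#define NAME_LEN   4     /* attacker-chosen names: 4 lowercase letters */

static unsigned long hash_key(unsigned long seed, const char *name)
{
    const unsigned char *p = (const unsigned char *)name;
    unsigned long value = seed;

    if (p != NULL && *p != '\0') {
        value += 30UL * *p;
        for (; *p != '\0'; p++)
            value = value ^ ((value << 5) + (value >> 3) + (unsigned long)*p);
    }
    return value % TABLE_SIZE;
}

/* Attacker side.  Because the unseeded hash is public and deterministic,
 * walk "aaaa".."zzzz" and keep every name that lands in the same bucket as
 * "aaaa".  names[] must hold at least `want` entries; returns how many were
 * collected (want, unless the search space runs out first). */
static int collect_colliding_names(int want, char names[][NAME_LEN + 1])
{
    char cand[NAME_LEN + 1] = "aaaa";
    int idx[NAME_LEN] = {0};
    unsigned long target = hash_key(0UL, cand);
    int found = 0;

    while (found < want) {
        if (hash_key(0UL, cand) == target)
            strcpy(names[found++], cand);

        /* advance the name like an odometer over 'a'..'z' */
        int i = NAME_LEN - 1;
        while (i >= 0 && ++idx[i] == 26) {
            idx[i] = 0;
            cand[i] = 'a';
            i--;
        }
        if (i < 0)
            break;                      /* whole space exhausted */
        cand[i] = (char)('a' + idx[i]);
    }
    return found;
}

/* Defender side.  Simulate inserting the names into a chained table hashed
 * with `seed`.  Each insert first compares against every entry already in
 * its chain (as any table that rejects duplicate keys must), so the total
 * number of comparisons is the CPU work the input forces on the parser. */
static long insert_probes(unsigned long seed, char names[][NAME_LEN + 1], int n)
{
    int chain[TABLE_SIZE] = {0};
    long probes = 0;

    for (int i = 0; i < n; i++) {
        int b = (int)hash_key(seed, names[i]);
        probes += chain[b];
        chain[b]++;
    }
    return probes;
}

/* Longest chain after inserting the names: the worst-case cost of one lookup. */
static int longest_chain(unsigned long seed, char names[][NAME_LEN + 1], int n)
{
    int chain[TABLE_SIZE] = {0};
    int longest = 0;

    for (int i = 0; i < n; i++) {
        int b = (int)hash_key(seed, names[i]);
        if (++chain[b] > longest)
            longest = chain[b];
    }
    return longest;
}

int main(void)
{
    static char names[1000][NAME_LEN + 1];
    int n = collect_colliding_names(1000, names);
    /* Stand-in for the per-table random seed (assumption: libxml2 draws its
     * own value when the table is created; this constant is arbitrary). */
    unsigned long seed = 0x9E3779B9UL;

    printf("%d crafted names\n", n);
    printf("unseeded: longest chain %4d, insert comparisons %8ld\n",
           longest_chain(0UL, names, n), insert_probes(0UL, names, n));
    printf("seeded:   longest chain %4d, insert comparisons %8ld\n",
           longest_chain(seed, names, n), insert_probes(seed, names, n));
    return 0;
}
```

With the unseeded hash every crafted name lands in one bucket, so n inserts cost n(n-1)/2 comparisons and a single lookup walks the whole chain; an attacker who controls element or attribute names in a document gets quadratic CPU time for linear input. With a seed the attacker cannot learn, the same names scatter across the table and the cost falls back to roughly linear. The seed has to be unpredictable to the sender, not merely non-constant, and it does nothing for a table whose seed leaks, which is why the fix seeds each table at creation rather than once per library.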

All users of libxml2 are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. The desktop must be restarted (log out, then log back in) for this update to take effect. The same applies to any long-running process that has already loaded the old library (for example a network service that parses XML): a replaced shared library is only picked up when the process is restarted.

4. Solution:

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

787067 - CVE-2012-0841 libxml2: hash table collisions CPU usage DoS

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2012-0324.html

CWE : Common Weakness Enumeration

CWE-399: Resource Management Errors

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:20976
Title: RHSA-2012:0324: libxml2 security update (Moderate)
Description: libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
Family: unix Class: patch
Reference(s): RHSA-2012:0324-01
CESA-2012:0324
CVE-2012-0841
Version: 4
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
Product(s): libxml2

Oval ID: oval:org.mitre.oval:def:20110
Title: VMware vSphere and vCOps updates to third party libraries
Description: libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
Family: unix Class: vulnerability
Reference(s): CVE-2012-0841
Version: 4
Platform(s): VMWare ESX Server 4.1
VMWare ESX Server 4.0
Product(s):

Oval ID: oval:org.mitre.oval:def:15454
Title: USN-1376-1 -- libxml2 vulnerability
Description: libxml2: GNOME XML library libxml2 could be made to cause a denial of service by consuming excessive CPU resources.
Family: unix Class: patch
Reference(s): USN-1376-1
CVE-2012-0841
Version: 5
Platform(s): Ubuntu 11.04
Ubuntu 11.10
Ubuntu 8.04
Ubuntu 10.04
Ubuntu 10.10
Product(s): libxml2

Oval ID: oval:org.mitre.oval:def:14887
Title: DSA-2417-1 libxml2 -- computational denial of service
Description: It was discovered that the internal hashing routine of libxml2, a library providing an extensive API to handle XML data, is vulnerable to predictable hash collisions. Given an attacker with knowledge of the hashing algorithm, it is possible to craft input that creates a large amount of collisions. As a result it is possible to perform denial of service attacks against applications using libxml2 functionality because of the computational overhead.
Family: unix Class: patch
Reference(s): DSA-2417-1
CVE-2012-0841
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/kFreeBSD 6.0
Product(s): libxml2

Oval ID: oval:org.mitre.oval:def:23733
Title: ELSA-2012:0324: libxml2 security update (Moderate)
Description: libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
Family: unix Class: patch
Reference(s): ELSA-2012:0324-01
CVE-2012-0841
Version: 6
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): libxml2

Oval ID: oval:org.mitre.oval:def:23087
Title: DEPRECATED: ELSA-2012:0324: libxml2 security update (Moderate)
Description: libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.
Family: unix Class: patch
Reference(s): ELSA-2012:0324-01
CVE-2012-0841
Version: 7
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): libxml2

Oval ID: oval:org.mitre.oval:def:27873
Title: ELSA-2012-0324 -- libxml2 security update (moderate)
Description:
[2.7.6-4.0.1.el6_2.4]
- Update doc/redhat.gif in tarball
- Add libxml2-oracle-enterprise.patch and update logos in tarball
[2.7.6-4.el6_2.4]
- remove chunk in patch related to configure.in as it breaks rebuild
- Resolves: rhbz#788845
[2.7.6-4.el6_2.3]
- fix previous build to force compilation of randomization code
- Resolves: rhbz#788845
[2.7.6-4.el6_2.2]
- adds randomization to hash and dict structures CVE-2012-0841
- Resolves: rhbz#788845
Family: unix Class: patch
Reference(s): ELSA-2012-0324
CVE-2012-0841
Version: 3
Platform(s): Oracle Linux 5
Oracle Linux 6
Product(s): libxml2

CPE : Common Platform Enumeration

Type         Count
Application  124
Os           48

OpenVAS Exploits

Date        Description
2012-10-03  Name : Fedora Update for libxml2 FEDORA-2012-13824
            File : nvt/gb_fedora_2012_13824_libxml2_fc16.nasl
2012-09-27  Name : Fedora Update for libxml2 FEDORA-2012-13820
            File : nvt/gb_fedora_2012_13820_libxml2_fc17.nasl
2012-08-31  Name : VMSA-2012-0013 VMware vSphere and vCOps updates to third party libraries.
            File : nvt/gb_VMSA-2012-0013.nasl
2012-07-30  Name : CentOS Update for libxml2 CESA-2012:0324 centos6
            File : nvt/gb_CESA-2012_0324_libxml2_centos6.nasl
2012-07-13  Name : VMSA-2012-0012 VMware ESXi update addresses several security issues.
            File : nvt/gb_VMSA-2012-0012.nasl
2012-03-12  Name : Gentoo Security Advisory GLSA 201203-04 (libxml2)
            File : nvt/glsa_201203_04.nasl
2012-03-12  Name : Debian Security Advisory DSA 2417-1 (libxml2)
            File : nvt/deb_2417_1.nasl
2012-03-07  Name : Ubuntu Update for libxml2 USN-1376-1
            File : nvt/gb_ubuntu_USN_1376_1.nasl
2012-02-27  Name : RedHat Update for libxml2 RHSA-2012:0324-01
            File : nvt/gb_RHSA-2012_0324-01_libxml2.nasl

Information Assurance Vulnerability Management (IAVM)

Date        Description
2012-09-27  IAVM : 2012-A-0153 - Multiple Vulnerabilities in VMware ESX 4.0 and ESXi 4.0
            Severity : Category I - VMSKEY : V0033884
2012-09-13  IAVM : 2012-A-0148 - Multiple Vulnerabilities in VMware ESXi 4.1 and ESX 4.1
            Severity : Category I - VMSKEY : V0033794

Nessus® Vulnerability Scanner

Date        Description
2014-11-17  Name : The remote Red Hat host is missing one or more security updates.
            File : redhat-RHSA-2012-0422.nasl - Type : ACT_GATHER_INFO
2014-11-08  Name : The remote Red Hat host is missing one or more security updates.
            File : redhat-RHSA-2012-1324.nasl - Type : ACT_GATHER_INFO
2014-06-13  Name : The remote openSUSE host is missing a security update.
            File : openSUSE-2012-179.nasl - Type : ACT_GATHER_INFO
2014-06-13  Name : The remote openSUSE host is missing a security update.
            File : suse_11_4_libxml2-120224.nasl - Type : ACT_GATHER_INFO
2014-01-23  Name : The remote host contains an application that has multiple vulnerabilities.
            File : itunes_11_1_4.nasl - Type : ACT_GATHER_INFO
2014-01-23  Name : The remote host contains a multimedia application that has multiple vulnerabi...
            File : itunes_11_1_4_banner.nasl - Type : ACT_GATHER_INFO
2013-11-13  Name : The remote VMware ESXi 5.0 host is affected by multiple security vulnerabilit...
            File : vmware_esxi_5_0_build_764879_remote.nasl - Type : ACT_GATHER_INFO
2013-10-24  Name : The remote host contains an application that has multiple vulnerabilities.
            File : itunes_11_1_2.nasl - Type : ACT_GATHER_INFO
2013-10-24  Name : The remote host contains a multimedia application that has multiple vulnerabi...
            File : itunes_11_1_2_banner.nasl - Type : ACT_GATHER_INFO
2013-10-01  Name : The remote device is affected by multiple vulnerabilities.
            File : appletv_6_0.nasl - Type : ACT_GATHER_INFO
2013-09-04  Name : The remote Amazon Linux AMI host is missing a security update.
            File : ala_ALAS-2012-52.nasl - Type : ACT_GATHER_INFO
2013-07-12  Name : The remote Oracle Linux host is missing one or more security updates.
            File : oraclelinux_ELSA-2012-0324.nasl - Type : ACT_GATHER_INFO
2013-07-12  Name : The remote Oracle Linux host is missing one or more security updates.
            File : oraclelinux_ELSA-2013-0217.nasl - Type : ACT_GATHER_INFO
2013-02-04  Name : The remote Scientific Linux host is missing one or more security updates.
            File : sl_20130131_mingw32_libxml2_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2013-02-01  Name : The remote CentOS host is missing one or more security updates.
            File : centos_RHSA-2013-0217.nasl - Type : ACT_GATHER_INFO
2013-02-01  Name : The remote Red Hat host is missing one or more security updates.
            File : redhat-RHSA-2013-0217.nasl - Type : ACT_GATHER_INFO
2013-01-25  Name : The remote SuSE 11 host is missing one or more security updates.
            File : suse_11_libxml2-120223.nasl - Type : ACT_GATHER_INFO
2012-09-27  Name : The remote Fedora host is missing a security update.
            File : fedora_2012-13820.nasl - Type : ACT_GATHER_INFO
2012-09-27  Name : The remote Fedora host is missing a security update.
            File : fedora_2012-13824.nasl - Type : ACT_GATHER_INFO
2012-08-31  Name : The remote VMware ESXi / ESX host is missing one or more security-related pat...
            File : vmware_VMSA-2012-0013.nasl - Type : ACT_GATHER_INFO
2012-08-01  Name : The remote Scientific Linux host is missing one or more security updates.
            File : sl_20120221_libxml2_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-07-13  Name : The remote VMware ESXi host is missing a security-related patch.
            File : vmware_VMSA-2012-0012.nasl - Type : ACT_GATHER_INFO
2012-05-17  Name : The remote SuSE 10 host is missing a security-related patch.
            File : suse_libxml2-7997.nasl - Type : ACT_GATHER_INFO
2012-03-06  Name : The remote Gentoo host is missing one or more security-related patches.
            File : gentoo_GLSA-201203-04.nasl - Type : ACT_GATHER_INFO
2012-02-28  Name : The remote Ubuntu host is missing a security-related patch.
            File : ubuntu_USN-1376-1.nasl - Type : ACT_GATHER_INFO
2012-02-23  Name : The remote Debian host is missing a security-related update.
            File : debian_DSA-2417.nasl - Type : ACT_GATHER_INFO
2012-02-23  Name : The remote CentOS host is missing one or more security updates.
            File : centos_RHSA-2012-0324.nasl - Type : ACT_GATHER_INFO
2012-02-22  Name : The remote Red Hat host is missing one or more security updates.
            File : redhat-RHSA-2012-0324.nasl - Type : ACT_GATHER_INFO

Alert History

Date                 Information
2014-02-17 11:55:44  Multiple Updates
2012-12-21 17:23:55  Multiple Updates
2012-12-21 13:21:10  Multiple Updates