4.3 - CVE-2014-0191

Executive Summary

Informations
Name	CVE-2014-0191	First vendor Publication	2015-01-21
Vendor	Cve	Last vendor Modification	2024-11-21

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Cvss Base Score	4.3	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0191

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:24407

Oval ID:	oval:org.mitre.oval:def:24407
Title:	RHSA-2014:0513: libxml2 security update (Moderate)
Description:	The libxml2 library is a development toolbox providing the implementation of various XML standards. It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system. (CVE-2014-0191) An out-of-bounds read flaw was found in the way libxml2 detected the end of an XML file. A remote attacker could provide a specially crafted XML file that, when processed by an application linked against libxml2, could cause the application to crash. (CVE-2013-2877) The CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat. All libxml2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:0513-00 CESA-2014:0513 CVE-2013-2877 CVE-2014-0191	Version:	3
Platform(s):	Red Hat Enterprise Linux 6 CentOS Linux 6	Product(s):	libxml2
Definition Synopsis:
Redhat 6 or Centos 6 release The operating system installed on the system is Red Hat Enterprise Linux 6 AND The operating system installed on the system is CentOS Linux 6.x Packages section libxml2 is earlier than 0:2.7.6-14.el6_5.1 AND libxml2-devel is earlier than 0:2.7.6-14.el6_5.1 AND libxml2-python is earlier than 0:2.7.6-14.el6_5.1 AND libxml2-static is earlier than 0:2.7.6-14.el6_5.1

Definition Id: oval:org.mitre.oval:def:24762

Oval ID:	oval:org.mitre.oval:def:24762
Title:	USN-2214-1 -- libxml2 vulnerability
Description:	libxml2 could be made to consume resources if it processed a specially crafted file.
Family:	unix	Class:	patch
Reference(s):	USN-2214-1 CVE-2014-0191	Version:	5
Platform(s):	Ubuntu 14.04 Ubuntu 13.10 Ubuntu 12.10 Ubuntu 12.04 Ubuntu 10.04	Product(s):	libxml2
Definition Synopsis:
Ubuntu 14.04 release section Ubuntu 14.04 is installed AND libxml2 DPKG is earlier than 0:2.9.1+dfsg1-3ubuntu4.1 AND Ubuntu 13.10 release section Ubuntu 13.10 is installed AND libxml2 DPKG is earlier than 0:2.9.1+dfsg1-3ubuntu2.1 AND Ubuntu 12.10 release section Ubuntu 12.10 is installed AND libxml2 DPKG is earlier than 0:2.8.0+dfsg1-5ubuntu2.5 AND Ubuntu 12.04 release section Ubuntu 12.04 is installed AND libxml2 DPKG is earlier than 0:2.7.8.dfsg-5.1ubuntu4.7 AND Ubuntu 10.04 release section Ubuntu 10.04 is installed AND libxml2 DPKG is earlier than 0:2.7.6.dfsg-1ubuntu1.11

Definition Id: oval:org.mitre.oval:def:24907

Oval ID:	oval:org.mitre.oval:def:24907
Title:	DSA-2978-1 -- libxml2 - security update
Description:	Daniel P. Berrange discovered a denial of service vulnerability in libxml2 entity substitution.
Family:	unix	Class:	patch
Reference(s):	DSA-2978-1 CVE-2014-0191	Version:	5
Platform(s):	Debian GNU/Linux 7 Debian GNU/kFreeBSD 7	Product(s):	libxml2
Definition Synopsis:
Debian 7 Debian 7 is installed AND GNU/Linux or GNU/kFreeBSD kernel Debian GNU/Linux is installed AND Debian GNU/kFreeBSD is installed AND libxml2 DPKG is earlier than 0:2.8.0+dfsg1-7+wheezy1

Definition Id: oval:org.mitre.oval:def:25192

Oval ID:	oval:org.mitre.oval:def:25192
Title:	ELSA-2014:0513: libxml2 security update (Moderate)
Description:	The libxml2 library is a development toolbox providing the implementation of various XML standards. It was discovered that libxml2 loaded external parameter entities even when entity substitution was disabled. A remote attacker able to provide a specially crafted XML file to an application linked against libxml2 could use this flaw to conduct XML External Entity (XXE) attacks, possibly resulting in a denial of service or an information leak on the system. (CVE-2014-0191) An out-of-bounds read flaw was found in the way libxml2 detected the end of an XML file. A remote attacker could provide a specially crafted XML file that, when processed by an application linked against libxml2, could cause the application to crash. (CVE-2013-2877) The CVE-2014-0191 issue was discovered by Daniel P. Berrange of Red Hat. All libxml2 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. The desktop must be restarted (log out, then log back in) for this update to take effect.
Family:	unix	Class:	patch
Reference(s):	ELSA-2014:0513-00 CVE-2013-2877 CVE-2014-0191	Version:	4
Platform(s):	Oracle Linux 6	Product(s):	libxml2
Definition Synopsis:
Oracle Linux 6.x rpm test libxml2 is earlier than 0:2.7.6-14.el6_5.1 AND libxml2-devel is earlier than 0:2.7.6-14.el6_5.1 AND libxml2-python is earlier than 0:2.7.6-14.el6_5.1 AND libxml2-static is earlier than 0:2.7.6-14.el6_5.1

Definition Id: oval:org.mitre.oval:def:26123

Oval ID:	oval:org.mitre.oval:def:26123
Title:	AIX libxml2 vulnerability
Description:	The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2014-0191	Version:	6
Platform(s):	IBM AIX 6.1 IBM AIX 7.1	Product(s):
Definition Synopsis:
platforms IBM AIX 6.1 is installed AND IBM AIX 7.1 is installed AND filesets File Version Exists bos.rte.control greater than or equal 6.1.8.0 AND bos.rte.control less than or equal 6.1.8.17 OR File Version Exists bos.rte.control greater than or equal 6.1.9.0 AND bos.rte.control less than or equal 6.1.9.15 OR File Version Exists bos.rte.control greater than or equal 7.1.2.0 AND bos.rte.control less than or equal 7.1.2.17 OR File Version Exists bos.rte.control greater than or equal 7.1.3.0 AND bos.rte.control less than or equal 7.1.3.15

Definition Id: oval:org.mitre.oval:def:27354

Oval ID:	oval:org.mitre.oval:def:27354
Title:	DEPRECATED: ELSA-2014-0513 -- libxml2 security update (moderate)
Description:	[2.7.6-14.0.1.el6_5.1] - Update doc/redhat.gif in tarball - Add libxml2-oracle-enterprise.patch and update logos in tarball [2-2.7.6-14.el6_5.1] - Improve handling of xmlStopParser(CVE-2013-2877) - Do not fetch external parameter entities (CVE-2014-0191)
Family:	unix	Class:	patch
Reference(s):	ELSA-2014-0513 CVE-2013-2877 CVE-2014-0191	Version:	4
Platform(s):	Oracle Linux 6	Product(s):	libxml2
Definition Synopsis:
Oracle Linux 6.x Packages match section libxml2 is earlier than 0:2.7.6-14.0.1.el6_5.1 AND libxml2-devel is earlier than 0:2.7.6-14.0.1.el6_5.1 AND libxml2-python is earlier than 0:2.7.6-14.0.1.el6_5.1 AND libxml2-static is earlier than 0:2.7.6-14.0.1.el6_5.1

CPE : Common Platform Enumeration

Type	Description	Count
Application	Oracle Fusion Middleware cpe:2.3:a:oracle:fusion_middleware:12.1.3.0.0:::::::* cpe:2.3:a:oracle:fusion_middleware:12.1.2.0.0:::::::* cpe:2.3:a:oracle:fusion_middleware:11.1.1.7.0:::::::*	3

Information Assurance Vulnerability Management (IAVM)

Date	Description
2015-08-20	IAVM : 2015-A-0199 - Multiple Vulnerabilities in Apple Mac OS X Severity : Category I - VMSKEY : V0061337
2014-12-11	IAVM : 2014-B-0162 - VMware vCenter Server 5.1 Certificate Validation Vulnerability Severity : Category I - VMSKEY : V0057685
2014-12-11	IAVM : 2014-B-0159 - VMware vCenter Server Appliance 5.1 Cross-site Scripting Vulnerability Severity : Category II - VMSKEY : V0057687
2014-12-11	IAVM : 2014-A-0191 - VMware vCenter Server 5.0 Certificate Validation Vulnerability Severity : Category I - VMSKEY : V0057699
2014-12-11	IAVM : 2014-B-0161 - Multiple Vulnerabilities in VMware ESXi 5.1 Severity : Category I - VMSKEY : V0057717

Nessus® Vulnerability Scanner

Date	Description
2017-05-23	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2017-1366-1.nasl - Type : ACT_GATHER_INFO
2016-04-04	Name : The remote device is affected by multiple vulnerabilities. File : appletv_7_2_1.nasl - Type : ACT_GATHER_INFO
2015-12-30	Name : The remote VMware ESXi host is missing a security-related patch. File : vmware_VMSA-2014-0012_remote.nasl - Type : ACT_GATHER_INFO
2015-12-29	Name : The remote openSUSE host is missing a security update. File : openSUSE-2015-959.nasl - Type : ACT_GATHER_INFO
2015-10-23	Name : The remote web server is affected by multiple vulnerabilities. File : oracle_http_server_cpu_oct_2015.nasl - Type : ACT_GATHER_INFO
2015-08-17	Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_SecUpd2015-006.nasl - Type : ACT_GATHER_INFO
2015-08-17	Name : The remote host is missing a Mac OS X update that fixes multiple security vul... File : macosx_10_10_5.nasl - Type : ACT_GATHER_INFO
2015-04-13	Name : The remote Fedora host is missing a security update. File : fedora_2015-4719.nasl - Type : ACT_GATHER_INFO
2015-04-08	Name : The remote Fedora host is missing a security update. File : fedora_2015-4658.nasl - Type : ACT_GATHER_INFO
2015-04-01	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-0749.nasl - Type : ACT_GATHER_INFO
2015-03-31	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20150330_libxml2_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2015-03-31	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-0749.nasl - Type : ACT_GATHER_INFO
2015-03-30	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-0749.nasl - Type : ACT_GATHER_INFO
2015-03-30	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-111.nasl - Type : ACT_GATHER_INFO
2015-03-26	Name : The remote Debian host is missing a security update. File : debian_DLA-80.nasl - Type : ACT_GATHER_INFO
2015-03-26	Name : The remote Debian host is missing a security update. File : debian_DLA-16.nasl - Type : ACT_GATHER_INFO
2015-03-26	Name : The remote Debian host is missing a security update. File : debian_DLA-151.nasl - Type : ACT_GATHER_INFO
2015-01-27	Name : The remote web server is affected by multiple vulnerabilities. File : oracle_http_server_cpu_jan_2015.nasl - Type : ACT_GATHER_INFO
2015-01-19	Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_libxml2_20140819.nasl - Type : ACT_GATHER_INFO
2015-01-02	Name : The remote Fedora host is missing a security update. File : fedora_2014-17609.nasl - Type : ACT_GATHER_INFO
2015-01-02	Name : The remote Fedora host is missing a security update. File : fedora_2014-17573.nasl - Type : ACT_GATHER_INFO
2014-12-12	Name : The remote VMware ESXi 5.1 host is affected by multiple vulnerabilities. File : vmware_esxi_5_1_build_2323236_remote.nasl - Type : ACT_GATHER_INFO
2014-12-12	Name : The remote host has a virtualization management application installed that is... File : vmware_vcenter_vmsa-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-12-12	Name : The remote host has an update manager installed that is affected by multiple ... File : vmware_vcenter_update_mgr_vmsa-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-12-12	Name : The remote host has a virtualization appliance installed that is affected by ... File : vmware_vcenter_server_appliance_vmsa-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-12-06	Name : The remote VMware ESXi host is missing a security-related patch. File : vmware_VMSA-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-11-26	Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2014-0031.nasl - Type : ACT_GATHER_INFO
2014-11-26	Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2014-0012.nasl - Type : ACT_GATHER_INFO
2014-11-10	Name : The remote AIX host is missing a vendor-supplied security patch. File : aix_U862099.nasl - Type : ACT_GATHER_INFO
2014-11-10	Name : The remote AIX host is missing a vendor-supplied security patch. File : aix_U861276.nasl - Type : ACT_GATHER_INFO
2014-10-12	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-341.nasl - Type : ACT_GATHER_INFO
2014-09-22	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201409-08.nasl - Type : ACT_GATHER_INFO
2014-08-20	Name : The remote AIX host is missing a security patch. File : aix_IV62450.nasl - Type : ACT_GATHER_INFO
2014-08-20	Name : The remote AIX host is missing a security patch. File : aix_IV62449.nasl - Type : ACT_GATHER_INFO
2014-08-20	Name : The remote AIX host is missing a security patch. File : aix_IV62448.nasl - Type : ACT_GATHER_INFO
2014-08-20	Name : The remote AIX host is missing a security patch. File : aix_IV62447.nasl - Type : ACT_GATHER_INFO
2014-07-15	Name : The remote Debian host is missing a security-related update. File : debian_DSA-2978.nasl - Type : ACT_GATHER_INFO
2014-06-18	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2214-3.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-409.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-394.nasl - Type : ACT_GATHER_INFO
2014-06-13	Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-363.nasl - Type : ACT_GATHER_INFO
2014-06-10	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2214-2.nasl - Type : ACT_GATHER_INFO
2014-05-20	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140519_libxml2_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-05-20	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0513.nasl - Type : ACT_GATHER_INFO
2014-05-20	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-0513.nasl - Type : ACT_GATHER_INFO
2014-05-20	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-0513.nasl - Type : ACT_GATHER_INFO
2014-05-16	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2214-1.nasl - Type : ACT_GATHER_INFO
2014-05-13	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_efdd0edcda3d11e39ecb2c4138874f7d.nasl - Type : ACT_GATHER_INFO
2014-05-13	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-086.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
http://rhn.redhat.com/errata/RHSA-2015-0749.html
http://www-01.ibm.com/support/docview.wss?uid=swg21678183
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/bid/67233
http://xmlsoft.org/news.html
https://bugzilla.redhat.com/show_bug.cgi?id=1090976
https://exchange.xforce.ibmcloud.com/vulnerabilities/93092
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e0...
https://support.apple.com/kb/HT205030
https://support.apple.com/kb/HT205031

Source	Url

Alert History

If you want to see full details history, please login or register.

Date	Informations
2024-11-28 12:38:28	Multiple Updates
2021-05-04 12:29:31	Multiple Updates
2021-04-22 01:35:41	Multiple Updates
2020-05-23 00:39:22	Multiple Updates
2017-08-29 09:24:24	Multiple Updates
2017-05-24 13:25:25	Multiple Updates
2017-01-03 09:22:51	Multiple Updates
2016-12-07 09:24:11	Multiple Updates
2016-07-08 21:24:15	Multiple Updates
2016-06-17 09:27:17	Multiple Updates
2016-04-07 09:21:39	Multiple Updates
2016-04-05 13:25:36	Multiple Updates
2015-12-31 13:26:05	Multiple Updates
2015-12-30 13:25:37	Multiple Updates
2015-10-24 13:23:49	Multiple Updates
2015-10-23 09:22:51	Multiple Updates
2015-10-18 17:22:25	Multiple Updates
2015-08-18 13:34:49	Multiple Updates
2015-08-18 09:19:22	Multiple Updates
2015-04-15 09:27:41	Multiple Updates
2015-04-14 13:28:42	Multiple Updates
2015-04-09 13:28:41	Multiple Updates
2015-04-04 13:27:20	Multiple Updates
2015-04-02 13:27:37	Multiple Updates
2015-04-02 09:25:47	Multiple Updates
2015-03-31 13:28:13	Multiple Updates
2015-03-27 13:28:01	Multiple Updates
2015-01-30 09:22:19	Multiple Updates
2015-01-28 13:23:54	Multiple Updates
2015-01-22 21:23:35	Multiple Updates
2015-01-21 17:22:12	First insertion

Global Informations

Type	Count
Oval ID(s)	6
CPE ID(s)	3
Sources(s)	14
IAVM(s)	5
Nessus® Exploit(s)	49

	Related
10	VMSA-2014-0012
5	RHSA-2014:0513
5	MDVSA-2015:111
5	DSA-2978
4.3	USN-2214-1
4.3	RHSA-2015:0749
4.3	MDVSA-2014:086
4.3	GLSA-201409-08
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 8 more Alert(s)

4.3 - CVE-2014-0191

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

OVAL Definitions

CPE : Common Platform Enumeration

Information Assurance Vulnerability Management (IAVM)

Nessus® Vulnerability Scanner

Sources (Detail)

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU