CVE-2016-3705

Published on: 05/17/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:02 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Certain versions of Ubuntu Linux from Canonical contain the following vulnerability:

The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.

  • CVE-2016-3705 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.

CVSS3 Score: 7.5 - HIGH

Attack
Vector
Attack
Complexity
Privileges
Required
User
Interaction
NETWORK LOW NONE NONE
Scope Confidentiality
Impact
Integrity
Impact
Availability
Impact
UNCHANGED NONE NONE HIGH

CVSS2 Score: 5 - MEDIUM

Access
Vector
Access
Complexity
Authentication
NETWORK LOW NONE
Confidentiality
Impact
Integrity
Impact
Availability
Impact
NONE NONE PARTIAL

CVE References

Description Tags Link
USN-2994-1: libxml2 vulnerabilities | Ubuntu www.ubuntu.com
text/html
URL Logo UBUNTU USN-2994-1
Document Display | HPE Support Center h20566.www2.hpe.com
text/html
URL Logo CONFIRM h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157239
Debian -- Security Information -- DSA-3593-1 libxml2 www.debian.org
Depreciated Link
text/html
URL Logo DEBIAN DSA-3593
Oracle Linux Bulletin - July 2016 web.archive.org
text/html
Inactive LinkNot Archived
URL Logo CONFIRM www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
Full Disclosure: CVE-2016-3627 CVE-2016-3705: libxml2: stack overflow in xml validator (parser) seclists.org
text/html
URL Logo FULLDISC 20160503 CVE-2016-3627 CVE-2016-3705: libxml2: stack overflow in xml validator (parser)
[R7] LCE 4.8.1 Fixes Multiple Vulnerabilities - Security Advisory | Tenable™ www.tenable.com
text/html
URL Logo CONFIRM www.tenable.com/security/tns-2016-18
McAfee Security Bulletin: McAfee Web Gateway update fixes several vulnerabilities related to xml parsing kc.mcafee.com
text/html
URL Logo CONFIRM kc.mcafee.com/corporate/index?page=content&id=SB10170
Red Hat Customer Portal access.redhat.com
text/html
URL Logo REDHAT RHSA-2016:1292
Oracle VM Server for x86 Bulletin - July 2016 web.archive.org
text/html
Inactive LinkNot Archived
URL Logo CONFIRM www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
openSUSE-SU-2016:1298-1: moderate: Security update for libxml2 lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:1298
libxml2: Multiple vulnerabilities (GLSA 201701-37) — Gentoo security security.gentoo.org
text/html
URL Logo GENTOO GLSA-201701-37
Bug 765207 – Stack exhaustion parsing xml in parser bugzilla.gnome.org
text/html
URL Logo CONFIRM bugzilla.gnome.org/show_bug.cgi?id=765207
libxml2 CVE-2016-3705 Stack Buffer Overflow Vulnerability cve.report (archive)
text/html
URL Logo BID 89854
openSUSE-SU-2016:1446-1: moderate: Security update for libxml2 lists.opensuse.org
text/html
URL Logo SUSE openSUSE-SU-2016:1446
Red Hat Customer Portal web.archive.org
text/html
Inactive LinkNot Archived
URL Logo REDHAT RHSA-2016:2957
Oracle Solaris Bulletin - July 2016 www.oracle.com
text/html
URL Logo CONFIRM www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

Known Affected Configurations (CPE V2.3)

Type Vendor Product Version Update Edition Language
Operating
System
CanonicalUbuntu Linux12.04AllAllAll
Operating
System
CanonicalUbuntu Linux14.04AllAllAll
Operating
System
CanonicalUbuntu Linux15.10AllAllAll
Operating
System
CanonicalUbuntu Linux16.04AllAllAll
Operating
System
CanonicalUbuntu Linux12.04AllAllAll
Operating
System
CanonicalUbuntu Linux14.04AllAllAll
Operating
System
CanonicalUbuntu Linux15.10AllAllAll
Operating
System
CanonicalUbuntu Linux16.04AllAllAll
Operating
System
DebianDebian Linux8.0AllAllAll
Operating
System
DebianDebian Linux8.0AllAllAll
ApplicationHpIcewall Federation Agent3.0AllAllAll
ApplicationHpIcewall Federation Agent3.0AllAllAll
ApplicationHpIcewall File Manager3.0AllAllAll
ApplicationHpIcewall File Manager3.0AllAllAll
Operating
System
OpensuseLeap42.1AllAllAll
Operating
System
OpensuseLeap42.1AllAllAll
ApplicationXmlsoftLibxml22.9.3AllAllAll
ApplicationXmlsoftLibxml22.9.3AllAllAll
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*:
  • cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*:
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:hp:icewall_federation_agent:3.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:hp:icewall_federation_agent:3.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:hp:icewall_file_manager:3.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:hp:icewall_file_manager:3.0:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*:
  • cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:xmlsoft:libxml2:2.9.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:xmlsoft:libxml2:2.9.3:*:*:*:*:*:*:*: