Vulnerability CVE-2016-3627: Information

Description

The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2016-3627

Published: May 17, 2016

Modified: Feb. 10, 2024

Error type identifier: CWE-674

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
libxml2	sisyphus	2.9.3.0.5.6511-alt1	2.12.7-alt1	ALT-PU-2016-1221-1	160389	Fixed
libxml2	p10	2.9.3.0.5.6511-alt1	2.9.12-alt1.p10.1	ALT-PU-2016-1221-1	160389	Fixed
libxml2	p9	2.9.3.0.5.6511-alt1	2.9.10-alt6.p9.1	ALT-PU-2016-1221-1	160389	Fixed
libxml2	p8	2.9.4.0.12.e905-alt1	2.9.4.0.12.e905-alt1	ALT-PU-2017-1252-1	179256	Fixed
libxml2	c10f1	2.9.3.0.5.6511-alt1	2.9.12-alt1.p10.1	ALT-PU-2016-1221-1	160389	Fixed
libxml2	c9f2	2.9.3.0.5.6511-alt1	2.9.12-alt1.c9f2.1	ALT-PU-2016-1221-1	160389	Fixed
libxml2	p11	2.9.3.0.5.6511-alt1	2.12.7-alt1	ALT-PU-2016-1221-1	160389	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
[oss-security] 20160321 Re: CVE request: Stack exhaustion in libxml2 parsing xml files in recover mode	Mailing List
openSUSE-SU-2016:1298	Mailing List
20160503 CVE-2016-3627 CVE-2016-3705: libxml2: stack overflow in xml validator (parser)	Mailing List Patch Third Party Advisory
[oss-security] 20160321 CVE request: Stack exhaustion in libxml2 parsing xml files in recover mode	Mailing List Patch
DSA-3593	Mailing List
USN-2994-1	Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05157239	Third Party Advisory
RHSA-2016:1292	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html	Patch Third Party Advisory
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html	Patch Third Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html	Patch Third Party Advisory
84992	Broken Link Third Party Advisory VDB Entry
openSUSE-SU-2016:1446	Mailing List
https://kc.mcafee.com/corporate/index?page=content&id=SB10170	Broken Link
https://www.tenable.com/security/tns-2016-18	Third Party Advisory
GLSA-201701-37	Third Party Advisory
1035335	Broken Link Third Party Advisory VDB Entry
RHSA-2016:2957	Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*
  
  Configuration 2
  cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:a:hp:icewall_file_manager:3.0:*:*:*:*:*:*:*
  cpe:2.3:a:hp:icewall_federation_agent:3.0:*:*:*:*:*:*:*
  
  Configuration 4
  cpe:2.3:a:xmlsoft:libxml2:*:*:*:*:*:*:*:*
  End including
  2.9.3
  
  Configuration 5
  cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:15.10:*:*:*:*:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
  
  Configuration 6
  cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.3:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
  cpe:2.3:a:redhat:jboss_core_services:-:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:7.7:*:*:*:*:*:*:*
  
  Configuration 7
  cpe:2.3:o:oracle:solaris:11.3:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:vm_server:3.4:*:*:*:*:*:x86:*
  cpe:2.3:a:oracle:vm_server:3.3:*:*:*:*:*:x86:*

Version: v24.5.3

Vulnerability CVE-2016-3627: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Configuration 6

Configuration 7