CVE-2016-3627 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2016-3627?

CVE-2016-3627 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-3627?

Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Leap, Debian Debian Linux, Hp Icewall Federation Agent, Hp Icewall File Manager, Xmlsoft Libxml2.

Vulnerability Description

The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Opensuse	Leap	42.1
Debian	Debian Linux	8.0
Hp	Icewall Federation Agent	3.0
Hp	Icewall File Manager	3.0
Xmlsoft	Libxml2	<= 2.9.3
Canonical	Ubuntu Linux	12.04
Redhat	Jboss Core Services	-
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Eus	7.2
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	7.2
Redhat	Enterprise Linux Workstation	6.0
Oracle	Vm Server	3.3
Oracle	Solaris	11.3

Related Weaknesses (CWE)

CWE-674

References

http://lists.opensuse.org/opensuse-updates/2016-05/msg00055.htmlMailing List
http://lists.opensuse.org/opensuse-updates/2016-05/msg00127.htmlMailing List
http://rhn.redhat.com/errata/RHSA-2016-2957.htmlThird Party Advisory
http://seclists.org/fulldisclosure/2016/May/10Mailing ListPatchThird Party Advisory
http://www.openwall.com/lists/oss-security/2016/03/21/2Mailing ListPatch
http://www.openwall.com/lists/oss-security/2016/03/21/3Mailing List
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.htmlPatchThird Party Advisory
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.hPatchThird Party Advisory
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.htmPatchThird Party Advisory
http://www.securityfocus.com/bid/84992Broken LinkThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1035335Broken LinkThird Party AdvisoryVDB Entry
http://www.ubuntu.com/usn/USN-2994-1Third Party Advisory
https://access.redhat.com/errata/RHSA-2016:1292Third Party Advisory
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-cThird Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10170Broken Link

FAQ

What is CVE-2016-3627?

CVE-2016-3627 is a vulnerability with a CVSS score of 7.5 (HIGH). The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consump...

How severe is CVE-2016-3627?

CVE-2016-3627 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-3627?

Check the references section above for vendor advisories and patch information. Affected products include: Opensuse Leap, Debian Debian Linux, Hp Icewall Federation Agent, Hp Icewall File Manager, Xmlsoft Libxml2.