Vulnerability CVE-2015-8978

Vulnerability Name:

CVE-2015-8978 (CCN-120139)

Assigned:

2016-11-22

Published:

2016-11-22

Updated:

2016-11-28

Summary:

In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, an example attack consists of defining 10 or more XML entities, each defined as consisting of 10 of the previous entity, with the document consisting of a single instance of the largest entity, which expands to one billion copies of the first entity. The amount of computer memory used for handling an external SOAP call would likely exceed that available to the process parsing the XML.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Type:

CWE-399

Vulnerability Consequences:

Denial of Service

References:

Source: CCN
Type: Perl Web site
Revision history for Perl extension SOAP::Lite

Source: CONFIRM
Type: Vendor Advisory
http://cpansearch.perl.org/src/PHRED/SOAP-Lite-1.20/Changes

Source: MITRE
Type: CNA
CVE-2015-8978

Source: BID
Type: UNKNOWN
94487

Source: CCN
Type: BID-94487
Perl Soap Lite Extension CVE-2015-8978 Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
perl-soaplite-cve20158978-dos(120139)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-8978

Vulnerable Configuration:

Configuration 1:

cpe:/a:soap::lite_project:soap::lite:*:*:*:*:*:perl:*:* (Version <= 1.14)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20158978	V	CVE-2015-8978	2021-11-24
oval:org.opensuse.security:def:27559	P	rubygem-i18n-0_6 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26956	P	libmysqlclient15-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28294	P	Recommended update for ncurses (Important)	2020-12-01
oval:org.opensuse.security:def:27306	P	tar on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26880	P	cyrus-imapd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27598	P	Security update for PHP5	2020-12-01
oval:org.opensuse.security:def:27084	P	apache2-mod_php53 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:28329	P	Security update for perl-SOAP-Lite (Moderate)	2020-12-01
oval:org.opensuse.security:def:27457	P	liblcms-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26881	P	dbus-1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27612	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:27165	P	krb5-plugin-kdb-ldap on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27510	P	lighttpd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:26892	P	expat on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:27656	P	Security update for python-httplib2	2020-12-01
oval:org.opensuse.security:def:27222	P	libtiff3 on GA media (Moderate)	2020-12-01
oval:org.cisecurity:def:1622	P	DLA-723-1 -- libsoap-lite-perl security update	2017-01-13
oval:com.ubuntu.artful:def:20158978000	V	CVE-2015-8978 on Ubuntu 17.10 (artful) - low.	2016-11-22
oval:com.ubuntu.trusty:def:20158978000	V	CVE-2015-8978 on Ubuntu 14.04 LTS (trusty) - low.	2016-11-22
oval:com.ubuntu.cosmic:def:201589780000000	V	CVE-2015-8978 on Ubuntu 18.10 (cosmic) - low.	2016-11-22
oval:com.ubuntu.bionic:def:20158978000	V	CVE-2015-8978 on Ubuntu 18.04 LTS (bionic) - low.	2016-11-22
oval:com.ubuntu.xenial:def:20158978000	V	CVE-2015-8978 on Ubuntu 16.04 LTS (xenial) - low.	2016-11-22
oval:com.ubuntu.bionic:def:201589780000000	V	CVE-2015-8978 on Ubuntu 18.04 LTS (bionic) - low.	2016-11-22
oval:com.ubuntu.cosmic:def:20158978000	V	CVE-2015-8978 on Ubuntu 18.10 (cosmic) - low.	2016-11-22
oval:com.ubuntu.xenial:def:201589780000000	V	CVE-2015-8978 on Ubuntu 16.04 LTS (xenial) - low.	2016-11-22
oval:com.ubuntu.precise:def:20158978000	V	CVE-2015-8978 on Ubuntu 12.04 LTS (precise) - low.	2016-11-22

BACK