Vulnerability Name:

CVE-2016-3674 (CCN-111806)

Assigned:2016-03-25
Published:2016-03-25
Updated:2018-03-26
Summary:Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2016-3674

Source: FEDORA
Type: Third Party Advisory
FEDORA-2016-de909cc333

Source: FEDORA
Type: Third Party Advisory
FEDORA-2016-250042b8a6

Source: CCN
Type: RHSA-2016-2822
Moderate: Red Hat JBoss BPM Suite security update

Source: REDHAT
Type: Broken Link
RHSA-2016:2822

Source: CCN
Type: RHSA-2016-2823
Moderate: Red Hat JBoss BRMS security update

Source: REDHAT
Type: Broken Link
RHSA-2016:2823

Source: CCN
Type: oss-sec Mailing List, Fri, 25 Mar 2016 16:04:38 +0100
CVE request - XStream: XXE vulnerability

Source: CCN
Type: oss-sec Mailing List, Mon, 28 Mar 2016 13:12:44 -0400 (EDT)
Re: CVE request - XStream: XXE vulnerability

Source: DEBIAN
Type: Third Party Advisory
DSA-3575

Source: CCN
Type: IBM Security Bulletin 967469 (Security Privileged Identity Manager)
IBM Security Privileged Identity Manager is affected by multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 1985960 (Domino)
IBM Domino is affected by an XStream XML information disclosure (CVE-2016-3674)

Source: CCN
Type: IBM Security Bulletin 1992217 (Tivoli Netcool Configuration Manager)
IBM Tivoli Netcool Configuration Manager (ITNCM) is affected by a vulnerability discovered in XSTREAM (CVE-2016-3674)

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20160325 CVE request - XStream: XXE vulnerability

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20160328 Re: CVE request - XStream: XXE vulnerability

Source: CCN
Type: Oracle CPUApr2017
Oracle Critical Patch Update Advisory - April 2017

Source: BID
Type: Third Party Advisory, VDB Entry
85381

Source: CCN
Type: BID-85381
XStream CVE-2016-3674 XML External Entity Multiple Information Disclosure Vulnerabilities

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1036419

Source: CCN
Type: Xstream GIT Repository
XStream - Change History

Source: CONFIRM
Type: Vendor Advisory
http://x-stream.github.io/changes.html#1.4.9

Source: XF
Type: UNKNOWN
xstream-cve20163674-info-disc(111806)

Source: CONFIRM
Type: Vendor Advisory
https://github.com/x-stream/xstream/issues/25

Source: CCN
Type: IBM Security Bulletin 0872142 (Security Identity Governance and Intelligence)
IBM has announced a release for IBM Security Identity Governance and Intelligence in response to multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 3106029 (StoredIQ)
Multiple Vulnerabilities identified in IBM StoredIQ

Source: CCN
Type: IBM Security Bulletin 6403331 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2016-3674

Vulnerable Configuration:Configuration 1:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:22:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:23:*:*:*:*:*:*:*

  • Configuration 2:
  • cpe:/a:xstream_project:xstream:*:*:*:*:*:*:*:* (Version <= 1.4.8)

  • Configuration CCN 1:
  • cpe:/a:xstream_project:xstream:1.4.9:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:domino:8.5.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:9.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:8.5.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:8.5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:8.5.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:8.5.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:8.5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:domino:9.0.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool_configuration_manager:6.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:2.2.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.3.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.3.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:utilities_framework:4.3.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:storediq:7.6.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_privileged_identity_manager:2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8073
    P
    xstream-1.4.20-150200.3.25.1 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:3432
    P
    apache2-mod_jk-1.2.40-7.3.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:95062
    P
    xstream-1.4.19-3.18.2 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:113607
    P
    xstream-1.4.18-1.1 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:106990
    P
    xstream-1.4.18-1.1 on GA media (Moderate)
    2021-10-01
    oval:org.cisecurity:def:589
    P
    DSA-3575-1 -- libxstream-java -- security update
    2016-07-01
    oval:com.ubuntu.cosmic:def:201636740000000
    V
    CVE-2016-3674 on Ubuntu 18.10 (cosmic) - medium.
    2016-05-17
    oval:com.ubuntu.artful:def:20163674000
    V
    CVE-2016-3674 on Ubuntu 17.10 (artful) - medium.
    2016-05-17
    oval:com.ubuntu.trusty:def:20163674000
    V
    CVE-2016-3674 on Ubuntu 14.04 LTS (trusty) - medium.
    2016-05-17
    oval:com.ubuntu.bionic:def:201636740000000
    V
    CVE-2016-3674 on Ubuntu 18.04 LTS (bionic) - medium.
    2016-05-17
    oval:com.ubuntu.bionic:def:20163674000
    V
    CVE-2016-3674 on Ubuntu 18.04 LTS (bionic) - medium.
    2016-05-17
    oval:com.ubuntu.xenial:def:20163674000
    V
    CVE-2016-3674 on Ubuntu 16.04 LTS (xenial) - medium.
    2016-05-17
    oval:com.ubuntu.xenial:def:201636740000000
    V
    CVE-2016-3674 on Ubuntu 16.04 LTS (xenial) - medium.
    2016-05-17
    oval:com.ubuntu.cosmic:def:20163674000
    V
    CVE-2016-3674 on Ubuntu 18.10 (cosmic) - medium.
    2016-05-17
    oval:com.ubuntu.disco:def:201636740000000
    V
    CVE-2016-3674 on Ubuntu 19.04 (disco) - medium.
    2016-05-17
    oval:com.ubuntu.precise:def:20163674000
    V
    CVE-2016-3674 on Ubuntu 12.04 LTS (precise) - medium.
    2016-05-17
    BACK
    debian debian linux 8.0
    fedoraproject fedora 22
    fedoraproject fedora 23
    xstream_project xstream *
    xstream_project xstream 1.4.9
    ibm domino 8.5.3.6
    ibm domino 9.0.1
    ibm domino 8.5
    ibm domino 9.0
    ibm domino 8.5.1
    ibm domino 8.5.2
    ibm domino 8.5.3
    ibm tivoli netcool configuration manager 6.4.1
    ibm domino 8.5.1.5
    ibm domino 8.5.2.4
    ibm security identity governance and intelligence 5.2
    ibm security identity governance and intelligence 5.2.1
    ibm domino 9.0.1.6
    ibm tivoli netcool configuration manager 6.4.2
    oracle utilities framework 2.2.0.0.0
    oracle utilities framework 4.2.0.2.0
    oracle utilities framework 4.2.0.3.0
    oracle utilities framework 4.3.0.1.0
    oracle utilities framework 4.3.0.2.0
    oracle utilities framework 4.3.0.3.0
    ibm security identity governance and intelligence 5.2.2
    ibm security identity governance and intelligence 5.2.2.1
    ibm security identity governance and intelligence 5.2.3
    ibm security identity governance and intelligence 5.2.3.1
    ibm security identity governance and intelligence 5.2.3.2
    ibm security identity governance and intelligence 5.2.4
    ibm storediq 7.6.0
    ibm security identity governance and intelligence 5.2.4.1
    ibm security privileged identity manager 2.1.1
    ibm security guardium data encryption 3.0.0.2