Vulnerability Name: CVE-2017-16932 (CCN-135489)

Assigned: 2017-11-23
Published: 2017-11-23
Updated: 2022-04-08
Summary: parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-835
Vulnerability Consequences: Denial of Service
References:

Source: MITRE
Type: CNA
CVE-2017-16932

Source: CCN
Type: IBM Security Bulletin 0713477 (PureFlex System & Flex System)
IBM Flex System switch firmware products are affected by vulnerabilities in libxml2

Source: CCN
Type: IBM Security Bulletin 0715799 (Other xSeries)
IBM RackSwitch firmware products are affected by vulnerabilities in libxml2

Source: CCN
Type: IBM Security Bulletin 0715837 (System x Blades)
IBM BladeCenter Virtual Fabric 10Gb Switch Module is affected by vulnerabilities in libxml2

Source: CCN
Type: IBM Security Bulletin 0719049 (System x Blades)
IBM BladeCenter Advanced Management Module (AMM) is affected by vulnerabilities in libxml2

Source: CCN
Type: IBM Security Bulletin T1027357 (Flex System Manager Node)
A vulnerability in libxml2 affects IBM Flex System Manager (FSM) (CVE-2017-16932)

Source: CCN
Type: IBM Security Bulletin 2007952 (Cognos Business Intelligence)
IBM Cognos Business Intelligence Server 2017Q4 Security Updater: IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 2011764 (Cognos Business Intelligence)
Multiple vulnerabilities in Libxml2 affect IBM Cognos Metrics Manager.

Source: CCN
Type: IBM Security Bulletin 2011831 (Connections Docs)
IBM Connections Docs is affected by libxml2 vulnerability (CVE-2017-16932 CVE-2017-16931)

Source: CCN
Type: IBM Security Bulletin 2013398 (PureData System for Analytics)
Multiple vulnerabilities in XMLsoft Libxml2 and OpenSSL affect IBM Netezza Analytics

Source: CCN
Type: IBM Security Bulletin 2013890 (Lotus Protector for Mail Security)
IBM Protector is affected by Open Source XMLsoft Libxml2 Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 2014337 (Cognos Analytics)
Multiple Vulnerabilities in libxml2 affects IBM Cognos Analytics

Source: CCN
Type: IBM Security Bulletin 2015944 (InfoSphere Identity Insight)
Multiple vulnerabilities in Libxml2 affect IBM InfoSphere Identity Insight.

Source: CONFIRM
Type: Release Notes, Vendor Advisory
http://xmlsoft.org/news.html

Source: CONFIRM
Type: UNKNOWN
https://blog.clamav.net/2018/07/clamav-01001-has-been-released.html

Source: CONFIRM
Type: Permissions Required
https://bugzilla.gnome.org/show_bug.cgi?id=759579

Source: XF
Type: UNKNOWN
libxml2-cve201716932-dos(135489)

Source: CCN
Type: libxml2 GIT Repository
Detect infinite recursion in parameter entities

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/GNOME/libxml2/commit/899a5d9f0ed13b8e32449a08a361e0de127dd961

Source: MLIST
Type: UNKNOWN
[bookkeeper-issues] 20210629 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8

Source: MLIST
Type: UNKNOWN
[bookkeeper-issues] 20210628 [GitHub] [bookkeeper] padma81 opened a new issue #2746: Security Vulnerabilities in CentOS 7 image, Upgrade image to CentOS 8

Source: MLIST
Type: UNKNOWN
[debian-lts-announce] 20171130 [SECURITY] [DLA 1194-1] libxml2 security update

Source: MLIST
Type: UNKNOWN
[debian-lts-announce] 20220408 [SECURITY] [DLA 2972-1] libxml2 security update

Source: UBUNTU
Type: UNKNOWN
USN-3739-1

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-16932

Vulnerable Configuration: Configuration 1:
  • cpe:/a:xmlsoft:libxml2:*:*:*:*:*:*:*:* (Version <= 2.9.4)

Configuration CCN 1:
  • cpe:/a:xmlsoft:libxml2:2.9.4:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:cognos_business_intelligence:10.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.2.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_protector:2.8.1:*:*:*:mail_security:*:*:*
  • OR cpe:/a:ibm:puredata_system:1.0.0:*:*:*:analytics:*:*:*
  • OR cpe:/a:ibm:cognos_business_intelligence:10.2.2:*:*:*:*:*:*:*
  • OR cpe:/h:ibm:flex_system_manager_node:*:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:connections_docs:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:lotus_protector:2.8.3:*:*:*:mail_security:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_identity_insight:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:201716932 | V | CVE-2017-16932 | 2022-09-02
    oval:org.opensuse.security:def:126884 | P | Security update for libxml2 (Important) | 2022-05-24
    oval:org.opensuse.security:def:5258 | P | Security update for libxml2 (Important) | 2022-05-24
    oval:org.opensuse.security:def:127281 | P | Security update for libxml2 (Important) | 2022-05-24
    oval:org.opensuse.security:def:6052 | P | Security update for libxml2 (Important) | 2022-05-24
    oval:org.opensuse.security:def:125719 | P | Security update for libxml2 (Important) | 2022-05-24
    oval:org.opensuse.security:def:35294 | P | Security update for the Linux Kernel (Important) | 2022-01-13
    oval:org.opensuse.security:def:35282 | P | Security update for gegl (Important) | 2021-12-28
    oval:org.opensuse.security:def:34616 | P | Security update for xorg-x11-server (Important) | 2021-12-20
    oval:org.opensuse.security:def:34002 | P | Security update for java-1_8_0-openjdk (Important) | 2021-11-23
    oval:org.opensuse.security:def:31298 | P | Security update for pcre (Moderate) | 2021-11-10
    oval:org.opensuse.security:def:34572 | P | Security update for python36 (Moderate) | 2021-10-20
    oval:org.opensuse.security:def:33024 | P | Security update for util-linux (Moderate) | 2021-10-19
    oval:org.opensuse.security:def:34547 | P | Security update for the Linux Kernel (Important) | 2021-09-23
    oval:org.opensuse.security:def:30122 | P | Security update for libesmtp (Important) | 2021-09-02
    oval:org.opensuse.security:def:31242 | P | Security update for djvulibre (Important) | 2021-08-05
    oval:org.opensuse.security:def:32127 | P | Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP3) (Important) | 2021-06-18
    oval:org.opensuse.security:def:31205 | P | Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important) | 2021-06-18
    oval:org.opensuse.security:def:35254 | P | Security update for caribou (Important) | 2021-06-10
    oval:org.opensuse.security:def:32937 | P | Security update for MozillaFirefox (Important) | 2021-06-08
    oval:org.opensuse.security:def:36179 | P | libcap-progs-2.11-2.17.1 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:34459 | P | Security update for spice (Important) | 2021-06-08
    oval:org.opensuse.security:def:36138 | P | gnome-screensaver-2.28.3-0.39.17 on GA media (Moderate) | 2021-06-08
    oval:org.opensuse.security:def:30208 | P | Security update for spice (Important) | 2021-06-08
    oval:org.opensuse.security:def:32089 | P | Security update for samba (Important) | 2021-05-04
    oval:org.opensuse.security:def:30065 | P | Security update for MozillaFirefox (Important) | 2021-04-27
    oval:org.opensuse.security:def:34401 | P | Security update for wpa_supplicant (Moderate) | 2021-04-09
    oval:org.opensuse.security:def:33783 | P | Security update for python (Moderate) | 2021-03-16
    oval:org.opensuse.security:def:34657 | P | Security update for glib2 (Important) | 2021-03-16
    oval:org.opensuse.security:def:34646 | P | Security update for freeradius-server (Low) | 2021-03-04
    oval:org.opensuse.security:def:34645 | P | Security update for openldap2 (Important) | 2021-03-03
    oval:org.opensuse.security:def:33772 | P | Security update for open-iscsi (Important) | 2021-03-01
    oval:org.opensuse.security:def:34030 | P | Security update for open-iscsi (Important) | 2021-03-01
    oval:org.opensuse.security:def:33771 | P | Security update for java-1_8_0-ibm (Important) | 2021-02-26
    oval:org.opensuse.security:def:31347 | P | Security update for java-1_8_0-ibm (Important) | 2021-02-26
    oval:org.opensuse.security:def:30017 | P | Security update for the Linux Kernel (Live Patch 36 for SLE 12 SP2) (Important) | 2021-02-10
    oval:org.opensuse.security:def:34508 | P | Security update for openvswitch (Important) | 2021-02-02
    oval:org.opensuse.security:def:31087 | P | Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP3) (Important) | 2020-12-07
    oval:org.opensuse.security:def:29299 | P | Security update for gdm (Important) | 2020-12-03
    oval:org.opensuse.security:def:26813 | P | pyxml on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:29282 | P | Security update for xorg-x11-libX11 (Important) | 2020-12-01
    oval:org.opensuse.security:def:26802 | P | pcsc-lite on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:32880 | P | gzip on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:29243 | P | Security update for samba (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:26801 | P | pcsc-ccid on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:32786 | P | squid3 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:29194 | P | Security update for openldap2 (Important) | 2020-12-01
    oval:org.opensuse.security:def:32651 | P | dhcpcd on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:29140 | P | Security update for the Linux Kernel (Important) | 2020-12-01
    oval:org.opensuse.security:def:32573 | P | libxml2 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28988 | P | Security update for xen (Important) | 2020-12-01
    oval:org.opensuse.security:def:32562 | P | libpoppler-glib4 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28904 | P | Security update for flash-player (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:32561 | P | libpng12-0 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28847 | P | Security update for wpa_supplicant | 2020-12-01
    oval:org.opensuse.security:def:28762 | P | Security update for libqt4 | 2020-12-01
    oval:org.opensuse.security:def:30567 | P | Security update for libvirt | 2020-12-01
    oval:org.opensuse.security:def:28631 | P | Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (Important) | 2020-12-01
    oval:org.opensuse.security:def:34244 | P | Security update for PostgreSQL | 2020-12-01
    oval:org.opensuse.security:def:30523 | P | Security update for icu | 2020-12-01
    oval:org.opensuse.security:def:28563 | P | Security update for inkscape | 2020-12-01
    oval:org.opensuse.security:def:34155 | P | Security update for openssh (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:30504 | P | Security update for MozillaFirefox | 2020-12-01
    oval:org.opensuse.security:def:28552 | P | Security update for MozillaFirefox | 2020-12-01
    oval:org.opensuse.security:def:34098 | P | Security update to ucode-intel (Important) | 2020-12-01
    oval:org.opensuse.security:def:30465 | P | Security update for Mozilla Firefox | 2020-12-01
    oval:org.opensuse.security:def:28551 | P | Security update for Mozilla Firefox | 2020-12-01
    oval:org.opensuse.security:def:30416 | P | Security update for xorg-x11-libXext | 2020-12-01
    oval:org.opensuse.security:def:35500 | P | Security update for postgresql-init (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:33866 | P | Security update for jasper (Important) | 2020-12-01
    oval:org.opensuse.security:def:30361 | P | Security update for wget (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:35456 | P | Security update for perl-DBI (Important) | 2020-12-01
    oval:org.opensuse.security:def:35429 | P | Security update for openssl1 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:35390 | P | Security update for openldap2 | 2020-12-01
    oval:org.opensuse.security:def:34069 | P | Security update for libxml2 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:35341 | P | Security update for mutt (Important) | 2020-12-01
    oval:org.opensuse.security:def:29978 | P | Security update for libsndfile (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:31451 | P | Security update for postgresql10 (Important) | 2020-12-01
    oval:org.opensuse.security:def:29846 | P | Security update for Linux kernel | 2020-12-01
    oval:org.opensuse.security:def:35123 | P | Security update for the Linux Kernel (Important) | 2020-12-01
    oval:org.opensuse.security:def:31407 | P | Security update for perl-XML-LibXML (Important) | 2020-12-01
    oval:org.opensuse.security:def:29773 | P | Security update for glibc (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:35033 | P | Security update for icu (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:31386 | P | Security update for openvpn-openssl1 (Important) | 2020-12-01
    oval:org.opensuse.security:def:29762 | P | Security update for giflib (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:34976 | P | Security update for gdb (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:28250 | P | Security update for libxml2 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:29761 | P | Security update for giflib (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:34877 | P | Security update for curl | 2020-12-01
    oval:org.opensuse.security:def:28215 | P | Security update for libpng12-0 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:34741 | P | Security update for LibVNCServer (Important) | 2020-12-01
    oval:org.opensuse.security:def:27577 | P | vte-devel on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27533 | P | perl-DBD-Pg on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:31000 | P | Security update for java-1_6_0-ibm (Important) | 2020-12-01
    oval:org.opensuse.security:def:27519 | P | nagios on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:30943 | P | Security update for glibc (Important) | 2020-12-01
    oval:org.opensuse.security:def:27480 | P | libreoffice-testtool on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:30853 | P | Security update for djvulibre (Low) | 2020-12-01
    oval:org.opensuse.security:def:27431 | P | libapr-util1 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:33392 | P | Security update for spacewalk | 2020-12-01
    oval:org.opensuse.security:def:30721 | P | Security update for MozillaFirefox (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27378 | P | build on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:33348 | P | Security update for openssh-openssl1 (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:30647 | P | Security update for xorg-x11-libxcb | 2020-12-01
    oval:org.opensuse.security:def:27227 | P | libwsman1 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:33325 | P | Security update for curl (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:30636 | P | Security update for xinetd | 2020-12-01
    oval:org.opensuse.security:def:27143 | P | guestfs-data on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:33286 | P | wpa_supplicant on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:30635 | P | Security update for xen (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27086 | P | ark on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:33237 | P | ppp on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:29981 | P | Security update for libsndfile (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:27005 | P | pam_krb5 on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:33180 | P | libsndfile on GA media (Moderate) | 2020-12-01
    oval:org.opensuse.security:def:29343 | P | Security update for cobbler (Important) | 2020-12-01
    oval:org.opensuse.security:def:26877 | P | cups on GA media (Moderate) | 2020-12-01
    oval:com.ubuntu.artful:def:201716932000 | V | CVE-2017-16932 on Ubuntu 17.10 (artful) - low. | 2017-11-23
    oval:com.ubuntu.bionic:def:201716932000 | V | CVE-2017-16932 on Ubuntu 18.04 LTS (bionic) - low. | 2017-11-23
    oval:com.ubuntu.bionic:def:2017169320000000 | V | CVE-2017-16932 on Ubuntu 18.04 LTS (bionic) - low. | 2017-11-23
    oval:com.ubuntu.trusty:def:201716932000 | V | CVE-2017-16932 on Ubuntu 14.04 LTS (trusty) - low. | 2017-11-23
    oval:com.ubuntu.xenial:def:2017169320000000 | V | CVE-2017-16932 on Ubuntu 16.04 LTS (xenial) - low. | 2017-11-23
    oval:com.ubuntu.xenial:def:201716932000 | V | CVE-2017-16932 on Ubuntu 16.04 LTS (xenial) - low. | 2017-11-23
    xmlsoft libxml2 *
    xmlsoft libxml2 2.9.4
    ibm cognos business intelligence 10.2
    ibm cognos business intelligence 10.2.1
    ibm cognos business intelligence 10.2.1.1
    ibm lotus protector 2.8.1
    ibm puredata system 1.0.0
    ibm cognos business intelligence 10.2.2
    ibm flex system manager node *
    ibm connections docs 2.0
    ibm lotus protector 2.8.3
    ibm cognos analytics 11.0
    ibm infosphere identity insight 9.0
    ibm cloud pak for security 1.7.2.0