Vulnerability Name: CVE-2021-3541 (CCN-204818)

Assigned: 2021-05-13
Published: 2021-05-13
Updated: 2022-03-01
Summary: A flaw was found in libxml2. An exponential entity expansion attack can bypass all existing protection mechanisms and lead to a denial of service.
CVSS v3 Severity:
  6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
  5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): Low
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): High

  6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
  5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): Low
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): High

  6.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
  5.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
  Exploitability Metrics:
    Attack Vector (AV): Network
    Attack Complexity (AC): Low
    Privileges Required (PR): Low
    User Interaction (UI): None
  Scope:
    Scope (S): Unchanged
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): High

CVSS v2 Severity:
  4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): Single_Instance
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): Partial

  6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C)
  Exploitability Metrics:
    Access Vector (AV): Network
    Access Complexity (AC): Low
    Authentication (Au): Single_Instance
  Impact Metrics:
    Confidentiality (C): None
    Integrity (I): None
    Availability (A): Complete

Vulnerability Type: CWE-776, CWE-400
Vulnerability Consequences: Denial of Service
References:
  Source: MITRE
  Type: CNA
  CVE-2021-3541

  Source: CCN
  Type: Red Hat Bugzilla - Bug 1950515
  (CVE-2021-3541) - CVE-2021-3541 libxml2: Exponential entity expansion attack bypasses all existing protection mechanisms

  Source: MISC
  Type: Issue Tracking, Patch, Third Party Advisory
  https://bugzilla.redhat.com/show_bug.cgi?id=1950515

  Source: XF
  Type: UNKNOWN
  gnome-libxml2-cve20213541-dos(204818)

  Source: CCN
  Type: GNOME GIT Repository
  Patch for security issue CVE-2021-3541

  Source: CONFIRM
  Type: Third Party Advisory
  https://security.netapp.com/advisory/ntap-20210805-0007/

  Source: CCN
  Type: IBM Security Bulletin 6493729 (Cloud Pak for Security)
  Cloud Pak for Security is vulnerable to several CVEs

  Source: CCN
  Type: IBM Security Bulletin 6520474 (QRadar SIEM)
  IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities

  Source: CCN
  Type: IBM Security Bulletin 6538418 (Security Verify Access)
  Multiple Security Vulnerabilities fixed in IBM Security Verify Access

  Source: MISC
  Type: Patch, Third Party Advisory
  https://www.oracle.com/security-alerts/cpujan2022.html

Vulnerable Configuration:
  Configuration 1:
    • cpe:/a:xmlsoft:libxml2:*:*:*:*:*:*:*:* (Version < 2.9.11)

  Configuration 2:
    • cpe:/a:redhat:jboss_core_services:-:*:*:*:*:*:*:*

  Configuration 3:
    • cpe:/a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

  Configuration 4:
    • cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
    • OR cpe:/a:netapp:cloud_backup:-:*:*:*:*:*:*:*
    • OR cpe:/a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
    • OR cpe:/a:netapp:clustered_data_ontap_antivirus_connector:-:*:*:*:*:*:*:*
    • OR cpe:/a:netapp:manageability_software_development_kit:-:*:*:*:*:*:*:*
    • OR cpe:/a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*
    • OR cpe:/a:netapp:smi-s_provider:-:*:*:*:*:*:*:*
    • OR cpe:/a:netapp:snapdrive:-:*:*:*:*:unix:*:*

  Configuration 5:
    • cpe:/o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
    • AND cpe:/h:netapp:h410c:-:*:*:*:*:*:*:*

  Configuration 6:
    • cpe:/o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
    • AND cpe:/h:netapp:h300s:-:*:*:*:*:*:*:*

  Configuration 7:
    • cpe:/o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
    • AND cpe:/h:netapp:h500s:-:*:*:*:*:*:*:*

  Configuration 8:
    • cpe:/o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
    • AND cpe:/h:netapp:h700s:-:*:*:*:*:*:*:*

  Configuration 9:
    • cpe:/o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
    • AND cpe:/h:netapp:h300e:-:*:*:*:*:*:*:*

  Configuration 10:
    • cpe:/o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
    • AND cpe:/h:netapp:h500e:-:*:*:*:*:*:*:*

  Configuration 11:
    • cpe:/o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
    • AND cpe:/h:netapp:h700e:-:*:*:*:*:*:*:*

  Configuration 12:
    • cpe:/o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
    • AND cpe:/h:netapp:h410s:-:*:*:*:*:*:*:*

  Configuration RedHat 1:
    • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

  Configuration RedHat 2:
    • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

  Configuration RedHat 3:
    • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*

  Configuration RedHat 4:
    • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

  Configuration CCN 1:
    • cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
    • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
    • OR cpe:/a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:*
    • OR cpe:/a:ibm:cloud_pak_for_security:1.7.0.0:*:*:*:*:*:*:*
    • OR cpe:/a:ibm:cloud_pak_for_security:1.7.1.0:*:*:*:*:*:*:*
    • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
Oval Definitions:
  Definition ID                           | Class | Title                                                                              | Last Modified
  oval:org.opensuse.security:def:7657     | P     | libqpdf28-10.3.1-1.1 on GA media (Moderate)                                        | 2023-06-12
  oval:org.opensuse.security:def:7702     | P     | libxml2-2-2.10.3-150500.3.1 on GA media (Moderate)                                 | 2023-06-12
  oval:org.opensuse.security:def:7675     | P     | libsqlite3-0-3.39.3-150000.3.20.1 on GA media (Moderate)                           | 2023-06-12
  oval:org.opensuse.security:def:717      | P     | Security update for zlib (Important)                                               | 2022-08-31
  oval:org.opensuse.security:def:95282    | P     | Security update for git (Important)                                                | 2022-07-26
  oval:org.opensuse.security:def:3618     | P     | Security update for qemu (Important)                                               | 2022-07-04
  oval:org.opensuse.security:def:3110     | P     | jakarta-taglibs-standard-1.1.1-255.2 on GA media (Moderate)                        | 2022-06-28
  oval:org.opensuse.security:def:3434     | P     | apache2-mod_perl-2.0.8-11.43 on GA media (Moderate)                                | 2022-06-28
  oval:org.opensuse.security:def:94546    | P     | enscript-1.6.6-1.17 on GA media (Moderate)                                         | 2022-06-22
  oval:org.opensuse.security:def:94740    | P     | libxml2-2-2.9.12-150400.3.4 on GA media (Moderate)                                 | 2022-06-22
  oval:org.opensuse.security:def:6051     | P     | Security update for MozillaFirefox (Important)                                     | 2022-05-23
  oval:org.opensuse.security:def:101995   | P     | Security update for the Linux Kernel (Live Patch 0 for SLE 15 SP3) (Important)     | 2022-02-02
  oval:org.opensuse.security:def:112928   | P     | libxml2-2-2.9.12-1.2 on GA media (Moderate)                                        | 2022-01-17
  oval:org.opensuse.security:def:113394   | P     | ruby2.7-rubygem-nokogiri-1.12.3-1.2 on GA media (Moderate)                         | 2022-01-17
  oval:org.opensuse.security:def:112560   | P     | libQt5Pdf5-5.15.8-1.1 on GA media (Moderate)                                       | 2022-01-17
  oval:org.opensuse.security:def:106800   | P     | Security update for net-snmp (Important)                                           | 2022-01-11
  oval:org.opensuse.security:def:106383   | P     | libxml2-2-2.9.12-1.2 on GA media (Moderate)                                        | 2021-10-01
  oval:org.opensuse.security:def:101259   | P     | ctags-5.8-1.27 on GA media (Moderate)                                              | 2021-08-09
  oval:org.opensuse.security:def:111574   | P     | Security update for libxml2 (Moderate)                                             | 2021-07-11
  oval:com.redhat.rhsa:def:20212569       | P     | RHSA-2021:2569: libxml2 security update (Moderate)                                 | 2021-06-29
  oval:org.opensuse.security:def:26078    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-18
  oval:org.opensuse.security:def:60294    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-18
  oval:org.opensuse.security:def:32952    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-18
  oval:org.opensuse.security:def:5065     | P     | Security update for libxml2 (Moderate)                                             | 2021-06-18
  oval:org.opensuse.security:def:34471    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-18
  oval:org.opensuse.security:def:58775    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-18
  oval:org.opensuse.security:def:87416    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-18
  oval:org.opensuse.security:def:111442   | P     | Security update for libxml2 (Moderate)                                             | 2021-06-16
  oval:org.opensuse.security:def:99109    | P     | (Moderate)                                                                         | 2021-06-09
  oval:org.opensuse.security:def:75891    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:100621   | P     | (Moderate)                                                                         | 2021-06-09
  oval:org.opensuse.security:def:109315   | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:67140    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:43619    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:1569     | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:99644    | P     | (Moderate)                                                                         | 2021-06-09
  oval:org.opensuse.security:def:97050    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:64523    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:76208    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:5734     | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:101448   | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:39189    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:68746    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:44974    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:73645    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:99957    | P     | (Moderate)                                                                         | 2021-06-09
  oval:org.opensuse.security:def:107925   | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:95936    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:64707    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:76526    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:117440   | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:102130   | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:40544    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:102649   | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:68764    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:73829    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:42087    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:100292   | P     | (Moderate)                                                                         | 2021-06-09
  oval:org.opensuse.security:def:108661   | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:66823    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:76544    | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09
  oval:org.opensuse.security:def:118406   | P     | Security update for libxml2 (Moderate)                                             | 2021-06-09