===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0130
               Junos OS: Multiple vulnerabilities in libxml2
                              15 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml2
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-9251 CVE-2017-18258 CVE-2017-7375
                   CVE-2016-4449 CVE-2016-4448 CVE-2016-4447
                   CVE-2016-3705 CVE-2016-3627 CVE-2015-8035

Reference:         ESB-2018.3061
                   ESB-2018.2923
                   ESB-2018.1777
                   ESB-2018.1765

Original Bulletin: 
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10916

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Junos OS: Multiple vulnerabilities in libxml2

Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1,
15.1F, 15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1,
18.2, 18.2X75

Problem:

Multiple vulnerabilities in libxml2 have been resolved in Junos OS.

Affected releases are Juniper Networks Junos OS:

12.1X46 versions prior to 12.1X46-D81 on SRX Series;
12.3 versions prior to 12.3R12-S10;
12.3X48 versions prior to 12.3X48-D75 on SRX Series;
14.1X53 versions prior to 14.1X53-D48 on EX2200/VC, EX3200,
EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC
(XRE), QFX3500, QFX3600, QFX5100;
15.1 versions prior to 15.1R4-S9, 15.1R7-S2;
15.1F versions prior to 15.1F6-S11;
15.1X49 versions prior to 15.1X49-D150 on SRX Series;
15.1X53 versions prior to 15.1X53-D495 on NFX150, NFX250;
15.1X53 versions prior to 15.1X53-D234 on QFX5200/QFX5110;
15.1X53 versions prior to 15.1X53-D68 on QFX10000 Series;
15.1X53 versions prior to 15.1X53-D590 on EX2300/EX3400;
16.1 versions prior to 16.1R4-S11, 16.1R6-S5, 16.1R7-S1;
16.2 versions prior to 16.2R2-S7;
17.1 versions prior to 17.1R2-S9, 17.1R3;
17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3;
17.3 versions prior to 17.3R2-S4, 17.3R3-S1;
17.4 versions prior to 17.4R2;
18.1 versions prior to 18.1R2-S2, 18.1R3;
18.2 versions prior to 18.2R1-S1, 18.2R2;
18.2X75 versions prior to 18.2X75-D20.


CVE     : CVE-2016-3627
CVSS    : 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Summary : The xmlStringGetNodeList function in tree.c in libxml2 
          2.9.3 and earlier, when used in recovery mode, allows 
          context-dependent attackers to cause a denial of service 
          (infinite recursion, stack consumption, and application 
          crash) via a crafted XML document.

CVE     : CVE-2016-3705
CVSS    : 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Summary : The (1) xmlParserEntityCheck and (2) 
          xmlParseAttValueComplex functions in parser.c in libxml2 
          2.9.3 do not properly keep track of the recursion depth, 
          which allows context-dependent attackers to cause a denial 
          of service (stack consumption and application crash) via a 
          crafted XML document containing a large number of nested 
          entity references.

CVE     : CVE-2016-4447
CVSS    : 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Summary : The xmlParseElementDecl function in parser.c in libxml2 
          before 2.9.4 allows context-dependent attackers to cause a 
          denial of service (heap-based buffer underread and 
          application crash) via a crafted file, involving 
          xmlParseName.

CVE     : CVE-2016-4448
CVSS    : 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary : Format string vulnerability in libxml2 before 2.9.4 allows 
          attackers to have unspecified impact via format string 
          specifiers in unknown vectors.

CVE     : CVE-2016-4449
CVSS    : 7.1 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
Summary : XML external entity (XXE) vulnerability in the 
          xmlStringLenDecodeEntities function in parser.c in libxml2 
          before 2.9.4, when not in validating mode, allows 
          context-dependent attackers to read arbitrary files or 
          cause a denial of service (resource consumption) via 
          unspecified vectors.

CVE     : CVE-2017-7375
CVSS    : 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary : A flaw in libxml2 allows remote XML entity inclusion with 
          default parser flags (i.e., when the caller did not request 
          entity substitution, DTD validation, external DTD subset 
          loading, or default DTD attributes). Depending on the 
          context, this may expose a higher-risk attack surface in 
          libxml2 not usually reachable with default parser flags, 
          and expose content from local files, HTTP, or FTP servers 
          (which might be otherwise unreachable).

CVE     : CVE-2017-18258
CVSS    : 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Summary : The xz_head function in xzlib.c in libxml2 before 2.9.6 
          allows remote attackers to cause a denial of service 
          (memory consumption) via a crafted LZMA file, because the 
          decoder functionality does not restrict memory usage to 
          what is required for a legitimate file.

CVE     : CVE-2018-9251
CVSS    : 5.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)
Summary : The xz_decomp function in xzlib.c in libxml2 2.9.8, if 
          --with-lzma is used, allows remote attackers to cause a 
          denial of service (infinite loop) via a crafted XML file 
          that triggers LZMA_MEMLIMIT_ERROR, as demonstrated by 
          xmllint, a different vulnerability than CVE-2015-8035.
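Several of the entries above (CVE-2016-4449 and in particular CVE-2017-7375) describe libxml2 expanding external entities even when the caller never asked for entity substitution or DTD loading, so parser flags alone are not a reliable boundary. The following added example (not part of the Juniper or AusCERT bulletin) scans an inbound XML document's prologue with Python's stdlib expat parser and refuses anything that declares a DOCTYPE or entities before the document reaches the application parser; the sample documents and the `external-resource-placeholder` identifier are constructed for illustration.

```python
import xml.parsers.expat


def scan_dtd(data: bytes) -> dict:
    """Report what the document's DTD declares, without expanding anything.

    expat fetches an external entity only when an ExternalEntityRefHandler is
    installed; none is, so the scan itself never touches a file, HTTP or FTP
    resource even if the document asks for one.
    """
    found = {"doctype": False, "external_subset": False,
             "internal_entities": 0, "external_entities": 0}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        found["doctype"] = True
        if sysid is not None or pubid is not None:
            found["external_subset"] = True  # external DTD subset referenced

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        # An entity with no literal value is defined by a SYSTEM/PUBLIC id,
        # i.e. it is external and a permissive parser would fetch it.
        if value is None:
            found["external_entities"] += 1
        else:
            found["internal_entities"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input: declarations seen before the error still count
    return found


def is_safe_for_default_parser(data: bytes) -> bool:
    """True only if the document declares no DOCTYPE at all.

    Rejecting every DTD, not just external entities, is the conservative
    choice when the downstream parser's flags cannot be trusted to stop
    entity inclusion (the situation CVE-2017-7375 describes).
    """
    return not scan_dtd(data)["doctype"]


# Constructed sample documents (not from the bulletin); the SYSTEM id is a
# placeholder string, not a real resource.
PLAIN = b'<?xml version="1.0"?><config><host>r1</host></config>'
INTERNAL_ENTITY = b'<?xml version="1.0"?><!DOCTYPE c [<!ENTITY n "r1">]><c>&n;</c>'
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE c [<!ENTITY x SYSTEM "external-resource-placeholder">]>'
                   b'<c>&x;</c>')
```

Run the check on the raw bytes at the trust boundary (for example, before handing a received document to a libxml2-backed parser) and drop the request when it returns False.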


Solution:

The following software releases have been updated to resolve this
specific issue: 12.1X46-D81, 12.3R12-S10, 12.3X48-D75, 14.1X53-D48,
15.1F6-S11, 15.1R4-S9, 15.1R7-S2, 15.1X49-D150, 15.1X53-D495,
15.1X53-D234, 15.1X53-D68, 15.1X53-D590, 16.1R4-S11, 16.1R6-S5,
16.1R7-S1, 16.2R2-S7, 17.1R2-S9, 17.1R3, 17.2R1-S7, 17.2R2-S6,
17.2R3, 17.3R2-S4, 17.3R3-S1, 17.4R2, 18.1R2-S2, 18.1R3, 18.2R1-S1,
18.2R2, 18.2X75-D20, 18.3R1, and all subsequent releases.

This issue is being tracked as PR 1364019 which is visible on the
Customer Support website.

Workaround:
There are no known workarounds for these issues.

To reduce the risk of exploitation of these issues:

Limit the use of XML scripting to only trusted hosts, networks,
and administrators.
Disable services that are not essential to the operation of the
system; e.g. J-Web, FTP, etc.
Further, limit access to devices to trusted hosts, networks and
administrators.

Modification History:
2019-01-09: Initial Publication.

CVSS Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risk Level:
Critical

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB
16446 "Common Vulnerability Scoring System (CVSS) and Juniper's
Security Advisories."

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================