-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0130
                Junos OS: Multiple vulnerabilities in libxml2
                              15 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libxml2
Publisher:         Juniper Networks
Operating System:  Juniper
Impact/Access:     Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-9251 CVE-2017-18258 CVE-2017-7375 CVE-2016-4449
                   CVE-2016-4448 CVE-2016-4447 CVE-2016-3705 CVE-2016-3627
                   CVE-2015-8035

Reference:         ESB-2018.3061
                   ESB-2018.2923
                   ESB-2018.1777
                   ESB-2018.1765

Original Bulletin:
   https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10916

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Junos OS: Multiple vulnerabilities in libxml2

Product Affected:
This issue affects Junos OS 12.1X46, 12.3, 12.3X48, 14.1X53, 15.1, 15.1F,
15.1X49, 15.1X53, 16.1, 16.2, 17.1, 17.2, 17.3, 17.4, 18.1, 18.2, 18.2X75.

Problem:
Multiple vulnerabilities in libxml2 have been resolved in Junos OS.
Affected releases are Juniper Networks Junos OS:

  12.1X46 versions prior to 12.1X46-D81 on SRX Series;
  12.3 versions prior to 12.3R12-S10;
  12.3X48 versions prior to 12.3X48-D75 on SRX Series;
  14.1X53 versions prior to 14.1X53-D48 on EX2200/VC, EX3200, EX3300/VC,
    EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500,
    QFX3600, QFX5100;
  15.1 versions prior to 15.1R4-S9, 15.1R7-S2;
  15.1F versions prior to 15.1F6-S11;
  15.1X49 versions prior to 15.1X49-D150 on SRX Series;
  15.1X53 versions prior to 15.1X53-D495 on NFX150, NFX250;
  15.1X53 versions prior to 15.1X53-D234 on QFX5200/QFX5110;
  15.1X53 versions prior to 15.1X53-D68 on QFX10000 Series;
  15.1X53 versions prior to 15.1X53-D590 on EX2300/EX3400;
  16.1 versions prior to 16.1R4-S11, 16.1R6-S5, 16.1R7-S1;
  16.2 versions prior to 16.2R2-S7;
  17.1 versions prior to 17.1R2-S9, 17.1R3;
  17.2 versions prior to 17.2R1-S7, 17.2R2-S6, 17.2R3;
  17.3 versions prior to 17.3R2-S4, 17.3R3-S1;
  17.4 versions prior to 17.4R2;
  18.1 versions prior to 18.1R2-S2, 18.1R3;
  18.2 versions prior to 18.2R1-S1, 18.2R2;
  18.2X75 versions prior to 18.2X75-D20.

CVE:     CVE-2016-3627
CVSS:    7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Summary: The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and
         earlier, when used in recovery mode, allows context-dependent
         attackers to cause a denial of service (infinite recursion, stack
         consumption, and application crash) via a crafted XML document.

CVE:     CVE-2016-3705
CVSS:    7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Summary: The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex
         functions in parser.c in libxml2 2.9.3 do not properly keep track
         of the recursion depth, which allows context-dependent attackers
         to cause a denial of service (stack consumption and application
         crash) via a crafted XML document containing a large number of
         nested entity references.
CVE:     CVE-2016-4447
CVSS:    7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Summary: The xmlParseElementDecl function in parser.c in libxml2 before
         2.9.4 allows context-dependent attackers to cause a denial of
         service (heap-based buffer underread and application crash) via a
         crafted file, involving xmlParseName.

CVE:     CVE-2016-4448
CVSS:    9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary: Format string vulnerability in libxml2 before 2.9.4 allows
         attackers to have unspecified impact via format string specifiers
         in unknown vectors.

CVE:     CVE-2016-4449
CVSS:    7.1 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
Summary: XML external entity (XXE) vulnerability in the
         xmlStringLenDecodeEntities function in parser.c in libxml2 before
         2.9.4, when not in validating mode, allows context-dependent
         attackers to read arbitrary files or cause a denial of service
         (resource consumption) via unspecified vectors.

CVE:     CVE-2017-7375
CVSS:    9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Summary: A flaw in libxml2 allows remote XML entity inclusion with default
         parser flags (i.e., when the caller did not request entity
         substitution, DTD validation, external DTD subset loading, or
         default DTD attributes). Depending on the context, this may expose
         a higher-risk attack surface in libxml2 not usually reachable with
         default parser flags, and expose content from local files, HTTP,
         or FTP servers (which might be otherwise unreachable).

CVE:     CVE-2017-18258
CVSS:    6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Summary: The xz_head function in xzlib.c in libxml2 before 2.9.6 allows
         remote attackers to cause a denial of service (memory consumption)
         via a crafted LZMA file, because the decoder functionality does
         not restrict memory usage to what is required for a legitimate
         file.
CVE:     CVE-2018-9251
CVSS:    5.3 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H)
Summary: The xz_decomp function in xzlib.c in libxml2 2.9.8, if --with-lzma
         is used, allows remote attackers to cause a denial of service
         (infinite loop) via a crafted XML file that triggers
         LZMA_MEMLIMIT_ERROR, as demonstrated by xmllint, a different
         vulnerability than CVE-2015-8035.

Solution:
The following software releases have been updated to resolve this specific
issue: 12.1X46-D81, 12.3R12-S10, 12.3X48-D75, 14.1X53-D48, 15.1F6-S11,
15.1R4-S9, 15.1R7-S2, 15.1X49-D150, 15.1X53-D495, 15.1X53-D234,
15.1X53-D68, 15.1X53-D590, 16.1R4-S11, 16.1R6-S5, 16.1R7-S1, 16.2R2-S7,
17.1R2-S9, 17.1R3, 17.2R1-S7, 17.2R2-S6, 17.2R3, 17.3R2-S4, 17.3R3-S1,
17.4R2, 18.1R2-S2, 18.1R3, 18.2R1-S1, 18.2R2, 18.2X75-D20, 18.3R1, and all
subsequent releases.

This issue is being tracked as PR 1364019, which is visible on the
Customer Support website.

Workaround:
There are no known workarounds for these issues.

To reduce the risk of exploitation of these issues: limit the use of XML
scripting to only trusted hosts, networks, and administrators. Disable
services that are not essential to the operation of the system (e.g. J-Web,
FTP). Further, limit access to devices to trusted hosts, networks and
administrators.

Modification History:
2019-01-09: Initial Publication.

CVSS Score:
9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risk Level:
Critical

Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446
"Common Vulnerability Scoring System (CVSS) and Juniper's Security
Advisories."

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXD1MtmaOgq3Tt24GAQi3cw/9HVldtUYo6eMKkQ1zX3cNOsGBKydCWZAf
q0q3GudjoqM7aHLyJ+dc1I02reO7rz73OxpY2DLU5M6rFMZvALNSC+2QUvrUTRV/
FdrC9ODRi85Jl9TR3Ix+W4FJSK/O81+AtfCLt/VKDrVmrrrLtAblRA6pb+m79XW5
5+5yfJWNhEb+sCuddnUSmQiq0WEYLm0j+zN4P9GgrVxMjU4lMWJM2xN/LqqY9CUQ
FlwuG91efQBHYexaeUaKdwz5ni6mA2G5oyd9CsOAmt2A3P06Uyjael0VoR71jeax
HrstDmwunDP64hQNwMQ617jW2PF9lbvrH4iEkiOqys7VyKv4iHaGJu7eNWuzbapa
p7dUMt4aVeyXgCeX5QE+EMNPHRWzdLfp8Gkk1IwC+9Tp38Y/zllbZYYQ8mSvXr+A
XyCJf2FYPplLTUQ+zJTPR/WtbDOhrT7EXxOLgrEMGqlm4bXRSqGSRDCGXRiwds22
po7ixlUkP+3zsgqWLnncmeiR6DLLq9ANP5LC97fvR4zkziiGboU50RUJP6AZvxEF
fYI5ekn6khhcVpYA+gWcFACHwgBZmZBCxN1oDQEpbobNm5nLxe0UrxKsqDQjT7Bs
2HPPi5zIxuwMA7d3i22tSnhaeVSC5ACcAN1Jl6Fe8pjeuQ6ScVsJQR1/78JhqyDH
NtZWxlqXB/M=
=pnOl
-----END PGP SIGNATURE-----
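The "Affected releases" and "Solution" sections of the bulletin above give, per release train, the release at or after which the libxml2 fixes are present. Checking a fleet against that list by hand is error-prone: Junos version strings mix R, F and X trains and service releases, several trains have more than one fixed release (for example 15.1R4-S9 and 15.1R7-S2), and for 15.1X53 the fixed release depends on the platform. The script below is an added example written for this page, not Juniper's or AusCERT's code. It transcribes the fixed-release list from the bulletin into a table and compares Junos version strings against it. The version-string grammar, the comparison rule ("same release with an equal-or-later service release, or any later release, is fixed; anything else on a listed train is affected") and the device inventory in the `__main__` block are assumptions made for the example; the JSA itself remains the authoritative source.

```python
"""Check Junos OS version strings against the fixed releases in JSA10916."""
import re

# Fixed releases transcribed from the bulletin's "Affected releases" list,
# keyed by release train.  Within a train the key is a tuple of platform
# names where the bulletin gives a different fixed release per platform
# (only 15.1X53); None means the fix applies to any platform on that train.
FIXED_RELEASES = {
    "12.1X46": {None: ["12.1X46-D81"]},
    "12.3": {None: ["12.3R12-S10"]},
    "12.3X48": {None: ["12.3X48-D75"]},
    "14.1X53": {None: ["14.1X53-D48"]},
    "15.1": {None: ["15.1R4-S9", "15.1R7-S2"]},
    "15.1F": {None: ["15.1F6-S11"]},
    "15.1X49": {None: ["15.1X49-D150"]},
    "15.1X53": {
        ("NFX150", "NFX250"): ["15.1X53-D495"],
        ("QFX5200", "QFX5110"): ["15.1X53-D234"],
        ("QFX10000",): ["15.1X53-D68"],
        ("EX2300", "EX3400"): ["15.1X53-D590"],
    },
    "16.1": {None: ["16.1R4-S11", "16.1R6-S5", "16.1R7-S1"]},
    "16.2": {None: ["16.2R2-S7"]},
    "17.1": {None: ["17.1R2-S9", "17.1R3"]},
    "17.2": {None: ["17.2R1-S7", "17.2R2-S6", "17.2R3"]},
    "17.3": {None: ["17.3R2-S4", "17.3R3-S1"]},
    "17.4": {None: ["17.4R2"]},
    "18.1": {None: ["18.1R2-S2", "18.1R3"]},
    "18.2": {None: ["18.2R1-S1", "18.2R2"]},
    "18.2X75": {None: ["18.2X75-D20"]},
}

# Assumed grammar for a Junos version string (an approximation written for
# this example, not Juniper's specification): 15.1R7-S2, 15.1F6-S11,
# 15.1X53-D234, 18.2X75-D20.  A trailing ".n" build suffix is ignored.
VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)"
    r"(?:X(?P<x>\d+))?"
    r"(?:(?P<kind>[RF])(?P<rel>\d+))?"
    r"(?:-D(?P<d>\d+))?"
    r"(?:-S(?P<s>\d+))?"
    r"(?:\.\d+)*$"
)


def parse_version(version):
    """Return (train, release, service_release) for a Junos version string.

    X trains number releases with -Dnn, so the D number is the release; R/F
    trains use the R/F number.  15.1F is its own train, as in the bulletin.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version: {version!r}")
    train = f"{m['major']}.{m['minor']}"
    if m["x"]:
        train += f"X{m['x']}"
        release = int(m["d"] or 0)
    else:
        if m["kind"] == "F":
            train += "F"
        release = int(m["rel"] or 0)
    return train, release, int(m["s"] or 0)


def is_affected(version, platform=None):
    """True if `version` is in an affected range, False if it is at or past a
    fixed release, None if the bulletin names neither the train nor (for a
    platform-specific train) the given platform."""
    train, release, service = parse_version(version)
    groups = FIXED_RELEASES.get(train)
    if groups is None:
        return None
    fixed = None
    for platforms, releases in groups.items():
        if platforms is None or (platform and platform.upper() in platforms):
            fixed = [parse_version(f)[1:] for f in releases]
            break
    if fixed is None:
        return None
    # Assumed reading of "prior to A, B ... and all subsequent releases": fixed
    # if on the same release as a fix with an equal-or-later service release,
    # or on any later release.  Releases between two fix trains (15.1R5 sits
    # between 15.1R4-S9 and 15.1R7-S2) carry no fix and count as affected.
    for fixed_release, fixed_service in fixed:
        if release == fixed_release and service >= fixed_service:
            return False
    return release <= max(r for r, _ in fixed)


if __name__ == "__main__":
    # Constructed inventory for demonstration only, not real devices.
    inventory = [("15.1R7-S1", "MX480"), ("15.1X53-D230", "QFX5200"),
                 ("15.1X53-D230", "QFX10000"), ("17.4R2", "EX4300"),
                 ("18.3R1", "SRX345")]
    for ver, model in inventory:
        print(f"{model:9} {ver:14} affected={is_affected(ver, model)}")
```

Run it as a script to see the constructed inventory scored; in practice the version and model would come from `show version` on each device. A result of `None` means the train (or, for 15.1X53, the platform) is not named in the bulletin, which is not the same as "fixed": 18.3R1 is listed as a fixed release, but an unlisted train on an older device should still be checked against the JSA directly.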