logo
DATABASE RESOURCES PRICING ABOUT US

USN-4991-1: libxml2 vulnerabilities | Cloud Foundry

Description

## Severity Medium ## Vendor Canonical Ubuntu ## Versions Affected * Canonical Ubuntu 14.04 * Canonical Ubuntu 16.04 * Canonical Ubuntu 18.04 ## Description Yunho Kim discovered that libxml2 incorrectly handled certain error conditions. A remote attacker could exploit this with a crafted XML file to cause a denial of service, or possibly cause libxml2 to expose sensitive information. This issue only affected Ubuntu 14.04 ESM, and Ubuntu 16.04 ESM. (CVE-2017-8872) Zhipeng Xie discovered that libxml2 incorrectly handled certain XML schemas. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, and Ubuntu 18.04 LTS. (CVE-2019-20388) It was discovered that libxml2 incorrectly handled invalid UTF-8 input. A remote attacker could possibly exploit this with a crafted XML file to cause libxml2 to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 ESM, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 20.10. (CVE-2020-24977) It was discovered that libxml2 incorrectly handled invalid UTF-8 input. A remote attacker could possibly exploit this with a crafted XML file to cause libxml2 to crash, resulting in a denial of service. (CVE-2021-3517) It was discovered that libxml2 did not properly handle certain crafted XML files. A local attacker could exploit this with a crafted input to cause libxml2 to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2021-3516, CVE-2021-3518) It was discovered that libxml2 incorrectly handled error states. A remote attacker could exploit this with a crafted XML file to cause libxml2 to crash, resulting in a denial of service. (CVE-2021-3537) Sebastian Pipping discovered that libxml2 did not properly handle certain crafted XML files. A remote attacker could exploit this with a crafted XML file to cause libxml2 to crash, resulting in a denial of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-3541) CVEs contained in this USN include: CVE-2017-8872, CVE-2021-3516, CVE-2020-24977, CVE-2021-3541, CVE-2021-3537, CVE-2021-3517, CVE-2021-3518, CVE-2019-20388. ## Affected Cloud Foundry Products and Versions _Severity is medium unless otherwise noted._ * Bionic Stemcells * 1.x versions prior to 1.13 * All other stemcells not listed. * cflinuxfs3 * All versions prior to 0.245.0 * CF Deployment * All versions prior to 16.16.0 ## Mitigation Users of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases: * Bionic Stemcells * Upgrade 1.x versions to 1.13 or greater * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io/stemcells>). * cflinuxfs3 * Upgrade all versions to 0.245.0 or greater * CF Deployment * Upgrade all versions to 16.16.0 or greater ## References * [USN Notice](<https://usn.ubuntu.com/4991-1/>) * [CVE-2017-8872](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8872>) * [CVE-2021-3516](<https://people.canonical.com/~ubuntu-security/cve/CVE-2021-3516>) * [CVE-2020-24977](<https://people.canonical.com/~ubuntu-security/cve/CVE-2020-24977>) * [CVE-2021-3541](<https://people.canonical.com/~ubuntu-security/cve/CVE-2021-3541>) * [CVE-2021-3537](<https://people.canonical.com/~ubuntu-security/cve/CVE-2021-3537>) * [CVE-2021-3517](<https://people.canonical.com/~ubuntu-security/cve/CVE-2021-3517>) * [CVE-2021-3518](<https://people.canonical.com/~ubuntu-security/cve/CVE-2021-3518>) * [CVE-2019-20388](<https://people.canonical.com/~ubuntu-security/cve/CVE-2019-20388>) ## History 2021-07-08: Initial vulnerability report published.


Affected Software


CPE Name Name Version
bionic stemcells 1.13
cflinuxfs3 0.245.0
cf deployment 16.16.0

Related