The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability note CVE-2016-4447 CVE-2016-4448 CVE-2016-4449

libxml2: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of libxml2.
Vulnerable systems: iOS by Apple, iPhone, Mac OS X, Blue Coat CAS, ProxyAV, ProxyRA, ProxySG par Blue Coat, SGOS by Blue Coat, Debian, BIG-IP Hardware, TMOS, Fedora, Junos OS, Junos Space, libxml, McAfee Web Gateway, openSUSE Leap, Oracle Communications, RHEL, Slackware, Splunk Enterprise, SLES, Nessus, Ubuntu.
Severity of this threat: 2/4.
Consequences of a hack: user access/rights, data reading, denial of service on service, denial of service on client.
Pirate's origin: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 25/05/2016.
Références of this weakness: 1989337, 1991909, 1991910, 1991911, 1991913, 1991997, CERTFR-2017-AVI-012, cpujan2018, CVE-2016-4447, CVE-2016-4448, CVE-2016-4449, DLA-503-1, DSA-3593-1, FEDORA-2017-a3a47973eb, FEDORA-2017-be8574d593, HT206902, HT206903, JSA10770, JSA10916, K24322529, K41103561, openSUSE-SU-2016:1595-1, RHSA-2016:1292-01, SA129, SB10170, SOL41103561, SPL-119440, SPL-121159, SPL-123095, SSA:2016-148-01, SUSE-SU-2016:1538-1, SUSE-SU-2016:1604-1, TNS-2017-03, USN-2994-1, USN-3235-1, VIGILANCE-VUL-19694.

Description of the vulnerability

Several vulnerabilities were announced in libxml2.

An attacker can force a read at an invalid address via xmlParseName, in order to trigger a denial of service, or to obtain sensitive information. [severity:1/4; CVE-2016-4447]

An attacker can use a format string attack, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-4448]

An attacker can generate a memory corruption via Entities Content, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-4449]
Full Vigil@nce bulletin... (Free trial)

Computer vulnerabilities tracking service

Vigil@nce provides a computers vulnerabilities management. The Vigil@nce vulnerability database contains several thousand vulnerabilities. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.