CVE-2021-3517

Description

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

CVSS Metrics

• v3.1•HIGH•Score: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
• v2.0•HIGH•Score: 7.5AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.11%• Percentile: 28%

Techniques & Countermeasures

• CWE-787•Out-of-bounds Write

  The product writes data past the end, or before the beginning, of the intended buffer.

• CWE-125•Out-of-bounds Read

  The product reads data past the end, or before the beginning, of the intended buffer.

Affected Systems

• debian•debian_linux

  9.0

• fedoraproject•fedora

  33 | 34

• netapp•active_iq_unified_manager

  na

• netapp•clustered_data_ontap

  na

• netapp•clustered_data_ontap_antivirus_connector

  na

• netapp•e-series_santricity_os_controller

  ≥ 11.0.0, ≤ 11.70.1

• netapp•e-series_santricity_storage_manager

  na

• netapp•e-series_santricity_web_services

  na

• netapp•hci_h410c_firmware

  na

• netapp•hci_management_node

  na

• netapp•manageability_software_development_kit

  na

• netapp•oncommand_insight

  na

• netapp•oncommand_workflow_automation

  na

• netapp•ontap_select_deploy_administration_utility

  na

• netapp•santricity_unified_manager

  na

• netapp•snapdrive

  na

• netapp•snapmanager

  na

• netapp•solidfire

  na

• oracle•communications_cloud_native_core_network_function_cloud_native_environment

  1.10.0

• oracle•enterprise_manager_base_platform

  13.4.0.0 | 13.5.0.0

• oracle•mysql_workbench

  ≤ 8.0.26

• oracle•openjdk

  8:update301

• oracle•peoplesoft_enterprise_peopletools

  8.58

• oracle•real_user_experience_insight

  13.4.1.0 | 13.5.1.0

• oracle•zfs_storage_appliance_kit

  8.8

• redhat•enterprise_linux

  8.0

• redhat•jboss_core_services

  na

• xmlsoft•libxml2

  < 2.9.11

References (13)

• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
• https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html
• https://bugzilla.redhat.com/show_bug.cgi?id=1954232
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
• https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
• https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
• https://security.gentoo.org/glsa/202107-05
• https://security.netapp.com/advisory/ntap-20210625-0002/
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://security.netapp.com/advisory/ntap-20211022-0004/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html