CVE-2008-3281
First published: Wed Aug 06 2008(Updated: )
libxml2 2.6.32 and earlier does not properly detect recursion during entity expansion in an attribute value, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| libxml2-devel | =2.4.19 | |
| libxml2-devel | =2.6.11 | |
| libxml2-devel | =2.6.13 | |
| libxml2-devel | =2.6.14 | |
| libxml2-devel | =2.6.2 | |
| libxml2-devel | <=2.6.32 | |
| libxml2-devel | =2.5.11 | |
| libxml2-devel | =2.6.1 | |
| libxml2-devel | =2.4.23 | |
| libxml2-devel | =2.6.12 | |
| libxml2-devel | =2.6.0 | |
| libxml2-devel | =2.5.4 | |
| libxml2-devel | =2.5.10 | |
| libxml2-devel | =2.6.3 | |
| Safari | <4.0 | |
| iPhone OS | >=1.0.0<3.0 | |
| Red Hat Fedora | =9 | |
| Ubuntu | =6.06 | |
| Ubuntu | =7.04 | |
| Ubuntu | =7.10 | |
| Ubuntu | =8.04 | |
| Debian Linux | =4.0 | |
| Red Hat Enterprise Linux Desktop | =3.0 | |
| Red Hat Enterprise Linux Desktop | =4.0 | |
| Red Hat Enterprise Linux Desktop | =5.0 | |
| Red Hat Enterprise Linux Server EUS | =4.7 | |
| Red Hat Enterprise Linux Server EUS | =5.2 | |
| Red Hat Enterprise Linux Server | =2.0 | |
| Red Hat Enterprise Linux Server | =3.0 | |
| Red Hat Enterprise Linux Server | =4.0 | |
| Red Hat Enterprise Linux Server | =5.0 | |
| Red Hat Enterprise Linux Workstation | =2.0 | |
| Red Hat Enterprise Linux Workstation | =3.0 | |
| Red Hat Enterprise Linux Workstation | =4.0 | |
| Red Hat Enterprise Linux Workstation | =5.0 | |
| VMware ESXi | =2.5.4 | |
| VMware ESXi | =2.5.5 | |
| VMware ESXi | =3.0.2 | |
| VMware ESXi | =3.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://mail.gnome.org/archives/xml/2008-August/msg00034.html
- https://bugzilla.redhat.com/show_bug.cgi?id=458086
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:180
- https://rhn.redhat.com/errata/RHSA-2008-0836.html
- http://www.securityfocus.com/bid/30783
- http://www.ubuntu.com/usn/usn-640-1
- http://secunia.com/advisories/31728
- http://svn.gnome.org/viewvc/libxml2?view=revision&revision=3772
- https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00261.html
- http://xmlsoft.org/news.html
- http://secunia.com/advisories/31558
- http://secunia.com/advisories/31748
- https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00347.html
- http://secunia.com/advisories/31590
- http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
- http://secunia.com/advisories/31855
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:192
- http://www.vmware.com/security/advisories/VMSA-2008-0017.html
- http://lists.vmware.com/pipermail/security-announce/2008/000039.html
- http://secunia.com/advisories/32488
- http://secunia.com/advisories/31566
- http://www.securitytracker.com/id?1020728
- http://www.debian.org/security/2008/dsa-1631
- http://secunia.com/advisories/32807
- http://wiki.rpath.com/Advisories:rPSA-2008-0325
- http://security.gentoo.org/glsa/glsa-200812-06.xml
- http://secunia.com/advisories/32974
- http://secunia.com/advisories/31982
- http://www.vupen.com/english/advisories/2009/1522
- http://secunia.com/advisories/35379
- http://support.apple.com/kb/HT3613
- http://lists.apple.com/archives/security-announce/2009/jun/msg00002.html
- http://lists.apple.com/archives/security-announce/2009/Jun/msg00005.html
- http://www.vupen.com/english/advisories/2009/1621
- http://support.apple.com/kb/HT3639
- http://www.vupen.com/english/advisories/2008/2843
- http://www.vupen.com/english/advisories/2008/2971
- http://www.vupen.com/english/advisories/2008/2419
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9812
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6496
- https://usn.ubuntu.com/644-1/
- http://www.securityfocus.com/archive/1/497962/100/0/threaded
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=458086#c21
- https://www.cve.org/CVERecord?id=CVE-2008-3281 https://nvd.nist.gov/vuln/detail/CVE-2008-3281
- https://access.redhat.com/errata/RHSA-2008:0836
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2008-3281.json
Frequently Asked Questions
What is the severity of CVE-2008-3281?
CVE-2008-3281 is classified as a denial of service vulnerability due to excessive memory and CPU consumption.
How do I fix CVE-2008-3281?
To fix CVE-2008-3281, upgrade libxml2 to version 2.6.33 or later.
What software is affected by CVE-2008-3281?
Versions of libxml2 up to and including 2.6.32 are affected by CVE-2008-3281.
What type of attack does CVE-2008-3281 facilitate?
CVE-2008-3281 allows attackers to launch denial of service attacks via specially crafted XML documents.
Is CVE-2008-3281 related to XML processing?
Yes, CVE-2008-3281 is specifically related to improper recursion handling during XML entity expansion.
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2008-3281
- collector/redhat-cve
- agent/first-publish-date
- agent/references
- agent/description
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/xmlsoft
- canonical/libxml2-devel
- version/libxml2-devel/2.4.19
- version/libxml2-devel/2.6.11
- version/libxml2-devel/2.6.13
- version/libxml2-devel/2.6.14
- version/libxml2-devel/2.6.2
- version/libxml2-devel/2.6.32
- version/libxml2-devel/2.5.11
- version/libxml2-devel/2.6.1
- version/libxml2-devel/2.4.23
- version/libxml2-devel/2.6.12
- version/libxml2-devel/2.6.0
- version/libxml2-devel/2.5.4
- version/libxml2-devel/2.5.10
- version/libxml2-devel/2.6.3
- vendor/apple
- canonical/safari
- canonical/iphone os
- version/iphone os/1.0.0
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/9
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/6.06
- version/ubuntu/7.04
- version/ubuntu/7.10
- version/ubuntu/8.04
- vendor/debian
- canonical/debian linux
- version/debian linux/4.0
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/3.0
- version/red hat enterprise linux desktop/4.0
- version/red hat enterprise linux desktop/5.0
- canonical/red hat enterprise linux server eus
- version/red hat enterprise linux server eus/4.7
- version/red hat enterprise linux server eus/5.2
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/2.0
- version/red hat enterprise linux server/3.0
- version/red hat enterprise linux server/4.0
- version/red hat enterprise linux server/5.0
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/2.0
- version/red hat enterprise linux workstation/3.0
- version/red hat enterprise linux workstation/4.0
- version/red hat enterprise linux workstation/5.0
- vendor/vmware
- canonical/vmware esxi
- version/vmware esxi/2.5.4
- version/vmware esxi/2.5.5
- version/vmware esxi/3.0.2
- version/vmware esxi/3.0.3