CVE-2011-1755
First published: Thu Apr 28 2011(Updated: )
jabberd2 before 2.2.14 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jabberd | <2.2.14 | 2.2.14 |
| jabberd2 | =2.1 | |
| jabberd2 | =2.1.8 | |
| jabberd2 | =2.2.2 | |
| jabberd2 | =2.1.18 | |
| jabberd2 | =2.2.7 | |
| jabberd2 | <=2.2.13 | |
| jabberd2 | =2.1.11 | |
| jabberd2 | =2.2.0 | |
| jabberd2 | =2.1.12 | |
| jabberd2 | =2.1.21 | |
| jabberd2 | =2.1.15 | |
| jabberd2 | =2.1.24 | |
| jabberd2 | =2.2.11 | |
| jabberd2 | =2.1.1 | |
| jabberd2 | =2.1.5 | |
| jabberd2 | =2.1.20 | |
| jabberd2 | =2.2.3 | |
| jabberd2 | =2.2.5 | |
| jabberd2 | =2.2.10 | |
| jabberd2 | =2.2.7.1 | |
| jabberd2 | =2.1.22 | |
| jabberd2 | =2.1.14 | |
| jabberd2 | =2.1.23 | |
| jabberd2 | =2.2.1 | |
| jabberd2 | =2.1.4 | |
| jabberd2 | =2.1.7 | |
| jabberd2 | =2.1.17 | |
| jabberd2 | =2.2.12 | |
| jabberd2 | =2.1.16 | |
| jabberd2 | =2.2.8 | |
| jabberd2 | =2.1.2 | |
| jabberd2 | =2.2.6 | |
| jabberd2 | =2.2.9 | |
| jabberd2 | =2.1.13 | |
| jabberd2 | =2.1.10 | |
| jabberd2 | =2.1.19 | |
| jabberd2 | =2.1.6 | |
| jabberd2 | =2.2.4 | |
| jabberd2 | =2.1.9 | |
| jabberd2 | =2.1.3 | |
| Jabberd | <2.2.14 | |
| Fedora | =13 | |
| Fedora | =14 | |
| Fedora | =15 | |
| Apple iOS and macOS | <10.6.8 | |
| Apple iOS and macOS | >=10.7.0<10.7.2 | |
| Apple macOS Server | <10.6.8 | |
| Apple macOS Server | >=10.7.0<10.7.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://secunia.com/advisories/44787
- http://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01655.html
- http://codex.xiaoka.com/svn/jabberd2/tags/jabberd-2.2.14/ChangeLog
- https://bugzilla.redhat.com/show_bug.cgi?id=700390
- http://www.securityfocus.com/bid/48250
- http://www.redhat.com/support/errata/RHSA-2011-0882.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061482.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061341.html
- http://www.redhat.com/support/errata/RHSA-2011-0881.html
- http://secunia.com/advisories/44957
- https://hermes.opensuse.org/messages/9197650
- http://lists.fedoraproject.org/pipermail/package-announce/2011-June/061458.html
- http://secunia.com/advisories/45112
- http://support.apple.com/kb/HT5002
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67770
- http://en.wikipedia.org/wiki/Billion_laughs
- http://www.webcitation.org/5wwJidGdh
- https://access.redhat.com/security/cve/CVE-2011-1755
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=496732&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=496732&action=edit
- http://www.canonical.com
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=496733&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=496733&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=700390#c7
- http://tomasz.sterna.tv/
- http://www.xiaoka.com/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=709794
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=709795
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=709796
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=502318&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=502318&action=edit
- https://admin.fedoraproject.org/updates/search/CVE-2011-1755
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=700390#c14
- https://rhn.redhat.com/errata/RHSA-2011-0882.html
- https://rhn.redhat.com/errata/RHSA-2011-0881.html
- https://www.laptopicker.com/best-laptop-for-pentesting/
- http://www.mail-archive.com/jabberd2%40lists.xiaoka.com/msg01655.html
Frequently Asked Questions
What is the severity of CVE-2011-1755?
CVE-2011-1755 has a severity level that is classified as a denial of service vulnerability.
How do I fix CVE-2011-1755?
To fix CVE-2011-1755, you should upgrade to jabberd2 version 2.2.14 or higher.
Which versions are vulnerable to CVE-2011-1755?
CVE-2011-1755 affects jabberd2 versions prior to 2.2.14.
What type of attack does CVE-2011-1755 enable?
CVE-2011-1755 allows remote attackers to induce memory and CPU consumption, leading to service denial.
Is CVE-2011-1755 related to earlier vulnerabilities?
Yes, CVE-2011-1755 is similar to CVE-2003-1564, as both involve issues with entity expansion in XML.
- agent/type
- agent/remedy
- agent/first-publish-date
- agent/references
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-1755
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/author
- agent/tags
- collector/nvd-api
- source/NVD
- agent/softwarecombine
- package-manager/redhat
- vendor/jabber
- canonical/jabberd2
- version/jabberd2/2.1
- version/jabberd2/2.1.8
- version/jabberd2/2.2.2
- version/jabberd2/2.1.18
- version/jabberd2/2.2.7
- version/jabberd2/2.2.13
- version/jabberd2/2.1.11
- version/jabberd2/2.2.0
- version/jabberd2/2.1.12
- version/jabberd2/2.1.21
- version/jabberd2/2.1.15
- version/jabberd2/2.1.24
- version/jabberd2/2.2.11
- version/jabberd2/2.1.1
- version/jabberd2/2.1.5
- version/jabberd2/2.1.20
- version/jabberd2/2.2.3
- version/jabberd2/2.2.5
- version/jabberd2/2.2.10
- version/jabberd2/2.2.7.1
- version/jabberd2/2.1.22
- version/jabberd2/2.1.14
- version/jabberd2/2.1.23
- version/jabberd2/2.2.1
- version/jabberd2/2.1.4
- version/jabberd2/2.1.7
- version/jabberd2/2.1.17
- version/jabberd2/2.2.12
- version/jabberd2/2.1.16
- version/jabberd2/2.2.8
- version/jabberd2/2.1.2
- version/jabberd2/2.2.6
- version/jabberd2/2.2.9
- version/jabberd2/2.1.13
- version/jabberd2/2.1.10
- version/jabberd2/2.1.19
- version/jabberd2/2.1.6
- version/jabberd2/2.2.4
- version/jabberd2/2.1.9
- version/jabberd2/2.1.3
- vendor/jabberd2
- canonical/jabberd
- vendor/fedoraproject
- canonical/fedora
- version/fedora/13
- version/fedora/14
- version/fedora/15
- vendor/apple
- canonical/apple ios and macos
- version/apple ios and macos/10.7.0
- canonical/apple macos server
- version/apple macos server/10.7.0