CVE-2016-8734
First published: Mon Oct 16 2017(Updated: )
Apache Subversion's mod_dontdothat module and HTTP clients 1.4.0 through 1.8.16, and 1.9.0 through 1.9.4 are vulnerable to a denial-of-service attack caused by exponential XML entity expansion. The attack can cause the targeted process to consume an excessive amount of CPU resources or memory.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Subversion | =1.4.0 | |
| Subversion | =1.4.1 | |
| Subversion | =1.4.2 | |
| Subversion | =1.4.3 | |
| Subversion | =1.4.4 | |
| Subversion | =1.4.5 | |
| Subversion | =1.4.6 | |
| Subversion | =1.5.0 | |
| Subversion | =1.5.1 | |
| Subversion | =1.5.2 | |
| Subversion | =1.5.3 | |
| Subversion | =1.5.4 | |
| Subversion | =1.5.5 | |
| Subversion | =1.5.6 | |
| Subversion | =1.5.7 | |
| Subversion | =1.5.8 | |
| Subversion | =1.6.0 | |
| Subversion | =1.6.1 | |
| Subversion | =1.6.2 | |
| Subversion | =1.6.3 | |
| Subversion | =1.6.4 | |
| Subversion | =1.6.5 | |
| Subversion | =1.6.6 | |
| Subversion | =1.6.7 | |
| Subversion | =1.6.8 | |
| Subversion | =1.6.9 | |
| Subversion | =1.6.10 | |
| Subversion | =1.6.11 | |
| Subversion | =1.6.12 | |
| Subversion | =1.6.13 | |
| Subversion | =1.6.14 | |
| Subversion | =1.6.15 | |
| Subversion | =1.6.16 | |
| Subversion | =1.6.17 | |
| Subversion | =1.6.18 | |
| Subversion | =1.6.19 | |
| Subversion | =1.6.20 | |
| Subversion | =1.6.21 | |
| Subversion | =1.6.23 | |
| Subversion | =1.7.0 | |
| Subversion | =1.7.1 | |
| Subversion | =1.7.2 | |
| Subversion | =1.7.3 | |
| Subversion | =1.7.4 | |
| Subversion | =1.7.5 | |
| Subversion | =1.7.6 | |
| Subversion | =1.7.7 | |
| Subversion | =1.7.8 | |
| Subversion | =1.7.9 | |
| Subversion | =1.7.10 | |
| Subversion | =1.7.11 | |
| Subversion | =1.7.12 | |
| Subversion | =1.7.13 | |
| Subversion | =1.7.14 | |
| Subversion | =1.7.15 | |
| Subversion | =1.7.16 | |
| Subversion | =1.7.17 | |
| Subversion | =1.7.18 | |
| Subversion | =1.7.19 | |
| Subversion | =1.7.20 | |
| Subversion | =1.8.0 | |
| Subversion | =1.8.1 | |
| Subversion | =1.8.2 | |
| Subversion | =1.8.3 | |
| Subversion | =1.8.4 | |
| Subversion | =1.8.5 | |
| Subversion | =1.8.6 | |
| Subversion | =1.8.7 | |
| Subversion | =1.8.8 | |
| Subversion | =1.8.9 | |
| Subversion | =1.8.10 | |
| Subversion | =1.8.11 | |
| Subversion | =1.8.12 | |
| Subversion | =1.8.13 | |
| Subversion | =1.8.14 | |
| Subversion | =1.8.15 | |
| Subversion | =1.8.16 | |
| Subversion | =1.9.0 | |
| Subversion | =1.9.1 | |
| Subversion | =1.9.2 | |
| Subversion | =1.9.3 | |
| Subversion | =1.9.4 | |
| Debian | =8.0 | |
| Debian | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.debian.org/security/2017/dsa-3932
- http://www.securityfocus.com/bid/94588
- http://www.securitytracker.com/id/1037361
- https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b00009d44f0e09@%3Cannounce.apache.org%3E
- https://subversion.apache.org/security/CVE-2016-8734-advisory.txt
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/7798f5cda1b2a3c70db4be77694b12dec8fcc1a441b00009d44f0e09%40%3Cannounce.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2016-8734?
CVE-2016-8734 has been classified as a denial-of-service vulnerability that can lead to significant resource exhaustion.
How do I fix CVE-2016-8734?
To mitigate CVE-2016-8734, users should upgrade to a patched version of Apache Subversion that addresses this vulnerability.
Which versions are affected by CVE-2016-8734?
CVE-2016-8734 affects Apache Subversion versions 1.4.0 through 1.8.16 and 1.9.0 through 1.9.4.
What types of attacks are enabled by CVE-2016-8734?
CVE-2016-8734 allows attackers to perform denial-of-service attacks through exponential XML entity expansion.
Is there a workaround for CVE-2016-8734?
While the best solution is to update to a secure version, users may limit exposure by monitoring and blocking malicious XML requests.
- agent/type
- agent/author
- agent/references
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/subversion
- version/subversion/1.4.0
- version/subversion/1.4.1
- version/subversion/1.4.2
- version/subversion/1.4.3
- version/subversion/1.4.4
- version/subversion/1.4.5
- version/subversion/1.4.6
- version/subversion/1.5.0
- version/subversion/1.5.1
- version/subversion/1.5.2
- version/subversion/1.5.3
- version/subversion/1.5.4
- version/subversion/1.5.5
- version/subversion/1.5.6
- version/subversion/1.5.7
- version/subversion/1.5.8
- version/subversion/1.6.0
- version/subversion/1.6.1
- version/subversion/1.6.2
- version/subversion/1.6.3
- version/subversion/1.6.4
- version/subversion/1.6.5
- version/subversion/1.6.6
- version/subversion/1.6.7
- version/subversion/1.6.8
- version/subversion/1.6.9
- version/subversion/1.6.10
- version/subversion/1.6.11
- version/subversion/1.6.12
- version/subversion/1.6.13
- version/subversion/1.6.14
- version/subversion/1.6.15
- version/subversion/1.6.16
- version/subversion/1.6.17
- version/subversion/1.6.18
- version/subversion/1.6.19
- version/subversion/1.6.20
- version/subversion/1.6.21
- version/subversion/1.6.23
- version/subversion/1.7.0
- version/subversion/1.7.1
- version/subversion/1.7.2
- version/subversion/1.7.3
- version/subversion/1.7.4
- version/subversion/1.7.5
- version/subversion/1.7.6
- version/subversion/1.7.7
- version/subversion/1.7.8
- version/subversion/1.7.9
- version/subversion/1.7.10
- version/subversion/1.7.11
- version/subversion/1.7.12
- version/subversion/1.7.13
- version/subversion/1.7.14
- version/subversion/1.7.15
- version/subversion/1.7.16
- version/subversion/1.7.17
- version/subversion/1.7.18
- version/subversion/1.7.19
- version/subversion/1.7.20
- version/subversion/1.8.0
- version/subversion/1.8.1
- version/subversion/1.8.2
- version/subversion/1.8.3
- version/subversion/1.8.4
- version/subversion/1.8.5
- version/subversion/1.8.6
- version/subversion/1.8.7
- version/subversion/1.8.8
- version/subversion/1.8.9
- version/subversion/1.8.10
- version/subversion/1.8.11
- version/subversion/1.8.12
- version/subversion/1.8.13
- version/subversion/1.8.14
- version/subversion/1.8.15
- version/subversion/1.8.16
- version/subversion/1.9.0
- version/subversion/1.9.1
- version/subversion/1.9.2
- version/subversion/1.9.3
- version/subversion/1.9.4
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/9.0