CVE-2021-23926: XMLBeans XML Entity Expansion
First published: Wed Jan 13 2021(Updated: )
A flaw was found when parsing XML files using XMLBeans 2.6.0 or below. The underlying parser created by XMLBeans could be susceptible to XML External Entity (XXE) attacks. The highest threat from this vulnerability is to confidentiality and system availability.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/xmlbeans | <3.0.0 | 3.0.0 |
| Apache XMLBeans | <=2.6.0 | |
| NetApp OnCommand Unified Manager Core Package | ||
| NetApp Snap Creator Framework | ||
| Netapp Snapmanager Oracle | ||
| Netapp Snapmanager Sap | ||
| Debian Debian Linux | =9.0 | |
| Oracle Middleware Common Libraries And Tools | =12.2.1.3.0 | |
| Oracle Middleware Common Libraries And Tools | =12.2.1.4.0 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.57 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.59 |
Remedy
Affected users are advised to update to Apache XMLBeans 3.0.0 or above, which fixes this vulnerability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-23926 https://nvd.nist.gov/vuln/detail/CVE-2021-23926
- https://bugzilla.redhat.com/show_bug.cgi?id=1922102
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/security/cve/cve-2021-23926
- https://issues.apache.org/jira/browse/XMLBEANS-517
- https://access.redhat.com/security/updates/classification
- https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed@%3Cjava-dev.axis.apache.org%3E
- https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1@%3Cjava-dev.axis.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/06/msg00024.html
- https://poi.apache.org/
- https://security.netapp.com/advisory/ntap-20210513-0004/
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r2dc5588009dc9f0310b7382269f932cc96cae4c3901b747dda1a7fed%40%3Cjava-dev.axis.apache.org%3E
- https://lists.apache.org/thread.html/rbb01d10512098894cd5f22325588197532c64f1c818ea7e4120d40c1%40%3Cjava-dev.axis.apache.org%3E
- https://exchange.xforce.ibmcloud.com/vulnerabilities/194818
- https://www.ibm.com/support/pages/node/6479255 (Advisory)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-23926.
What is the severity of CVE-2021-23926?
The severity of CVE-2021-23926 is critical with a CVSS score of 9.1.
What is the affected software?
The affected software includes Apache XMLBeans up to version 2.6.0, IBM Security Directory Suite VA up to version 8.0.1-8.0.1.19, Netapp Oncommand Unified Manager Core Package, Netapp Snap Creator Framework, Netapp Snapmanager, Debian Debian Linux 9.0, Oracle Middleware Common Libraries And Tools 12.2.1.3.0 and 12.2.1.4.0, and Oracle PeopleSoft Enterprise PeopleTools 8.57, 8.58, and 8.59.
What is the vulnerability description?
The vulnerability is a denial of service vulnerability caused by an XML external entity (XXE) error when processing XML data in Apache XMLBeans, potentially leading to a denial of service or information disclosure.
How can the vulnerability be exploited?
The vulnerability can be exploited by sending a specially-crafted XML request to the affected software.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-23926
- agent/software-canonical-lookup
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/last-modified-date
- agent/event
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/apache
- canonical/apache xmlbeans
- version/apache xmlbeans/2.6.0
- vendor/netapp
- canonical/netapp oncommand unified manager core package
- canonical/netapp snap creator framework
- canonical/netapp snapmanager oracle
- canonical/netapp snapmanager sap
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/oracle
- canonical/oracle middleware common libraries and tools
- version/oracle middleware common libraries and tools/12.2.1.3.0
- version/oracle middleware common libraries and tools/12.2.1.4.0
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.57
- version/oracle peoplesoft enterprise peopletools/8.58
- version/oracle peoplesoft enterprise peopletools/8.59