CVE-2021-3516: Use After Free
First published: Wed Apr 21 2021(Updated: )
An use-after-free was found in xmllint when used with --html and --push options when processing crafted files. Reference: <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/230">https://gitlab.gnome.org/GNOME/libxml2/-/issues/230</a> Upstream patch: <a href="https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539">https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-91.el8 | 0:1.6.1-91.el8 |
| redhat/jbcs-httpd24-curl | <0:7.78.0-3.el8 | 0:7.78.0-3.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-80.el8 | 0:2.4.37-80.el8 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-41.el8 | 0:1.39.2-41.el8 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-11.el8 | 1:1.1.1g-11.el8 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-11.el8 | 0:1.0.0-11.el8 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-26.el8 | 0:0.4.10-26.el8 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-91.jbcs.el7 | 0:1.6.1-91.jbcs.el7 |
| redhat/jbcs-httpd24-curl | <0:7.78.0-3.jbcs.el7 | 0:7.78.0-3.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-80.jbcs.el7 | 0:2.4.37-80.jbcs.el7 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-41.jbcs.el7 | 0:1.39.2-41.jbcs.el7 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-11.jbcs.el7 | 1:1.1.1g-11.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-11.jbcs.el7 | 0:1.0.0-11.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-26.jbcs.el7 | 0:0.4.10-26.jbcs.el7 |
| redhat/libxml2 | <0:2.9.7-9.el8_4.2 | 0:2.9.7-9.el8_4.2 |
| IBM Security Verify Access | <=10.0.0 | |
| redhat/libxml2 | <2.9.11 | 2.9.11 |
| Xmlsoft Xmllint | <2.9.11 | |
| Debian Debian Linux | =9.0 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Redhat Jboss Core Services | ||
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| NetApp Clustered Data ONTAP | ||
| Netapp Clustered Data Ontap Antivirus Connector | ||
| NetApp ONTAP Select Deploy administration utility | ||
| Oracle ZFS Storage Appliance Kit | =8.8 |
Remedy
This flaw can be mitigated by not using xmllint with the --html and --push options together.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/202838
- https://www.ibm.com/support/pages/node/6538418 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1954225
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/230
- https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
- https://security.gentoo.org/glsa/202107-05
- https://security.netapp.com/advisory/ntap-20210716-0005/
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1954227
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1954226
- https://access.redhat.com/support/policy/updates/errata
- https://access.redhat.com/errata/RHSA-2021:2569
- https://access.redhat.com/security/cve/cve-2021-3516
- https://access.redhat.com/errata/RHSA-2022:1390
- https://access.redhat.com/errata/RHSA-2022:1389
- https://www.cve.org/CVERecord?id=CVE-2021-3516 https://nvd.nist.gov/vuln/detail/CVE-2021-3516
- https://access.redhat.com/errata/RHBA-2021:2854
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this flaw in libxml2's xmllint?
The vulnerability ID for this flaw in libxml2's xmllint is CVE-2021-3516.
What is the severity of CVE-2021-3516?
The severity of CVE-2021-3516 is high, with a severity value of 7.8.
How does CVE-2021-3516 impact the system?
CVE-2021-3516 allows a remote attacker to execute arbitrary code on the system.
What is the affected software for CVE-2021-3516?
The affected software for CVE-2021-3516 includes libxml2 version up to 2.9.11, jbcs-httpd24-apr-util version up to 0:1.6.1-91.el8, jbcs-httpd24-curl version up to 0:7.78.0-3.el8, jbcs-httpd24-httpd version up to 0:2.4.37-80.el8, jbcs-httpd24-nghttp2 version up to 0:1.39.2-41.el8, jbcs-httpd24-openssl version up to 1:1.1.1g-11.el8, jbcs-httpd24-openssl-chil version up to 0:1.0.0-11.el8, jbcs-httpd24-openssl-pkcs11 version up to 0:0.4.10-26.el8, jbcs-httpd24-apr-util version up to 0:1.6.1-91.jbcs.el7, jbcs-httpd24-curl version up to 0:7.78.0-3.jbcs.el7, jbcs-httpd24-httpd version up to 0:2.4.37-80.jbcs.el7, jbcs-httpd24-nghttp2 version up to 0:1.39.2-41.jbcs.el7, jbcs-httpd24-openssl version up to 1:1.1.1g-11.jbcs.el7, jbcs-httpd24-openssl-chil version up to 0:1.0.0-11.jbcs.el7, libxml2 version up to 0:2.9.7-9.el8_4.2, IBM Security Verify Access up to version 10.0.0, Xmlsoft Xmllint up to version 2.9.11, Debian Debian Linux version 9.0, Fedoraproject Fedora versions 33 and 34, Microsoft .NET 7.0, Redhat Enterprise Linux versions 6.0, 7.0, and 8.0, NetApp Clustered Data ONTAP, Netapp Clustered Data Ontap Antivirus Connector, NetApp ONTAP Select Deploy administration utility, and Oracle ZFS Storage Appliance Kit version 8.8.
How can I fix the vulnerability in libxml2's xmllint (CVE-2021-3516)?
To fix the vulnerability in libxml2's xmllint (CVE-2021-3516), it is recommended to update to version 2.9.11 or apply the appropriate patch provided by the software vendor.
- collector/redhat-cve
- collector/ibm-support
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/references
- agent/description
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3516
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/ibm
- canonical/ibm security verify access
- version/ibm security verify access/10.0.0
- vendor/xmlsoft
- canonical/xmlsoft xmllint
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/redhat
- canonical/redhat jboss core services
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- vendor/netapp
- canonical/netapp clustered data ontap
- canonical/netapp clustered data ontap antivirus connector
- canonical/netapp ontap select deploy administration utility
- vendor/oracle
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8