First published: Thu Apr 22 2021
A heap-based buffer overflow was found in libxml2 when processing truncated UTF-8 input.
Reference: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
Upstream patch: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
rubygems/nokogiri | <1.11.4 | 1.11.4 |
redhat/jbcs-httpd24-apr-util | <0:1.6.1-91.el8 | 0:1.6.1-91.el8 |
redhat/jbcs-httpd24-curl | <0:7.78.0-3.el8 | 0:7.78.0-3.el8 |
redhat/jbcs-httpd24-httpd | <0:2.4.37-80.el8 | 0:2.4.37-80.el8 |
redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-41.el8 | 0:1.39.2-41.el8 |
redhat/jbcs-httpd24-openssl | <1:1.1.1g-11.el8 | 1:1.1.1g-11.el8 |
redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-11.el8 | 0:1.0.0-11.el8 |
redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-26.el8 | 0:0.4.10-26.el8 |
redhat/jbcs-httpd24-apr-util | <0:1.6.1-91.jbcs.el7 | 0:1.6.1-91.jbcs.el7 |
redhat/jbcs-httpd24-curl | <0:7.78.0-3.jbcs.el7 | 0:7.78.0-3.jbcs.el7 |
redhat/jbcs-httpd24-httpd | <0:2.4.37-80.jbcs.el7 | 0:2.4.37-80.jbcs.el7 |
redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-41.jbcs.el7 | 0:1.39.2-41.jbcs.el7 |
redhat/jbcs-httpd24-openssl | <1:1.1.1g-11.jbcs.el7 | 1:1.1.1g-11.jbcs.el7 |
redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-11.jbcs.el7 | 0:1.0.0-11.jbcs.el7 |
redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-26.jbcs.el7 | 0:0.4.10-26.jbcs.el7 |
redhat/libxml2 | <0:2.9.7-9.el8_4.2 | 0:2.9.7-9.el8_4.2 |
redhat/libxml2 | <2.9.11 | 2.9.11 |
IBM Security Verify Access OIDC Provider | <=10.0.0 | |
libxml2-devel | <2.9.11 | |
Red Hat JBoss Core Services | ||
Red Hat Enterprise Linux | =8.0 | |
Red Hat Fedora | =33 | |
Red Hat Fedora | =34 | |
Debian Linux | =9.0 | |
NetApp Active IQ Unified Manager for VMware vSphere | ||
NetApp Active IQ Unified Manager | ||
IBM Data ONTAP | ||
NetApp ONTAP Antivirus Connector | ||
NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.70.1 | |
NetApp SANtricity Storage Manager | ||
NetApp E-Series SANtricity Web Services | ||
NetApp SolidFire & HCI Management Node | ||
NetApp Manageability SDK | ||
NetApp OnCommand Insight | ||
NetApp OnCommand Workflow Automation | ||
NetApp ONTAP Select Deploy | ||
NetApp E-Series SANtricity Unified Manager | ||
NetApp SnapDrive for Windows | ||
NetApp SnapManager for Oracle | ||
NetApp SnapManager for SAP | ||
NetApp SolidFire & HCI Storage Node | ||
NetApp H410C | ||
NetApp H410C | ||
Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =1.10.0 | |
Oracle Enterprise Manager | =13.4.0.0 | |
Oracle Enterprise Manager | =13.5.0.0 | |
MySQL Workbench | <=8.0.26 | |
OpenJDK 8 | =8-update301 | |
Oracle PeopleTools | =8.58 | |
Oracle Real User Experience Insight | =13.4.1.0 | |
Oracle Real User Experience Insight | =13.5.1.0 | |
Oracle Storage Cloud Software Appliance | =8.8 | |
The vulnerability ID is CVE-2021-3517.
The severity of CVE-2021-3517 is high, with a CVSS score of 8.6.
The affected software includes libxml2 versions before 2.9.11, Nokogiri versions before 1.11.4 (fixed in 1.11.4, see the table above), and the Red Hat packages listed above.
The vulnerability is a heap-based buffer overflow caused by improper bounds checking in the XML entity encoding functionality of libxml2 when it processes truncated UTF-8 input.
A fix is available: update to libxml2 version 2.9.11 or later, or apply the remediation listed for the affected software package.
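The root cause above is a decoder that trusts the length announced by a UTF-8 lead byte and reads that many continuation bytes even when the input ends first. The following is an added example, not libxml2's code or the upstream patch: a generic bounds-checked UTF-8 sequence reader that refuses to dereference any byte beyond the buffer and reports a truncated sequence as an error instead. The function names `utf8_sequence_len` and `utf8_validate`, the error codes and the sample input are all constructed for this illustration.

```c
/* Added example (not libxml2's code): bounds-checked UTF-8 sequence reading.
 * The unsafe pattern behind a "truncated UTF-8 input" overflow is to take the
 * lead byte's announced length and read that many continuation bytes without
 * first checking how many bytes actually remain in the buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Error codes returned by utf8_sequence_len (hypothetical names) */
#define UTF8_INVALID   (-1)   /* malformed lead or continuation byte */
#define UTF8_TRUNCATED (-2)   /* sequence announces more bytes than remain */

/* Returns the length (1..4) of the UTF-8 sequence starting at buf[pos], or one
 * of the error codes above. It never reads past buf[len - 1]. This is a
 * structural check only: overlong forms and surrogates are not rejected here. */
int utf8_sequence_len(const unsigned char *buf, size_t len, size_t pos) {
    if (pos >= len) return UTF8_TRUNCATED;
    unsigned char c = buf[pos];
    int need;
    if (c < 0x80)                need = 1;
    else if ((c & 0xE0) == 0xC0) need = 2;
    else if ((c & 0xF0) == 0xE0) need = 3;
    else if ((c & 0xF8) == 0xF0) need = 4;
    else return UTF8_INVALID;    /* stray continuation byte or 0xF8..0xFF */

    /* The bounds check a vulnerable path lacks: every one of the 'need' bytes
     * must lie inside the buffer before any of them is dereferenced. */
    if (len - pos < (size_t)need) return UTF8_TRUNCATED;

    for (int i = 1; i < need; i++)
        if ((buf[pos + i] & 0xC0) != 0x80) return UTF8_INVALID;
    return need;
}

/* Walks a whole buffer. Returns 0 if every sequence is complete and
 * structurally valid, otherwise the error code of the first bad sequence,
 * storing its offset in *bad_at (if non-NULL). */
int utf8_validate(const unsigned char *buf, size_t len, size_t *bad_at) {
    size_t pos = 0;
    while (pos < len) {
        int n = utf8_sequence_len(buf, len, pos);
        if (n < 0) {
            if (bad_at) *bad_at = pos;
            return n;
        }
        pos += (size_t)n;
    }
    return 0;
}

int main(void) {
    /* Constructed sample: 'a', then "é" (C3 A9), then the first two bytes of a
     * three-byte sequence (E2 82) with its final byte cut off, as a truncated
     * input would present it. */
    const unsigned char truncated[] = { 'a', 0xC3, 0xA9, 0xE2, 0x82 };
    size_t at = 0;
    int rc = utf8_validate(truncated, sizeof truncated, &at);
    printf("result %d at offset %zu\n", rc, at); /* -2 at offset 3 */
    return 0;
}
```

The point to carry over to a fix or a review is the order of operations: the remaining length is compared against the announced sequence length before the continuation bytes are touched, so a cut-off sequence produces an error value rather than an out-of-bounds read or write on the heap buffer holding the input.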