CVE-2021-3517: Buffer Overflow
First published: Thu Apr 22 2021(Updated: )
A heap-based buffer overflow was found in libxml2 when processing truncated UTF-8 input. Reference: <a href="https://gitlab.gnome.org/GNOME/libxml2/-/issues/235">https://gitlab.gnome.org/GNOME/libxml2/-/issues/235</a> Upstream patch: <a href="https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2">https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2</a>
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/nokogiri | <1.11.4 | 1.11.4 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-91.el8 | 0:1.6.1-91.el8 |
| redhat/jbcs-httpd24-curl | <0:7.78.0-3.el8 | 0:7.78.0-3.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-80.el8 | 0:2.4.37-80.el8 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-41.el8 | 0:1.39.2-41.el8 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-11.el8 | 1:1.1.1g-11.el8 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-11.el8 | 0:1.0.0-11.el8 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-26.el8 | 0:0.4.10-26.el8 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-91.jbcs.el7 | 0:1.6.1-91.jbcs.el7 |
| redhat/jbcs-httpd24-curl | <0:7.78.0-3.jbcs.el7 | 0:7.78.0-3.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-80.jbcs.el7 | 0:2.4.37-80.jbcs.el7 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-41.jbcs.el7 | 0:1.39.2-41.jbcs.el7 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1g-11.jbcs.el7 | 1:1.1.1g-11.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-chil | <0:1.0.0-11.jbcs.el7 | 0:1.0.0-11.jbcs.el7 |
| redhat/jbcs-httpd24-openssl-pkcs11 | <0:0.4.10-26.jbcs.el7 | 0:0.4.10-26.jbcs.el7 |
| redhat/libxml2 | <0:2.9.7-9.el8_4.2 | 0:2.9.7-9.el8_4.2 |
| redhat/libxml2 | <2.9.11 | 2.9.11 |
| Xmlsoft Libxml2 | <2.9.11 | |
| Redhat Jboss Core Services | ||
| Redhat Enterprise Linux | =8.0 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Debian Debian Linux | =9.0 | |
| Netapp Active Iq Unified Manager Vmware Vsphere | ||
| Netapp Active Iq Unified Manager Windows | ||
| NetApp Clustered Data ONTAP | ||
| Netapp Clustered Data Ontap Antivirus Connector | ||
| NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.70.1 | |
| Netapp E-series Santricity Storage Manager | ||
| Netapp E-series Santricity Web Services Web Services Proxy | ||
| Netapp Hci Management Node | ||
| Netapp Manageability Software Development Kit | ||
| NetApp OnCommand Insight | ||
| NetApp OnCommand Workflow Automation | ||
| NetApp ONTAP Select Deploy administration utility | ||
| Netapp Santricity Unified Manager | ||
| Netapp Snapdrive Windows | ||
| Netapp Snapmanager Oracle | ||
| Netapp Snapmanager Sap | ||
| Netapp Solidfire | ||
| Netapp Hci H410c Firmware | ||
| Netapp Hci H410c | ||
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =1.10.0 | |
| Oracle Enterprise Manager Base Platform | =13.4.0.0 | |
| Oracle Enterprise Manager Base Platform | =13.5.0.0 | |
| Oracle Mysql Workbench | <=8.0.26 | |
| Oracle OpenJDK | =8-update301 | |
| Oracle PeopleSoft Enterprise PeopleTools | =8.58 | |
| Oracle Real User Experience Insight | =13.4.1.0 | |
| Oracle Real User Experience Insight | =13.5.1.0 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.2.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.1.0 | |
| IBM Cloud Pak for Security (CP4S) | <=1.7.0.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2021-3517
- https://bugzilla.redhat.com/show_bug.cgi?id=1954232
- https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
- https://security.gentoo.org/glsa/202107-05
- https://security.netapp.com/advisory/ntap-20210625-0002/
- https://security.netapp.com/advisory/ntap-20211022-0004/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/sparklemotion/nokogiri/issues/2233
- https://github.com/sparklemotion/nokogiri/issues/2274
- https://github.com/sparklemotion/nokogiri/blob/7c19ef5cc6b7c5c36827dd5495f857c6877ec8cf/CHANGELOG.md?plain=1#L579
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2021-3517.yml
- https://github.com/advisories/GHSA-jw9f-hh49-cvp9 (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2021-3517 https://nvd.nist.gov/vuln/detail/CVE-2021-3517
- https://access.redhat.com/errata/RHSA-2022:1389
- https://access.redhat.com/errata/RHSA-2021:2569
- https://access.redhat.com/errata/RHSA-2022:1390
- https://access.redhat.com/errata/RHBA-2021:2854
- https://access.redhat.com/security/cve/cve-2021-3517
- https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
- https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1954234
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1954233
- https://access.redhat.com/support/policy/updates/errata
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- https://exchange.xforce.ibmcloud.com/vulnerabilities/202526
- https://www.ibm.com/support/pages/node/6493729
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2021-3517.
What is the severity of CVE-2021-3517?
The severity of CVE-2021-3517 is high with a CVSS score of 8.6.
What is the affected software?
The affected software includes libxml2 versions before 2.9.11, Nokogiri version up to 1.11.4, and certain Red Hat packages.
How does the vulnerability occur?
The vulnerability occurs due to a heap-based buffer overflow caused by improper bounds checking in the xml entity encoding functionality of libxml2.
Is there a fix available for CVE-2021-3517?
Yes, a fix is available. Update to libxml2 version 2.9.11 or higher, or follow the recommended remediation for the affected software packages.
- collector/github-advisory-latest
- alias/GHSA-jw9f-hh49-cvp9
- alias/CVE-2021-3517
- collector/github-advisory
- collector/redhat-cve
- agent/author
- agent/remedy
- agent/first-publish-date
- agent/type
- agent/weakness
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/references
- agent/softwarecombine
- agent/tags
- collector/ibm-support
- source/IBM
- package-manager/rubygems
- package-manager/redhat
- vendor/xmlsoft
- canonical/xmlsoft libxml2
- vendor/redhat
- canonical/redhat jboss core services
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/netapp
- canonical/netapp active iq unified manager vmware vsphere
- canonical/netapp active iq unified manager windows
- canonical/netapp clustered data ontap
- canonical/netapp clustered data ontap antivirus connector
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0.0
- version/netapp e-series santricity os controller/11.70.1
- canonical/netapp e-series santricity storage manager
- canonical/netapp e-series santricity web services web services proxy
- canonical/netapp hci management node
- canonical/netapp manageability software development kit
- canonical/netapp oncommand insight
- canonical/netapp oncommand workflow automation
- canonical/netapp ontap select deploy administration utility
- canonical/netapp santricity unified manager
- canonical/netapp snapdrive windows
- canonical/netapp snapmanager oracle
- canonical/netapp snapmanager sap
- canonical/netapp solidfire
- canonical/netapp hci h410c firmware
- canonical/netapp hci h410c
- vendor/oracle
- canonical/oracle communications cloud native core network function cloud native environment
- version/oracle communications cloud native core network function cloud native environment/1.10.0
- canonical/oracle enterprise manager base platform
- version/oracle enterprise manager base platform/13.4.0.0
- version/oracle enterprise manager base platform/13.5.0.0
- canonical/oracle mysql workbench
- version/oracle mysql workbench/8.0.26
- canonical/oracle openjdk
- version/oracle openjdk/8-update301
- canonical/oracle peoplesoft enterprise peopletools
- version/oracle peoplesoft enterprise peopletools/8.58
- canonical/oracle real user experience insight
- version/oracle real user experience insight/13.4.1.0
- version/oracle real user experience insight/13.5.1.0
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- vendor/ibm
- canonical/ibm security verify access
- version/ibm security verify access/10.0.0