Vulnerabilities > CVE-2015-0851 - Numeric Errors vulnerability in Xmltooling Project Xmltooling 1.5.4
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Nessus
NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-3321.NASL
description The InCommon Shibboleth Training team discovered that XMLTooling, a C++ XML parsing library, did not properly handle an exception when parsing well-formed but schema-invalid XML. This could allow remote attackers to cause a denial of service (crash) via crafted XML data.
last seen 2020-06-01
modified 2020-06-02
plugin id 85130
published 2015-07-31
reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/85130
title Debian DSA-3321-1 : xmltooling - security update
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-3321. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

# Purpose: report a Debian 7.0 / 8.0 host whose xmltooling packages are older
# than the versions named in DSA-3321 (CVE-2015-0851). The decision is made
# from the dpkg package list stored in the scan knowledge base; nothing is
# sent to the XML parser itself.

include("compat.inc");

# Metadata registration. This block only runs when `description` is set and
# always ends at exit(0), so none of the host checks below execute in it.
if (description)
{
  script_id(85130);
  script_version("2.5");
  script_cvs_date("Date: 2018/11/10 11:49:37");

  script_cve_id("CVE-2015-0851");
  script_xref(name:"DSA", value:"3321");

  script_name(english:"Debian DSA-3321-1 : xmltooling - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The InCommon Shibboleth Training team discovered that XMLTooling, a C++ XML parsing library, did not properly handle an exception when parsing well-formed but schema-invalid XML. This could allow remote attackers to cause a denial of service (crash) via crafted XML data."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793855"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/wheezy/xmltooling"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/jessie/xmltooling"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2015/dsa-3321"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the xmltooling packages. For the oldstable distribution (wheezy), this problem has been fixed in version 1.4.2-5+deb7u1. For the stable distribution (jessie), this problem has been fixed in version 1.5.3-2+deb8u1."
  );
  # CVSS v2 base vector: network-reachable, low complexity, no authentication,
  # availability impact only (A:P) - consistent with the crash described above.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  # Temporal vector: exploit unproven (E:U), official fix available (RL:OF),
  # report confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local": the result depends on data gathered from the host itself
  # (see the required KB keys below), not on a network probe.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xmltooling");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # The dpkg listing is expected from ssh_get_info.nasl; without these KB keys
  # the plugin has nothing to compare.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


# Preconditions: local checks enabled, host identified as Debian, package list
# present. Each failure goes to audit() with a distinct reason, so "no finding"
# from a scan without working credentials is not evidence that the host is patched.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


# `flag` counts how many package checks matched.
# NOTE(review): deb_check() comes from debian_package.inc (not shown here);
# presumably it is true when the named package is installed on that release at
# a version older than `reference` - confirm against the include.
flag = 0;
# Debian 7.0 (wheezy): fixed in 1.4.2-5+deb7u1 per the solution text.
if (deb_check(release:"7.0", prefix:"libxmltooling-dev", reference:"1.4.2-5+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libxmltooling-doc", reference:"1.4.2-5+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"libxmltooling5", reference:"1.4.2-5+deb7u1")) flag++;
if (deb_check(release:"7.0", prefix:"xmltooling-schemas", reference:"1.4.2-5+deb7u1")) flag++;
# Debian 8.0 (jessie): fixed in 1.5.3-2+deb8u1 per the solution text.
if (deb_check(release:"8.0", prefix:"libxmltooling-dev", reference:"1.5.3-2+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libxmltooling-doc", reference:"1.5.3-2+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"libxmltooling6", reference:"1.5.3-2+deb8u1")) flag++;
if (deb_check(release:"8.0", prefix:"xmltooling-schemas", reference:"1.5.3-2+deb8u1")) flag++;

# Any match is reported once at warning level; the package detail is attached
# only when report_verbosity > 0.
# This is a package-version check: it does not show whether services that load
# the library were restarted after the upgrade, and it covers only the
# xmltooling packages listed above.
if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family Misc.
NASL id NETIQ_SENTINEL_7_4_1_0.NASL
description The version of Novell NetIQ Sentinel server installed on the remote host is prior to 7.4.1. It is, therefore, affected by multiple vulnerabilities :
- A flaw exists in Apache ActiveMQ in the processControlCommand() function within the file broker/TransportConnection.java. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service condition. (CVE-2014-3576)
- A flaw exists in the XMLTooling library due to a failure to properly handle integer conversion exceptions. An unauthenticated, remote attacker can exploit this, via a crafted SAML message, to cause a denial of service condition. (CVE-2015-0851)
- A remote code execution vulnerability exists due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a specially crafted serialized Java object via the RMI interface, to execute arbitrary code with the privileges of the application.
last seen 2020-06-01
modified 2020-06-02
plugin id 90713
published 2016-04-26
reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/90713
title NetIQ Sentinel < 7.4.1 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

# Purpose: flag a NetIQ Sentinel install whose detected version/revision is
# below the fixed build. The verdict comes from version data recorded by the
# detection plugin; the script compares numbers and sends no test traffic of
# its own in the code shown here.

include("compat.inc");

# Metadata registration. Runs only when `description` is set and always ends
# at exit(0).
if (description)
{
  script_id(90713);
  script_version("1.9");
  script_cvs_date("Date: 2019/11/19");

  # NOTE(review): the description below lists three issues, but only two CVE
  # identifiers are registered; the Commons Collections deserialization item
  # carries no identifier in this plugin.
  script_cve_id("CVE-2014-3576", "CVE-2015-0851");
  script_bugtraq_id(76134, 76272);
  script_xref(name:"CERT", value:"576313");

  script_name(english:"NetIQ Sentinel < 7.4.1 Multiple Vulnerabilities");
  script_summary(english:"Checks the version of NetIQ Sentinel.");

  script_set_attribute(attribute:"synopsis", value:
"The NetIQ Sentinel server installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of Novell NetIQ Sentinel server installed on the remote host is prior to 7.4.1. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in Apache ActiveMQ in the processControlCommand() function within the file broker/TransportConnection.java. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service condition. (CVE-2014-3576) - A flaw exists in the XMLTooling library due to a failure to properly handle integer conversion exceptions. An unauthenticated, remote attacker can exploit this, via a crafted SAML message, to cause a denial of service condition. (CVE-2015-0851) - A remote code execution vulnerability exists due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a specially crafted serialized Java object via the RMI interface, to execute arbitrary code with the privileges of the application.");
  script_set_attribute(attribute:"see_also", value:"https://download.novell.com/Download?buildid=oY4w8kB7XkI~&patch_redirect=true&old_patch=ZEMvbiAk5k8~");
  # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Novell NetIQ Sentinel version 7.4.1 or later. Alternatively, contact the vendor for a workaround.");
  # NOTE(review): the base vector scores availability impact only (C:N/I:N/A:P)
  # and cvss_score_source names CVE-2015-0851, so the reported severity reflects
  # the denial-of-service issue. The description also covers unauthenticated
  # remote code execution; triage should weigh that text, not the score alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  # Temporal vector: exploit unproven (E:U), official fix available (RL:OF),
  # report confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0851");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/28");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/03/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:netiq:sentinel");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Install data is expected from netiq_sentinel_detect.nbin; the plugin does
  # not run unless that detection recorded an install.
  script_dependencies("netiq_sentinel_detect.nbin");
  script_require_keys("installed_sw/NetIQ Sentinel");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");
include("audit.inc");

appname = "NetIQ Sentinel";
# The port is fixed at 8443 for both the install lookup and the report.
# NOTE(review): an instance detected on another port would presumably not be
# matched by this lookup - confirm against get_single_install().
port = 8443 ;
vuln = FALSE;

# exit_if_unknown_ver:TRUE - an install with no usable version yields no verdict.
install = get_single_install(
  app_name : appname,
  port : port,
  exit_if_unknown_ver : TRUE
);

ver = install['version'];
# NOTE(review): behaviour when the install record has no 'Revision' entry is
# not visible here; `rev` is passed to ver_compare() unchecked.
rev = install['Revision'];
report = NULL;

# Fixed build expressed as version 7.4 plus revision 2512.
# NOTE(review): the plugin title says "< 7.4.1"; presumably 7.4.1 corresponds
# to 7.4 revision 2512 - confirm with the vendor advisory.
fixed_version = "7.4";
fixed_revision = "2512";

# Vulnerable when the version is below 7.4, or equal to 7.4 with a revision
# below 2512.
if (ver_compare(ver:ver, fix:fixed_version, strict:FALSE) < 0)
{
  vuln = TRUE;
}
else if (ver_compare(ver:ver, fix:fixed_version, strict:FALSE) == 0)
{
  if(ver_compare(ver:rev, fix:fixed_revision, strict:FALSE) < 0)
    vuln = TRUE;
}

# Report installed and fixed version/revision at warning severity, or record
# the install as not vulnerable.
if (vuln)
{
  report =
    '\n' +
    '\n Installed Version: ' + ver +
    '\n Installed Revision: ' + rev +
    '\n Fixed Version: ' + fixed_version +
    '\n Fixed Revision: ' + fixed_revision +
    '\n';
  security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
}
else
{
  audit(AUDIT_INST_VER_NOT_VULN, appname, ver);
}
NASL family Debian Local Security Checks
NASL id DEBIAN_DLA-290.NASL
description It was discovered that opensaml2, a Security Assertion Markup Language library, needed to be rebuilt against a fixed version of the xmltooling package due to its use of macros vulnerable to CVE-2015-0851 as fixed in the DSA 3321-1 update. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2020-03-17
modified 2015-08-10
plugin id 85280
published 2015-08-10
reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/85280
title Debian DLA-290-2 : opensaml2 security update
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-290-2. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

# Purpose: report a Debian 6.0 host whose opensaml2 packages are older than
# 2.3-2+squeeze2. Per the description string, opensaml2 had to be rebuilt
# against the fixed xmltooling because it uses the affected macros, so an
# xmltooling upgrade alone does not cover these packages.

include("compat.inc");

# Metadata registration. Runs only when `description` is set and always ends
# at exit(0).
if (description)
{
  script_id(85280);
  script_version("2.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2015-0851");

  script_name(english:"Debian DLA-290-2 : opensaml2 security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"It was discovered that opensaml2, a Security Assertion Markup Language library, needed to be rebuilt against a fixed version of the xmltooling package due to its use of macros vulnerable to CVE-2015-0851 as fixed in the DSA 3321-1 update. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.debian.org/debian-lts-announce/2015/08/msg00004.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/squeeze-lts/opensaml2"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
  # CVSS v2 base vector: network-reachable, low complexity, no authentication,
  # availability impact only (A:P).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  # Temporal vector: exploit unproven (E:U), official fix available (RL:OF),
  # report confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # "local": the result depends on the package list gathered from the host.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libsaml2-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libsaml2-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libsaml6");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:opensaml2-schemas");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:opensaml2-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2015/08/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # The dpkg listing is expected from ssh_get_info.nasl; without these KB keys
  # the plugin has nothing to compare.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


# Preconditions: local checks enabled, host identified as Debian, package list
# present. A scan that fails any of these produces an audit message, not a
# "not affected" result for the package versions.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


# `flag` counts how many package checks matched.
# NOTE(review): deb_check() comes from debian_package.inc (not shown here);
# presumably it is true when the named package is installed on that release at
# a version older than `reference` - confirm against the include.
flag = 0;
if (deb_check(release:"6.0", prefix:"libsaml2-dev", reference:"2.3-2+squeeze2")) flag++;
if (deb_check(release:"6.0", prefix:"libsaml2-doc", reference:"2.3-2+squeeze2")) flag++;
if (deb_check(release:"6.0", prefix:"libsaml6", reference:"2.3-2+squeeze2")) flag++;
if (deb_check(release:"6.0", prefix:"opensaml2-schemas", reference:"2.3-2+squeeze2")) flag++;
if (deb_check(release:"6.0", prefix:"opensaml2-tools", reference:"2.3-2+squeeze2")) flag++;

# Any match is reported once at warning level; the package detail is attached
# only when report_verbosity > 0. The check reads installed package versions
# only and does not show whether running services picked up the rebuilt library.
if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
References
- http://shibboleth.net/community/advisories/secadv_20150721.txt
- http://shibboleth.net/community/advisories/secadv_20150721.txt
- http://www.debian.org/security/2015/dsa-3321
- http://www.debian.org/security/2015/dsa-3321
- http://www.securityfocus.com/bid/76134
- http://www.securityfocus.com/bid/76134
- https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3Ba=commitdiff%3Bh=2d795c731e6729309044607154978696a87fd900
- https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3Ba=commitdiff%3Bh=2d795c731e6729309044607154978696a87fd900