Vulnerabilities > CVE-2015-0851 - Numeric Errors vulnerability in Xmltooling Project Xmltooling 1.5.4

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.

Vulnerable Configurations

Part | Description | Count
Application | Xmltooling_Project | 1

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3321.NASL
    description: The InCommon Shibboleth Training team discovered that XMLTooling, a C++ XML parsing library, did not properly handle an exception when parsing well-formed but schema-invalid XML. This could allow remote attackers to cause a denial of service (crash) via crafted XML data.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 85130
    published: 2015-07-31
    reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/85130
    title: Debian DSA-3321-1 : xmltooling - security update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-3321. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set, the script only declares
    # plugin metadata (ids, references, text, scoring, prerequisites) and leaves
    # via the exit(0) that closes this block; no package check happens here.
    if (description)
    {
      script_id(85130);
      script_version("2.5");
      script_cvs_date("Date: 2018/11/10 11:49:37");
    
      # Identifiers a finding from this plugin maps to: the CVE and the Debian advisory.
      script_cve_id("CVE-2015-0851");
      script_xref(name:"DSA", value:"3321");
    
      script_name(english:"Debian DSA-3321-1 : xmltooling - security update");
      # The verdict is derived from dpkg package data, not from exercising the XML parser.
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The InCommon Shibboleth Training team discovered that XMLTooling, a
    C++ XML parsing library, did not properly handle an exception when
    parsing well-formed but schema-invalid XML. This could allow remote
    attackers to cause a denial of service (crash) via crafted XML data."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=793855"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/xmltooling"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/xmltooling"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2015/dsa-3321"
      );
      # Fixed package versions per release; the same two version strings are the
      # `reference` values passed to deb_check() in the check part of this script.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the xmltooling packages.
    
    For the oldstable distribution (wheezy), this problem has been fixed
    in version 1.4.2-5+deb7u1.
    
    For the stable distribution (jessie), this problem has been fixed in
    version 1.5.3-2+deb8u1."
      );
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # no confidentiality or integrity impact, partial availability impact,
      # which matches the denial of service (crash) described above.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # Temporal vector: exploitability unproven, official fix available, report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # "local" plugin: it works from host data held in the KB (see the required
      # keys below) rather than from traffic sent to a service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Scope: the xmltooling package on Debian 7.0 and 8.0 only.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:xmltooling");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/07/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/31");
      script_end_attributes();
    
      # ACT_GATHER_INFO is the Nessus category for information-gathering plugins.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # Prerequisites: ssh_get_info.nasl must have run and these three KB entries
      # must exist. NOTE(review): presumably they are only populated by a
      # credentialed scan, so a scan without credentials yields no finding from
      # this plugin; treat "no result" as "not assessed", not as "patched".
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: each missing KB entry ends the run through audit() with the
    # matching reason (local checks disabled, host is not Debian, no dpkg list).
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/Debian/release"))
    {
      audit(AUDIT_OS_NOT, "Debian");
    }
    if (!get_kb_item("Host/Debian/dpkg-l"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    # `flag` counts the deb_check() calls that returned true. deb_check() comes
    # from debian_package.inc; presumably it is true when the package installed
    # on that release is older than `reference` (confirm against the include).
    flag = 0;
    
    # Debian 7.0 (wheezy): fixed in 1.4.2-5+deb7u1.
    foreach pkg (make_list("libxmltooling-dev", "libxmltooling-doc", "libxmltooling5", "xmltooling-schemas"))
    {
      if (deb_check(release:"7.0", prefix:pkg, reference:"1.4.2-5+deb7u1")) flag++;
    }
    
    # Debian 8.0 (jessie): fixed in 1.5.3-2+deb8u1.
    foreach pkg (make_list("libxmltooling-dev", "libxmltooling-doc", "libxmltooling6", "xmltooling-schemas"))
    {
      if (deb_check(release:"8.0", prefix:pkg, reference:"1.5.3-2+deb8u1")) flag++;
    }
    
    # No hit: record the host as not affected. Otherwise raise a warning-level
    # finding, attaching the package report only when report verbosity is above 0.
    # This is a package-version verdict; it does not show whether a running
    # service has the library loaded.
    if (!flag)
    {
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:deb_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }
    
  • NASL family: Misc.
    NASL id: NETIQ_SENTINEL_7_4_1_0.NASL
    description: The version of Novell NetIQ Sentinel server installed on the remote host is prior to 7.4.1. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in Apache ActiveMQ in the processControlCommand() function within the file broker/TransportConnection.java. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service condition. (CVE-2014-3576) - A flaw exists in the XMLTooling library due to a failure to properly handle integer conversion exceptions. An unauthenticated, remote attacker can exploit this, via a crafted SAML message, to cause a denial of service condition. (CVE-2015-0851) - A remote code execution vulnerability exists due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a specially crafted serialized Java object via the RMI interface, to execute arbitrary code with the privileges of the application.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90713
    published: 2016-04-26
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90713
    title: NetIQ Sentinel < 7.4.1 Multiple Vulnerabilities
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set, the script only declares
    # plugin metadata and leaves via the exit(0) that closes this block; the
    # version comparison further down does not run.
    if (description)
    {
      script_id(90713);
      script_version("1.9");
      script_cvs_date("Date: 2019/11/19");
    
      # NOTE(review): the description below lists three issues, but only two CVE
      # ids are registered here; the Apache Commons Collections deserialization
      # item carries no CVE id in this plugin.
      script_cve_id("CVE-2014-3576", "CVE-2015-0851");
      script_bugtraq_id(76134, 76272);
      script_xref(name:"CERT", value:"576313");
    
      script_name(english:"NetIQ Sentinel < 7.4.1 Multiple Vulnerabilities");
      # Version-based verdict: the product version is compared, the flaws are not exercised.
      script_summary(english:"Checks the version of NetIQ Sentinel.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The NetIQ Sentinel server installed on the remote host is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of Novell NetIQ Sentinel server installed on the remote
    host is prior to 7.4.1. It is, therefore, affected by multiple
    vulnerabilities :
    
      - A flaw exists in Apache ActiveMQ in the
        processControlCommand() function within the file
        broker/TransportConnection.java. An unauthenticated,
        remote attacker can exploit this, via a specially
        crafted packet, to cause a denial of service condition.
        (CVE-2014-3576)
    
      - A flaw exists in the XMLTooling library due to a failure
        to properly handle integer conversion exceptions. An
        unauthenticated, remote attacker can exploit this, via a
        crafted SAML message, to cause a denial of service
        condition. (CVE-2015-0851)
    
      - A remote code execution vulnerability exists due to
        unsafe deserialize calls of unauthenticated Java objects
        to the Apache Commons Collections (ACC) library. An
        unauthenticated, remote attacker can exploit this, by
        sending a specially crafted serialized Java object via
        the RMI interface, to execute arbitrary code with the
        privileges of the application.");
      script_set_attribute(attribute:"see_also", value:"https://download.novell.com/Download?buildid=oY4w8kB7XkI~&patch_redirect=true&old_patch=ZEMvbiAk5k8~");
      # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c6d83db");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Novell NetIQ Sentinel version 7.4.1 or later.
    Alternatively, contact the vendor for a workaround.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # partial availability impact only (C:N/I:N). Per cvss_score_source below it
      # is the score of CVE-2015-0851, the XMLTooling denial of service.
      # NOTE(review): the vector therefore does not reflect the code-execution
      # item in the description; prioritise remediation from the description
      # text rather than from this score alone.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # Temporal vector: exploitability unproven, official fix available, report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-0851");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/03/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/04/26");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:netiq:sentinel");
      script_end_attributes();
    
      # ACT_GATHER_INFO is the Nessus category for information-gathering plugins.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Misc.");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Prerequisites: the detection plugin must have run and recorded an install
      # under this KB key; without that record this plugin has nothing to compare.
      script_dependencies("netiq_sentinel_detect.nbin");
      script_require_keys("installed_sw/NetIQ Sentinel");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    include("audit.inc");
    
    # Product name and port used for both the install lookup and the report.
    # NOTE(review): the port is a fixed 8443; presumably an install registered
    # under a different port is not evaluated here. Confirm against the
    # detection plugin.
    appname = "NetIQ Sentinel";
    port = 8443;
    report = NULL;
    
    # Fixed build, expressed as version plus revision. NOTE(review): the plugin
    # title says "< 7.4.1" while the comparison uses 7.4 / revision 2512;
    # presumably that pair identifies the 7.4.1 build. Confirm with the vendor
    # advisory.
    fixed_version = "7.4";
    fixed_revision = "2512";
    
    # exit_if_unknown_ver is TRUE, so an install without a known version is
    # handled inside get_single_install().
    install = get_single_install(app_name:appname, port:port, exit_if_unknown_ver:TRUE);
    ver = install['version'];
    rev = install['Revision'];
    
    # Vulnerable when the version is below the fixed version, or equal to it
    # with a revision below the fixed revision.
    vuln = FALSE;
    version_cmp = ver_compare(ver:ver, fix:fixed_version, strict:FALSE);
    if (version_cmp < 0)
    {
      vuln = TRUE;
    }
    else if (version_cmp == 0)
    {
      if (ver_compare(ver:rev, fix:fixed_revision, strict:FALSE) < 0)
      {
        vuln = TRUE;
      }
    }
    
    if (!vuln)
    {
      audit(AUDIT_INST_VER_NOT_VULN, appname, ver);
    }
    else
    {
      # Warning-level finding listing installed and fixed version/revision.
      report = '\n' + '\n Installed Version: ' + ver + '\n Installed Revision: ' + rev + '\n Fixed Version: ' + fixed_version + '\n Fixed Revision: ' + fixed_revision + '\n';
      security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-290.NASL
    description: It was discovered that opensaml2, a Security Assertion Markup Language library, needed to be rebuilt against a fixed version of the xmltooling package due to its use of macros vulnerable to CVE-2015-0851 as fixed in the DSA 3321-1 update. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2015-08-10
    plugin id: 85280
    published: 2015-08-10
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/85280
    title: Debian DLA-290-2 : opensaml2 security update
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-290-2. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration branch: when `description` is set, the script only declares
    # plugin metadata and leaves via the exit(0) that closes this block; no
    # package check happens here.
    if (description)
    {
      script_id(85280);
      script_version("2.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2015-0851");
    
      script_name(english:"Debian DLA-290-2 : opensaml2 security update");
      # The verdict is derived from dpkg package data.
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      # Per the text below, opensaml2 is covered because it had to be rebuilt
      # against the fixed xmltooling (it uses the affected macros). This plugin
      # therefore tracks the opensaml2 packages, not xmltooling itself.
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that opensaml2, a Security Assertion Markup Language
    library, needed to be rebuilt against a fixed version of the
    xmltooling package due to its use of macros vulnerable to
    CVE-2015-0851 as fixed in the DSA 3321-1 update.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2015/08/msg00004.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/squeeze-lts/opensaml2"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # no confidentiality or integrity impact, partial availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      # Temporal vector: exploitability unproven, official fix available, report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      # "local" plugin: it works from host data held in the KB (see the required
      # keys below) rather than from traffic sent to a service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Scope: the five opensaml2 binary packages on Debian 6.0 only.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libsaml2-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libsaml2-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libsaml6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:opensaml2-schemas");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:opensaml2-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/08/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/10");
      script_end_attributes();
    
      # ACT_GATHER_INFO is the Nessus category for information-gathering plugins.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # Prerequisites: ssh_get_info.nasl must have run and these three KB entries
      # must exist. NOTE(review): presumably they are only populated by a
      # credentialed scan, so a scan without credentials yields no finding from
      # this plugin; treat "no result" as "not assessed", not as "patched".
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: each missing KB entry ends the run through audit() with the
    # matching reason (local checks disabled, host is not Debian, no dpkg list).
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/Debian/release"))
    {
      audit(AUDIT_OS_NOT, "Debian");
    }
    if (!get_kb_item("Host/Debian/dpkg-l"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    # `flag` counts the deb_check() calls that returned true. deb_check() comes
    # from debian_package.inc; presumably it is true when the package installed
    # on that release is older than `reference` (confirm against the include).
    flag = 0;
    
    # Debian 6.0 (squeeze-lts): opensaml2 binary packages, fixed in 2.3-2+squeeze2.
    foreach pkg (make_list("libsaml2-dev", "libsaml2-doc", "libsaml6", "opensaml2-schemas", "opensaml2-tools"))
    {
      if (deb_check(release:"6.0", prefix:pkg, reference:"2.3-2+squeeze2")) flag++;
    }
    
    # No hit: record the host as not affected. Otherwise raise a warning-level
    # finding, attaching the package report only when report verbosity is above 0.
    if (!flag)
    {
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:deb_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }