Vulnerabilities > CVE-2016-2099 - Use-After-Free Remote Code Execution vulnerability in Apache Xerces
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier allows context-dependent attackers to have unspecified impact via an invalid character in an XML document. <a href="http://cwe.mitre.org/data/definitions/416.html">CWE-416: Use After Free</a>
Vulnerable Configurations
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_CB09A7AA534411E6A7BD14DAE9D210B8.NASL description Apache reports : The Xerces-C XML parser fails to successfully parse a DTD that is deeply nested, and this causes a stack overflow, which makes a denial of service attack against many applications possible by an unauthenticated attacker. Also, CVE-2016-2099: Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier allows context-dependent attackers to have unspecified impact via an invalid character in an XML document. last seen 2020-06-01 modified 2020-06-02 plugin id 92575 published 2016-07-27 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92575 title FreeBSD : xercesi-c3 -- multiple vulnerabilities (cb09a7aa-5344-11e6-a7bd-14dae9d210b8) NASL family Fedora Local Security Checks NASL id FEDORA_2016-84373C5F4F.NASL description Update to xerces-c 3.1.4, fixing CVE-2016-2099 and CVE-2016-4463 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-15 plugin id 92262 published 2016-07-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92262 title Fedora 22 : xerces-c (2016-84373c5f4f) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0008.NASL description An update of [xcerces-c,linux] packages for PhotonOS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111857 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111857 title Photon OS 1.0: Linux PHSA-2017-0008 (deprecated) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL04253390.NASL description Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ 3.1.3 and earlier does not properly handle exceptions raised in the XMLReader class, which allows context-dependent attackers to have unspecified impact via an invalid character in an XML document. (CVE-2016-2099) last seen 2020-03-17 modified 2017-12-28 plugin id 105466 published 2017-12-28 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105466 title F5 Networks BIG-IP : Apache Xerces vulnerability (K04253390) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1046.NASL description xerces-c was updated to fix one security issue. This security issue was fixed : - CVE-2016-2099: Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ did not properly handle exceptions raised in the XMLReader class, which allowed context-dependent attackers to have unspecified impact via an invalid character in an XML document (bsc#979208). - CVE-2016-4463: Apache Xerces-C XML Parser crashed on malformed DTD (bnc#985860). This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2016-09-06 plugin id 93336 published 2016-09-06 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/93336 title openSUSE Security Update : xerces-c (openSUSE-2016-1046) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201612-46.NASL description The remote host is affected by the vulnerability described in GLSA-201612-46 (Xerces-C++: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xerces-C++. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to process a specially crafted file, possibly resulting in the remote execution of arbitrary code with the privileges of the process, or a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 96126 published 2016-12-27 reporter This script is Copyright (C) 2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96126 title GLSA-201612-46 : Xerces-C++: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-876.NASL description This update for xerces-c fixes the following issues : - CVE-2016-4463 Apache Xerces-C XML Parser Crashes on Malformed DT (boo#985860) - CVE-2016-2099 Exception handling mistake causing use after free (boo#979208) last seen 2020-06-05 modified 2016-07-18 plugin id 92354 published 2016-07-18 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/92354 title openSUSE Security Update : xerces-c (openSUSE-2016-876) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-467.NASL description XMLReader class can raise an exception if an invalid character is encountered, and the exception crosses stack frames in an unsafe way that causes a higher level exception handler to access an already-freed object. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2016-05-13 plugin id 91107 published 2016-05-13 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/91107 title Debian DLA-467-1 : xerces-c security update NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3579.NASL description Gustavo Grieco discovered an use-after-free vulnerability in xerces-c, a validating XML parser library for C++, due to not properly handling invalid characters in XML input documents in the DTDScanner. last seen 2020-06-01 modified 2020-06-02 plugin id 91174 published 2016-05-17 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91174 title Debian DSA-3579-1 : xerces-c - security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-833.NASL description xerces-c was updated to fix one security issue. This security issue was fixed : - CVE-2016-2099: Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++. It did not properly handle exceptions raised in the XMLReader class, which allowed context-dependent attackers to have unspecified impact via an invalid character in an XML document (bsc#979208). last seen 2020-06-05 modified 2016-07-06 plugin id 91953 published 2016-07-06 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/91953 title openSUSE Security Update : xerces-c (openSUSE-2016-833) NASL family Fedora Local Security Checks NASL id FEDORA_2016-9284772686.NASL description Update to xerces-c 3.1.4, fixing CVE-2016-2099 and CVE-2016-4463 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-15 plugin id 92267 published 2016-07-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92267 title Fedora 24 : xerces-c (2016-9284772686) NASL family Fedora Local Security Checks NASL id FEDORA_2016-87E8468465.NASL description MinGW cross compiled xerces-c 3.1.4, fixing CVE-2016-0729, CVE-2016-2099 and CVE-2016-4463 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-15 plugin id 92263 published 2016-07-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92263 title Fedora 23 : mingw-xerces-c (2016-87e8468465) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2154-1.NASL description xerces-c was updated to fix one security issue. This security issue was fixed : - CVE-2016-2099: Use-after-free vulnerability in validators/DTD/DTDScanner.cpp in Apache Xerces C++ did not properly handle exceptions raised in the XMLReader class, which allowed context-dependent attackers to have unspecified impact via an invalid character in an XML document (bsc#979208). - CVE-2016-4463: Apache Xerces-C XML Parser crashed on malformed DTD (bnc#985860). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 93308 published 2016-09-02 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93308 title SUSE SLED12 / SLES12 Security Update : xerces-c (SUSE-SU-2016:2154-1) NASL family Fedora Local Security Checks NASL id FEDORA_2016-D2D6890690.NASL description Update to xerces-c 3.1.4, fixing CVE-2016-2099 and CVE-2016-4463 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-15 plugin id 92291 published 2016-07-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92291 title Fedora 23 : xerces-c (2016-d2d6890690) NASL family Fedora Local Security Checks NASL id FEDORA_2016-7615FEBBD6.NASL description MinGW cross compiled xerces-c 3.1.4, fixing CVE-2016-0729, CVE-2016-2099 and CVE-2016-4463 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-15 plugin id 92257 published 2016-07-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92257 title Fedora 22 : mingw-xerces-c (2016-7615febbd6) NASL family Fedora Local Security Checks NASL id FEDORA_2016-0A061F6DD9.NASL description MinGW cross compiled xerces-c 3.1.4, fixing CVE-2016-0729, CVE-2016-2099 and CVE-2016-4463 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-15 plugin id 92226 published 2016-07-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92226 title Fedora 24 : mingw-xerces-c (2016-0a061f6dd9)
References
- http://lists.opensuse.org/opensuse-updates/2016-07/msg00016.html
- http://lists.opensuse.org/opensuse-updates/2016-07/msg00053.html
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00013.html
- http://www.debian.org/security/2016/dsa-3579
- http://www.openwall.com/lists/oss-security/2016/05/09/7
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.securityfocus.com/bid/90502
- https://issues.apache.org/jira/browse/XERCESC-2066
- https://security.gentoo.org/glsa/201612-46