Vulnerabilities > CVE-2017-1000061 - XXE vulnerability in Xmlsec Project Xmlsec
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: HIGH
Summary
xmlsec 1.2.23 and earlier is vulnerable to XML External Entity (XXE) expansion when parsing crafted input documents, which can result in information disclosure or denial of service.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
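# Plugin listing metadata (as shown on the advisory page):
#   NASL family : Amazon Linux Local Security Checks
#   NASL id     : ALA_ALAS-2017-890.NASL
#   description : It was discovered xmlsec1   (truncated in the listing)
#   last seen   : 2020-06-01
#   modified    : 2020-06-02
#   plugin id   : 103224
#   published   : 2017-09-15
#   reporter    : This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
#   source      : https://www.tenable.com/plugins/nessus/103224
#   title       : Amazon Linux AMI : xmlsec1 (ALAS-2017-890)
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2017-890.
#
# Purpose: local (credentialed) check that compares the installed xmlsec1
# RPMs on an Amazon Linux AMI host against the fixed build named in
# ALAS-2017-890. It reads the package list already stored in the scan
# knowledge base; it does not parse XML or exercise the XXE condition itself,
# so a finding means "fixed package not installed", not "exploitability
# confirmed". Copies of xmlsec that were not installed through RPM are
# outside what this check can see.

include("compat.inc");

# Registration branch: only declares plugin metadata, then exits.
if (description)
{
  script_id(103224);
  script_version("3.3");
  script_cvs_date("Date: 2018/04/18 15:09:36");

  script_cve_id("CVE-2017-1000061");
  script_xref(name:"ALAS", value:"2017-890");

  script_name(english:"Amazon Linux AMI : xmlsec1 (ALAS-2017-890)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"It was discovered xmlsec1's use of libxml2 inadvertently enabled external entity expansion (XXE) along with validation. An attacker could craft an XML file that would cause xmlsec1 to try and read local files or HTTP/FTP URLs, leading to information disclosure or denial of service. (CVE-2017-1000061)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2017-890.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Run 'yum update xmlsec1' to update your system."
  );

  # NOTE(review): the two vectors below disagree on the attack vector
  # (CVSS2 AV:N, CVSS3 AV:L with UI:R). When triaging, judge exposure by how
  # untrusted XML actually reaches xmlsec1 on the host rather than by either
  # score alone.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:xmlsec1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:xmlsec1-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:xmlsec1-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:xmlsec1-gcrypt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:xmlsec1-gcrypt-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:xmlsec1-gnutls");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:xmlsec1-gnutls-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:xmlsec1-nss");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:xmlsec1-nss-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:xmlsec1-openssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:xmlsec1-openssl-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  # The check depends on data gathered over SSH by ssh_get_info.nasl; without
  # the three KB keys below the plugin cannot produce a result.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


# Bail out with an audit trail entry unless credentialed checks ran.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");

# Capture group 1 is "A" for a release string starting with "ALA", or a
# single digit for one starting with "AL<digit>".
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];

# Only the "ALA" release is in scope. The original nested test
# `if (os_ver == 'A') os_ver = 'AMI';` sat inside this `!= "A"` branch and
# could never be true, so it is dropped; the audit message is unchanged.
if (os_ver != "A")
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


# Fixed version-release from the advisory, applied to every sub-package.
# rpm_check() comes from rpm.inc (not shown here); presumably it is true when
# the installed package is older than the reference - confirm against rpm.inc.
fixed_evr = "1.2.20-7.4.amzn1";
pkgs = make_list(
  "xmlsec1",
  "xmlsec1-debuginfo",
  "xmlsec1-devel",
  "xmlsec1-gcrypt",
  "xmlsec1-gcrypt-devel",
  "xmlsec1-gnutls",
  "xmlsec1-gnutls-devel",
  "xmlsec1-nss",
  "xmlsec1-nss-devel",
  "xmlsec1-openssl",
  "xmlsec1-openssl-devel"
);

flag = 0;
foreach pkg (pkgs)
{
  if (rpm_check(release:"ALA", reference:pkg + "-" + fixed_evr)) flag++;
}

if (flag)
{
  # At least one package matched: report once, with the per-package detail
  # from rpm_report_get() when verbosity allows it.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Nothing flagged: distinguish "installed and not affected" from
  # "none of these packages is installed" in the audit trail.
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xmlsec1 / xmlsec1-debuginfo / xmlsec1-devel / xmlsec1-gcrypt / etc");
}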
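# Plugin listing metadata (as shown on the advisory page):
#   NASL family : Amazon Linux Local Security Checks
#   NASL id     : ALA_ALAS-2017-891.NASL
#   description : The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file. (CVE-2017-1000061)
#   last seen   : 2020-06-01
#   modified    : 2020-06-02
#   plugin id   : 103225
#   published   : 2017-09-15
#   reporter    : This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
#   source      : https://www.tenable.com/plugins/nessus/103225
#   title       : Amazon Linux AMI : GraphicsMagick (ALAS-2017-891)
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2017-891.
#
# Purpose: local (credentialed) check that compares the installed
# GraphicsMagick RPMs on an Amazon Linux AMI host against the fixed build
# named in ALAS-2017-891. It reads the package list from the scan knowledge
# base and does not process any image file itself.
#
# NOTE(review): this plugin registers CVE-2017-11403 (script_cve_id) and
# covers a GraphicsMagick use-after-free, yet the listing above and the
# original description string cited CVE-2017-1000061, the xmlsec XXE. A
# result from this plugin therefore says nothing about xmlsec1; do not count
# it as coverage for CVE-2017-1000061. The description string below is
# aligned with script_cve_id.

include("compat.inc");

# Registration branch: only declares plugin metadata, then exits.
if (description)
{
  script_id(103225);
  script_version("3.3");
  script_cvs_date("Date: 2018/04/18 15:09:36");

  script_cve_id("CVE-2017-11403");
  script_xref(name:"ALAS", value:"2017-891");

  script_name(english:"Amazon Linux AMI : GraphicsMagick (ALAS-2017-891)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  # The CVE id in this text now matches script_cve_id above.
  script_set_attribute(
    attribute:"description",
    value:
"The ReadMNGImage function in coders/png.c in GraphicsMagick 1.3.26 has an out-of-order CloseBlob call, resulting in a use-after-free via a crafted file. (CVE-2017-11403)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2017-891.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Run 'yum update GraphicsMagick' to update your system."
  );

  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:GraphicsMagick");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:GraphicsMagick-c++");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:GraphicsMagick-c++-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:GraphicsMagick-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:GraphicsMagick-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:GraphicsMagick-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:GraphicsMagick-perl");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/09/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  # The check depends on data gathered over SSH by ssh_get_info.nasl; without
  # the three KB keys below the plugin cannot produce a result.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


# Bail out with an audit trail entry unless credentialed checks ran.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");

# Capture group 1 is "A" for a release string starting with "ALA", or a
# single digit for one starting with "AL<digit>".
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];

# Only the "ALA" release is in scope. The original nested test
# `if (os_ver == 'A') os_ver = 'AMI';` sat inside this `!= "A"` branch and
# could never be true, so it is dropped; the audit message is unchanged.
if (os_ver != "A")
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


# Fixed version-release from the advisory, applied to every sub-package.
# rpm_check() comes from rpm.inc (not shown here); presumably it is true when
# the installed package is older than the reference - confirm against rpm.inc.
fixed_evr = "1.3.26-3.11.amzn1";
pkgs = make_list(
  "GraphicsMagick",
  "GraphicsMagick-c++",
  "GraphicsMagick-c++-devel",
  "GraphicsMagick-debuginfo",
  "GraphicsMagick-devel",
  "GraphicsMagick-doc",
  "GraphicsMagick-perl"
);

flag = 0;
foreach pkg (pkgs)
{
  if (rpm_check(release:"ALA", reference:pkg + "-" + fixed_evr)) flag++;
}

if (flag)
{
  # At least one package matched: report once, with the per-package detail
  # from rpm_report_get() when verbosity allows it.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Nothing flagged: distinguish "installed and not affected" from
  # "none of these packages is installed" in the audit trail.
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "GraphicsMagick / GraphicsMagick-c++ / GraphicsMagick-c++-devel / etc");
}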
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1194.NASL description According to the version of the xmlsec1 packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was discovered xmlsec1 last seen 2020-05-06 modified 2017-09-08 plugin id 103032 published 2017-09-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103032 title EulerOS 2.0 SP2 : xmlsec1 (EulerOS-SA-2017-1194)
NASL family Fedora Local Security Checks NASL id FEDORA_2020-9573355FF4.NASL description Update to 1.2.29 that last seen 2020-06-01 modified 2020-06-02 plugin id 133427 published 2020-02-03 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133427 title Fedora 31 : xmlsec1 (2020-9573355ff4)
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1193.NASL description According to the version of the xmlsec1 packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - It was discovered xmlsec1 last seen 2020-05-06 modified 2017-09-08 plugin id 103031 published 2017-09-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103031 title EulerOS 2.0 SP1 : xmlsec1 (EulerOS-SA-2017-1193)
NASL family Scientific Linux Local Security Checks NASL id SL_20170821_XMLSEC1_ON_SL7_X.NASL description Security Fix(es) : - It was discovered xmlsec1 last seen 2020-03-18 modified 2017-08-22 plugin id 102677 published 2017-08-22 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102677 title Scientific Linux Security Update : xmlsec1 on SL7.x x86_64 (20170821)
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-2492.NASL description From Red Hat Security Advisory 2017:2492 : An update for xmlsec1 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. XML Security Library is a C library based on LibXML2 and OpenSSL. The library was created with a goal to support major XML security standards last seen 2020-06-01 modified 2020-06-02 plugin id 102633 published 2017-08-22 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102633 title Oracle Linux 7 : xmlsec1 (ELSA-2017-2492)
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-2492.NASL description An update for xmlsec1 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. XML Security Library is a C library based on LibXML2 and OpenSSL. The library was created with a goal to support major XML security standards last seen 2020-06-01 modified 2020-06-02 plugin id 102634 published 2017-08-22 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102634 title RHEL 7 : xmlsec1 (RHSA-2017:2492)
NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-2492.NASL description An update for xmlsec1 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. XML Security Library is a C library based on LibXML2 and OpenSSL. The library was created with a goal to support major XML security standards last seen 2020-06-01 modified 2020-06-02 plugin id 102881 published 2017-09-01 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102881 title CentOS 7 : xmlsec1 (CESA-2017:2492)
Redhat
advisories
rpms
References
- https://access.redhat.com/errata/RHSA-2017:2492
- https://access.redhat.com/errata/RHSA-2017:2492
- https://github.com/lsh123/xmlsec/issues/43
- https://github.com/lsh123/xmlsec/issues/43
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3PWHBRWXR3RNPHDSTQI6UWDG5ETOQ7VR/
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html