Bug 1395609 (CVE-2016-9318) - CVE-2016-9318 libxml2: XML External Entity vulnerability
Summary: CVE-2016-9318 libxml2: XML External Entity vulnerability
Alias: CVE-2016-9318
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1395610 1395611 1395612
Blocks: 1395614 CVE-2016-10127
TreeView+ depends on / blocked
Reported: 2016-11-16 09:52 UTC by Adam Mariš
Modified: 2021-06-10 11:40 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-01-09 02:39:46 UTC

Attachments (Terms of Use)

Description Adam Mariš 2016-11-16 09:52:09 UTC
Improper Restriction of XML External Entity Reference vulnerability was found in libxml2. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Upstream bug:


Comment 1 Adam Mariš 2016-11-16 09:52:53 UTC
Created libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1395610]

Comment 2 Adam Mariš 2016-11-16 09:53:01 UTC
Created mingw-libxml2 tracking bugs for this issue:

Affects: fedora-all [bug 1395611]
Affects: epel-7 [bug 1395612]

Comment 7 Doran Moppert 2017-08-30 05:28:48 UTC
See also CVE-2017-7375 (bug 1462203) which is a similar failure to restrict external entities.  The fix for CVE-2016-9318 (when it's ready) should also close that flaw.

Comment 8 Doran Moppert 2018-01-09 02:38:35 UTC
Upstream is still working on a way to disable external entities while allowing internal entity expansion to work, which will likely eventually surface as a new option flag.  Since RPC interfaces and other instances where untrusted documents are parsed normally do not rely on internal entity expansion, the mitigation is acceptable in these environments.  If instances are discovered where this mitigation is not acceptable, Product Security will evaluate these and determine a suitable solution.

Comment 9 Doran Moppert 2018-01-09 02:38:47 UTC

Application parsing untrusted input with libxml2 should be careful to NOT use entity expansion (enabled by XML_PARSE_NOENT) or DTD validation (XML_PARSE_DTDLOAD, XML_PARSE_DTDVALID) on such input.

Note You need to log in before you can comment on or make changes to this bug.