{ "threat_severity" : "Moderate", "public_date" : "2021-04-22T00:00:00Z", "bugzilla" : { "description" : "libxml2: Heap-based buffer overflow in xmlEncodeEntitiesInternal() in entities.c", "id" : "1954232", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1954232" }, "cvss3" : { "cvss3_base_score" : "8.6", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", "status" : "verified" }, "cwe" : "CWE-787", "details" : [ "There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.", "There is a flaw in the xml entity encoding functionality of libxml2. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application." ], "statement" : "This flaw is out of support scope for Red Hat Enterprise Linux 6 and 7. To learn more about Red Hat Enterprise Linux support life cycles, please see https://access.redhat.com/support/policy/updates/errata .", "acknowledgement" : "Red Hat would like to thank zodf0055980 (SQLab NCTU Taiwan) for reporting this issue.", "affected_release" : [ { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-apr-util-0:1.6.1-91.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-curl-0:7.78.0-3.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-httpd-0:2.4.37-80.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.16-10.Final_redhat_2.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_http2-0:1.15.7-22.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_jk-0:1.2.48-29.redhat_1.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_md-1:2.0.8-41.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-mod_security-0:2.9.2-68.GA.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-nghttp2-0:1.39.2-41.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-openssl-1:1.1.1g-11.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-openssl-chil-0:1.0.0-11.el8jbcs" }, { "product_name" : "JBoss Core Services for RHEL 8", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8", "package" : "jbcs-httpd24-openssl-pkcs11-0:0.4.10-26.el8jbcs" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-apr-util-0:1.6.1-91.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-curl-0:7.78.0-3.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.37-80.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.16-10.Final_redhat_2.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_http2-0:1.15.7-22.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_jk-0:1.2.48-29.redhat_1.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_md-1:2.0.8-41.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_security-0:2.9.2-68.GA.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-nghttp2-0:1.39.2-41.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-openssl-1:1.1.1g-11.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-openssl-chil-0:1.0.0-11.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1389", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-openssl-pkcs11-0:0.4.10-26.jbcs.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-06-29T00:00:00Z", "advisory" : "RHSA-2021:2569", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "libxml2-0:2.9.7-9.el8_4.2" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-06-29T00:00:00Z", "advisory" : "RHSA-2021:2569", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "libxml2-0:2.9.7-9.el8_4.2" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-controller-rhel8:v1.4.6-4" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-log-reader-rhel8:v1.4.6-4" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-must-gather-rhel8:v1.4.6-4" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-operator-bundle:v1.4.6-5" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-registry-rhel8:v1.4.6-4" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-rsync-transfer-rhel8:v1.4.6-4" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-ui-rhel8:v1.4.6-4" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-velero-plugin-for-aws-rhel8:v1.4.6-4" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-velero-plugin-for-gcp-rhel8:v1.4.6-3" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8:v1.4.6-4" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-velero-restic-restore-helper-rhel8:v1.4.6-5" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-migration-velero-rhel8:v1.4.6-5" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.4", "release_date" : "2021-07-21T00:00:00Z", "advisory" : "RHBA-2021:2854", "cpe" : "cpe:/a:redhat:rhmt:1.4::el7", "package" : "rhmtc/openshift-velero-plugin-rhel8:v1.4.6-4" }, { "product_name" : "Text-Only JBCS", "release_date" : "2022-04-20T00:00:00Z", "advisory" : "RHSA-2022:1390", "cpe" : "cpe:/a:redhat:jboss_core_services:1", "package" : "libxml2" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "compat-expat1", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "libxml2", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "libxml2", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "libxml2", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3517\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3517" ], "name" : "CVE-2021-3517", "csaw" : false }