ID

VAR-201508-0600


CVE

CVE-2015-0851


TITLE

Denial-of-service (DoS) vulnerability in XMLTooling-C as used in OpenSAML-C and Shibboleth Service Provider

Trust: 0.8

sources: JVNDB: JVNDB-2015-004047

DESCRIPTION

XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data.

WebAccess HMI/SCADA software provides remote control and management, allowing users to easily view and configure automation equipment in facility management systems, power stations and building automation systems. A security vulnerability exists in versions prior to Advantech WebAccess 8.1 that could be exploited by a remote attacker to cause a denial of service (out of bounds memory access).

XMLTooling-C is prone to a denial-of-service vulnerability. Remote attackers can exploit this issue to cause the application using affected library to crash, denying service to legitimate users.

Debian Security Advisory DSA-3321-1
security@debian.org
https://www.debian.org/security/
Alessandro Ghedini
July 30, 2015
https://www.debian.org/security/faq

Package: xmltooling
CVE ID: CVE-2015-0851
Debian Bug: 793855

The InCommon Shibboleth Training team discovered that XMLTooling, a C++ XML parsing library, did not properly handle an exception when parsing well-formed but schema-invalid XML.

For the oldstable distribution (wheezy), this problem has been fixed in version 1.4.2-5+deb7u1.

For the stable distribution (jessie), this problem has been fixed in version 1.5.3-2+deb8u1.

For the unstable distribution (sid), this problem will be fixed shortly.

We recommend that you upgrade your xmltooling packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Trust: 2.52

sources: NVD: CVE-2015-0851 // JVNDB: JVNDB-2015-004047 // CNVD: CNVD-2016-00428 // BID: 76134 // PACKETSTORM: 132904

IOT TAXONOMY

category: ['ICS'] // sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2016-00428

AFFECTED PRODUCTS

vendor: xmltooling // model: xmltooling // scope: lte // version: 1.5.4

Trust: 1.0

vendor: shibboleth // model: opensaml // scope: lt // version: -c 2.5.5

Trust: 0.8

vendor: shibboleth // model: service provider // scope: - // version: -

Trust: 0.8

vendor: shibboleth // model: xmltooling // scope: lt // version: -c 1.5.5

Trust: 0.8

vendor: advantech // model: webaccess // scope: lt // version: 8.1

Trust: 0.6

vendor: xmltooling // model: xmltooling // scope: eq // version: 1.5.4

Trust: 0.6

vendor: debian // model: linux sparc // scope: eq // version: 6.0

Trust: 0.3

vendor: debian // model: linux s/390 // scope: eq // version: 6.0

Trust: 0.3

vendor: debian // model: linux powerpc // scope: eq // version: 6.0

Trust: 0.3

vendor: debian // model: linux mips // scope: eq // version: 6.0

Trust: 0.3

vendor: debian // model: linux ia-64 // scope: eq // version: 6.0

Trust: 0.3

vendor: debian // model: linux ia-32 // scope: eq // version: 6.0

Trust: 0.3

vendor: debian // model: linux arm // scope: eq // version: 6.0

Trust: 0.3

vendor: debian // model: linux amd64 // scope: eq // version: 6.0

Trust: 0.3

sources: CNVD: CNVD-2016-00428 // BID: 76134 // JVNDB: JVNDB-2015-004047 // CNNVD: CNNVD-201508-095 // NVD: CVE-2015-0851

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-0851
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-0851
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2016-00428
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201508-095
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2015-0851
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2016-00428
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

sources: CNVD: CNVD-2016-00428 // JVNDB: JVNDB-2015-004047 // CNNVD: CNNVD-201508-095 // NVD: CVE-2015-0851

PROBLEMTYPE DATA

problemtype:CWE-189

Trust: 1.8

sources: JVNDB: JVNDB-2015-004047 // NVD: CVE-2015-0851

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 132904 // CNNVD: CNNVD-201508-095

TYPE

digital error

Trust: 0.6

sources: CNNVD: CNNVD-201508-095

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-004047

PATCH

title: cpp-xmltooling.git / commitdiff // url: https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900

Trust: 0.8

title: [21 July 2015] // url: http://shibboleth.net/community/advisories/secadv_20150721.txt

Trust: 0.8

title: Advantech WebAccess denial of service vulnerability patch // url: https://www.cnvd.org.cn/patchInfo/show/70373

Trust: 0.6

title: cpp-xmltooling.git-2d795c731e6729309044607154978696a87fd900 // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=57194

Trust: 0.6

sources: CNVD: CNVD-2016-00428 // JVNDB: JVNDB-2015-004047 // CNNVD: CNNVD-201508-095

EXTERNAL IDS

db: NVD // id: CVE-2015-0851

Trust: 3.4

db: BID // id: 76134

Trust: 1.3

db: JVNDB // id: JVNDB-2015-004047

Trust: 0.8

db: CNVD // id: CNVD-2016-00428

Trust: 0.6

db: CNNVD // id: CNNVD-201508-095

Trust: 0.6

db: PACKETSTORM // id: 132904

Trust: 0.1

sources: CNVD: CNVD-2016-00428 // BID: 76134 // JVNDB: JVNDB-2015-004047 // PACKETSTORM: 132904 // CNNVD: CNNVD-201508-095 // NVD: CVE-2015-0851

REFERENCES

url:http://shibboleth.net/community/advisories/secadv_20150721.txt

Trust: 1.6

url:http://www.debian.org/security/2015/dsa-3321

Trust: 1.6

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-0851

Trust: 1.4

url:http://www.securityfocus.com/bid/76134

Trust: 1.0

url:https://git.shibboleth.net/view/?p=cpp-xmltooling.git%3ba=commitdiff%3bh=2d795c731e6729309044607154978696a87fd900

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-0851

Trust: 0.8

url:https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commitdiff;h=2d795c731e6729309044607154978696a87fd900

Trust: 0.6

url:https://nvd.nist.gov/vuln/detail/cve-2015-0851

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

sources: CNVD: CNVD-2016-00428 // JVNDB: JVNDB-2015-004047 // PACKETSTORM: 132904 // CNNVD: CNNVD-201508-095 // NVD: CVE-2015-0851

CREDITS

Scott Cantor

Trust: 0.3

sources: BID: 76134

SOURCES

db: CNVD // id: CNVD-2016-00428
db: BID // id: 76134
db: JVNDB // id: JVNDB-2015-004047
db: PACKETSTORM // id: 132904
db: CNNVD // id: CNNVD-201508-095
db: NVD // id: CVE-2015-0851

LAST UPDATE DATE

2024-08-14T13:33:09.046000+00:00


SOURCES UPDATE DATE

db: CNVD // id: CNVD-2016-00428 // date: 2016-01-25T00:00:00
db: BID // id: 76134 // date: 2015-08-12T22:42:00
db: JVNDB // id: JVNDB-2015-004047 // date: 2015-08-13T00:00:00
db: CNNVD // id: CNNVD-201508-095 // date: 2015-08-13T00:00:00
db: NVD // id: CVE-2015-0851 // date: 2023-11-07T02:23:35.317

SOURCES RELEASE DATE

db: CNVD // id: CNVD-2016-00428 // date: 2016-01-25T00:00:00
db: BID // id: 76134 // date: 2015-07-21T00:00:00
db: JVNDB // id: JVNDB-2015-004047 // date: 2015-08-13T00:00:00
db: PACKETSTORM // id: 132904 // date: 2015-08-03T01:17:30
db: CNNVD // id: CNNVD-201508-095 // date: 2015-08-13T00:00:00
db: NVD // id: CVE-2015-0851 // date: 2015-08-12T14:59:01.793