The BSI has published a current IT security notice for libxml2. You can find out more about the affected operating systems and products as well as CVE numbers here on news.de.
The Federal Office for Security in der Informationstechnik (BSI) published an update on May 5th, 2023 to a vulnerability for libxml2 that became known on September 4th, 2020. The operating systems UNIX, Linux and NetApp Appliance as well as the products Debian Linux, Amazon Linux 2, Red Hat Enterprise Linux, NetApp Data ONTAP, Ubuntu Linux, SUSE Linux, Gentoo Linux, Open Source Arch Linux and Open Source libxml2 are affected by the vulnerability.
The latest manufacturer recommendations regarding updates, workarounds and security patches for this vulnerability can be found here: Amazon Linux Security Advisory ALAS-2023-1743 (Status: 04.05.2023). Other useful sources are listed later in this article.
Security advisory for libxml2 – risk: medium
Risk level: 3 (medium)
CVSS Base Score: 6,3
CVSS Temporal Score: 5,5
Remoteangriff: Ja
The Common Vulnerability Scoring System (CVSS) is used to assess the severity of security vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security vulnerabilities based on various metrics in order to better prioritize countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used for the severity of a vulnerability. The base score assesses the prerequisites for an attack (including authentication, complexity, privileges, user interaction) and its consequences. With the temporal score, framework conditions that change over time are included in the evaluation. The risk of the vulnerability discussed here is classified as “medium” according to the CVSS with a base score of 6.3.
libxml2 bug: vulnerability allows unspecified attack
libxml is a C parser and toolkit developed for the Gnome project.
A remote, anonymous attacker could exploit a vulnerability in libxml2 to perform an unspecified attack.
The vulnerability is identified with the individual CVE serial number (Common Vulnerabilities and Exposures) CVE-2020-24977 traded.
Systems affected by the libxml2 vulnerability at a glance
operating systems
UNIX, Linux, NetApp Appliance
Products
Debian Linux (cpe:/o:debian:debian_linux)
Amazon Linux 2 (cpe:/o:amazon:linux_2)
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
NetApp Data ONTAP (cpe:/a:netapp:data_ontap)
Ubuntu Linux (cpe:/o:canonical:ubuntu_linux)
SUSE Linux (cpe:/o:suse:suse_linux)
Gentoo Linux (cpe:/o:gentoo:linux)
Open Source Arch Linux (cpe:/o:archlinux:archlinux)
Open Source libxml2 <= 2.9.10 (cpe:/a:xmlsoft:libxml2)
General recommendations for dealing with IT vulnerabilities
- Users of the affected applications should keep them up to date. When security vulnerabilities become known, manufacturers are required to remedy them as quickly as possible by developing a patch or a workaround. If new security updates are available, install them promptly.
- For information, consult the sources listed in the next section. These often contain further information on the latest version of the software in question and the availability of security patches or tips on workarounds.
- If you have any further questions or are uncertain, please contact your responsible administrator. IT security officers should regularly check when the IT security warning affected manufacturers makes a new security update available.
Sources for updates, patches and workarounds
Here you will find further links with information about bug reports, security fixes and workarounds.
Amazon Linux Security Advisory ALAS-2023-1743 vom 2023-05-04 (05.05.2023)
For more information, see: https://alas.aws.amazon.com/ALAS-2023-1743.html
Hitachi Cybersecurity Advisory (03.12.2021)
For more information, see: https://search.abb.com/library/Download.aspx?DocumentID=8DBD000064&LanguageCode=en&DocumentPartId=&Action=Launch
Gentoo Linux Security Advisory GLSA-202107-05 vom 2021-07-06 (06.07.2021)
For more information, see: https://security.gentoo.org/glsa/202107-05
Red Hat Security Advisory RHSA-2021:2543 vom 2021-06-24 (25.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2543
Red Hat Security Advisory RHSA-2021:2532 vom 2021-06-23 (24.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2532
Amazon Linux Security Advisory ALAS-2021-1662 vom 2021-06-23 (24.06.2021)
For more information, see: https://alas.aws.amazon.com/AL2/ALAS-2021-1662.html
Ubuntu Security Notice USN-4991-1 vom 2021-06-17 (18.06.2021)
For more information, see: https://ubuntu.com/security/notices/USN-4991-1
Red Hat Security Advisory RHSA-2021:2479 vom 2021-06-17 (18.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2479
Red Hat Security Advisory RHSA-2021:2461 vom 2021-06-16 (17.06.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:2461
SUSE Security Update SUSE-SU-2021:14729-1 vom 2021-05-19 (20.05.2021)
For more information, see: https://lists.suse.com/pipermail/sle-security-updates/2021-May/008797.html
Red Hat Security Advisory RHSA-2021:1597 vom 2021-05-18 (19.05.2021)
For more information, see: https://access.redhat.com/errata/RHSA-2021:1597
Arch Linux Security Advisory ASA-202011-15 vom 2020-11-17 (18.11.2020)
For more information, see: https://security.archlinux.org/ASA-202011-15/generate
Arch Linux Security Advisory ASA-202011-5 vom 2020-11-09 (10.11.2020)
For more information, see: https://security.archlinux.org/ASA-202011-5/generate
NetApp Security Advisory NTAP-20200924-0001 vom 2020-09-24 (24.09.2020)
For more information, see: https://security.netapp.com/advisory/ntap-20200924-0001/
SUSE Security Update SUSE-SU-2020:2612-1 vom 2020-09-11 (14.09.2020)
For more information, see: http://lists.suse.com/pipermail/sle-security-updates/2020-September/007411.html
SUSE Security Update SUSE-SU-2020:2609-1 vom 2020-09-11 (14.09.2020)
For more information, see: http://lists.suse.com/pipermail/sle-security-updates/2020-September/007409.html
Debian Security Advisory DLA-2369 vom 2020-09-10 (10.09.2020)
For more information, see: https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202009/msg00009.html
libxml2 Issue 178 from 2020-09-04 (04.09.2020)
For more information, see: https://gitlab.gnome.org/GNOME/libxml2/-/issues/178
Version history of this security alert
This is the 16th version of this IT Security Advisory for libxml2. If further updates are announced, this text will be updated. You can read about changes or additions in this version history.
09/04/2020 – Initial version
09/10/2020 – Added new updates from Debian
09/14/2020 – Added new updates of Fedora and SUSE
09/24/2020 – Added new updates from NetApp
11/10/2020 – Added new updates to Arch Linux
2020-11-12 – Reference(s) added: FEDORA-2020-B6AAF25741, FEDORA-2020-7773C53BC8, FEDORA-2020-935F62C3D9, FEDORA-2020-FF317550E4
11/18/2020 – Added new updates to Arch Linux
05/19/2021 – Added new updates from Red Hat
05/20/2021 – Added new updates from SUSE
06/17/2021 – Added new updates from Red Hat
06/18/2021 – Added new updates from Red Hat and Ubuntu
06/24/2021 – Added new updates from Amazon and Red Hat
06/25/2021 – Added new updates from Red Hat
07/06/2021 – Added new updates of Gentoo
12/03/2021 – Added new updates
05/05/2023 – Added new updates from Amazon
+++ Editorial note: This text was created with AI support based on current BSI data. We accept feedback and comments at [email protected]. +++
follow News.de already at Facebook, Twitter, Pinterest and YouTube? Here you will find the latest news, the latest videos and the direct line to the editors.
roj/news.de