CVE-2014-0191 | Vulnerability Database | Aqua Security

The xmlParserHandlePEReference function in parser.c in libxml2 before 2.9.2, as used in Web Listener in Oracle HTTP Server in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 and other products, loads external parameter entities regardless of whether entity substitution or validation is enabled, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document.

Affected Software

Name	Vendor	Start Version	End Version
Fusion_middleware	Oracle	11.1.1.7.0 (including)	11.1.1.7.0 (including)
Fusion_middleware	Oracle	12.1.2.0.0 (including)	12.1.2.0.0 (including)
Fusion_middleware	Oracle	12.1.3.0.0 (including)	12.1.3.0.0 (including)
Red Hat Enterprise Linux 6	RedHat	libxml2-0:2.7.6-14.el6_5.1	*
Red Hat Enterprise Linux 7	RedHat	libxml2-0:2.9.1-5.el7_1.2	*
Libxml2	Ubuntu	devel	*
Libxml2	Ubuntu	lucid	*
Libxml2	Ubuntu	precise	*
Libxml2	Ubuntu	quantal	*
Libxml2	Ubuntu	saucy	*
Libxml2	Ubuntu	trusty	*

References

http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html
http://lists.opensuse.org/opensuse-updates/2015-12/msg00120.html
http://rhn.redhat.com/errata/RHSA-2015-0749.html
http://www-01.ibm.com/support/docview.wss?uid=swg21678183
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.securityfocus.com/bid/67233
http://xmlsoft.org/news.html
https://bugzilla.redhat.com/show_bug.cgi?id=1090976
https://exchange.xforce.ibmcloud.com/vulnerabilities/93092
https://git.gnome.org/browse/libxml2/commit/?id=9cd1c3cfbd32655d60572c0a413e017260c854df
https://support.apple.com/kb/HT205030
https://support.apple.com/kb/HT205031

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-0191
CWE	https://cwe.mitre.org/data/definitions/.html