製品・ソフトウェアに関する情報

JVN脆弱性詳細

Expat におけるサービス運用妨害 (DoS) の脆弱性

Title	Expat におけるサービス運用妨害 (DoS) の脆弱性
Summary	Expat には、サービス運用妨害 (クラッシュ) 状態にされる、または任意のコードを実行される脆弱性が存在します。
Possible impacts	攻撃者により、不正な形式の入力ドキュメントを介して、バッファオーバーフローを誘発されることで、サービス運用妨害 (クラッシュ) 状態にされる、または任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 18, 2016, midnight
Registration Date	May 30, 2016, 12:38 p.m.
Last Update	Sept. 5, 2016, 6:21 p.m.

CVSS3.0 : 緊急
Score	9.8
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2.0 : 危険
Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected System

Mozilla Foundation

Mozilla Firefox 48.0 未満

アップル

Apple Mac OS X 10.11.6 未満の 10.11

Debian

Debian GNU/Linux 8.0

Canonical

Ubuntu 12.04 LTS

Ubuntu 14.04 LTS

Ubuntu 15.10

Ubuntu 16.04 LTS

SUSE

SUSE Linux Enterprise Debuginfo 11-SP4

SUSE Linux Enterprise Desktop 12

SUSE Linux Enterprise Desktop 12-SP1

SUSE Linux Enterprise Server 11-SP4

SUSE Linux Enterprise Server 12

SUSE Linux Enterprise Server 12-SP1

SUSE Linux Enterprise Software Development Kit 11-SP4

SUSE Linux Enterprise Software Development Kit 12

SUSE Linux Enterprise Software Development Kit 12-SP1

SUSE Studio Onsite 1.3

openSUSE project

openSUSE Leap 42.1

Expat

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-0718	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0718
National Vulnerability Database (NVD)
2	CVE-2016-0718	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0718

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Apple Mailing Lists
1	APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update 2016-004	http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
Apple Security Updates
2	HT206903	https://support.apple.com/en-us/HT206903
Apple セキュリティアップデート
3	HT206903	https://support.apple.com/ja-jp/HT206903
Debian Security Advisory
4	DSA-3582	https://www.debian.org/security/2016/dsa-3582
Mozilla Foundation Security Advisory
5	MFSA2016-68	http://www.mozilla.org/security/announce/2016/mfsa2016-68.html
Mozilla Foundation セキュリティアドバイザリ
6	MFSA2016-68	http://www.mozilla-japan.org/security/announce/2016/mfsa2016-68.html
opensuse-security-announce
7	openSUSE-SU-2016	https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00010.html
8	SUSE-SU-2016:1508	https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00006.html
9	SUSE-SU-2016:1512	https://lists.opensuse.org/opensuse-security-announce/2016-06/msg00007.html
Red Hat Bugzilla
10	Bug 1296102	https://bugzilla.redhat.com/show_bug.cgi?id=1296102#c2
SourceForge
11	Expat XML Parser	https://sourceforge.net/projects/expat/
Ubuntu Security Notice
12	USN-2983-1	http://www.ubuntu.com/usn/USN-2983-1/

その他

No	Name	URL
JVN
1	JVNVU#94844193	http://jvn.jp/vu/JVNVU94844193/

Change Log

No	Changed Details	Date of change
0	[2016年05月30日] 掲載 [2016年08月04日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：アップル (HT206903) を追加ベンダ情報：アップル (APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update 2016-004) を追加参考情報：JVN (JVNVU#94844193) を追加 [2016年09月05日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：Mozilla Foundation (MFSA2016-68) を追加ベンダ情報：openSUSE project (SUSE-SU-2016:1508) を追加ベンダ情報：openSUSE project (SUSE-SU-2016:1512) を追加ベンダ情報：openSUSE project (openSUSE-SU-2016) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-0718

Summary	Expat allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via a malformed input document, which triggers a buffer overflow.
Publication Date	May 27, 2016, 1:59 a.m.
Registration Date	Jan. 26, 2021, 10:40 a.m.
Last Update	Nov. 21, 2024, 11:42 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:mozilla:firefox::::::::					48.0

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:apple:mac_os_x::::::::		10.11.0	10.11.5

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:suse:linux_enterprise_server:11:sp4::::::
cpe:2.3:a:suse:studio_onsite:1.3:::::::*
cpe:2.3:o:suse:linux_enterprise_software_development_kit:11:sp4::::::
cpe:2.3:a:suse:linux_enterprise_debuginfo:11:sp4::::::

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:opensuse:leap:42.1:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1::::::
cpe:2.3:o:suse:linux_enterprise_server:12:sp1::::::
cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1::::::
cpe:2.3:o:suse:linux_enterprise_server:12:-::::::
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:-::::::
cpe:2.3:o:suse:linux_enterprise_desktop:12:-::::::

Configuration6	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:12.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::

Configuration7		or higher	or less	more than	less than
cpe:2.3:a:libexpat_project:libexpat::::::::					2.2.0

Configuration8		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:8.0:::::::*

Configuration9	or higher	or less	more than	less than
cpe:2.3:o:opensuse:opensuse:13.1:::::::*
cpe:2.3:o:opensuse:opensuse:13.2:::::::*

Configuration10		or higher	or less	more than	less than
cpe:2.3:a:mcafee:policy_auditor::::::::					6.5.1

Configuration11	or higher	or less	more than	less than
cpe:2.3:a:python:python::::::::	3.6.0			3.6.2
cpe:2.3:a:python:python::::::::	3.5.0			3.5.4
cpe:2.3:a:python:python::::::::	3.4.0			3.4.7
cpe:2.3:a:python:python::::::::	3.3.0			3.3.7
cpe:2.3:a:python:python::::::::	2.7.0			2.7.15

Related information, measures and tools

No	URL	タグ
1	http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html	Mailing List Third Party Advisory
2	http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html	Mailing List Third Party Advisory
3	http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00064.html	Third Party Advisory
4	http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00064.html	Third Party Advisory
5	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00006.html	Third Party Advisory
6	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00006.html	Third Party Advisory
7	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00007.html	Third Party Advisory
8	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00007.html	Third Party Advisory
9	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00010.html	Third Party Advisory
10	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00010.html	Third Party Advisory
11	http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html	Third Party Advisory
12	http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00004.html	Third Party Advisory
13	http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html	Third Party Advisory
14	http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00029.html	Third Party Advisory
15	http://packetstormsecurity.com/files/141350/ESET-Endpoint-Antivirus-6-Remote-Code-Execution.html	Third Party Advisory VDB Entry
16	http://packetstormsecurity.com/files/141350/ESET-Endpoint-Antivirus-6-Remote-Code-Execution.html	Third Party Advisory VDB Entry
17	http://rhn.redhat.com/errata/RHSA-2016-2824.html	Third Party Advisory
18	http://rhn.redhat.com/errata/RHSA-2016-2824.html	Third Party Advisory
19	http://seclists.org/fulldisclosure/2017/Feb/68	Mailing List Third Party Advisory
20	http://seclists.org/fulldisclosure/2017/Feb/68	Mailing List Third Party Advisory
21	http://support.eset.com/ca6333/	Third Party Advisory
22	http://support.eset.com/ca6333/	Third Party Advisory
23	http://www.debian.org/security/2016/dsa-3582	Third Party Advisory
24	http://www.debian.org/security/2016/dsa-3582	Third Party Advisory
25	http://www.mozilla.org/security/announce/2016/mfsa2016-68.html	Third Party Advisory
26	http://www.mozilla.org/security/announce/2016/mfsa2016-68.html	Third Party Advisory
27	http://www.openwall.com/lists/oss-security/2016/05/17/12	Mailing List Third Party Advisory
28	http://www.openwall.com/lists/oss-security/2016/05/17/12	Mailing List Third Party Advisory
29	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch Third Party Advisory
30	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	Patch Third Party Advisory
31	http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html	Third Party Advisory
32	http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html	Third Party Advisory
33	http://www.securityfocus.com/bid/90729	Third Party Advisory VDB Entry
34	http://www.securityfocus.com/bid/90729	Third Party Advisory VDB Entry
35	http://www.securitytracker.com/id/1036348	Third Party Advisory VDB Entry
36	http://www.securitytracker.com/id/1036348	Third Party Advisory VDB Entry
37	http://www.securitytracker.com/id/1036415	Third Party Advisory VDB Entry
38	http://www.securitytracker.com/id/1036415	Third Party Advisory VDB Entry
39	http://www.securitytracker.com/id/1037705	Third Party Advisory VDB Entry
40	http://www.securitytracker.com/id/1037705	Third Party Advisory VDB Entry
41	http://www.ubuntu.com/usn/USN-2983-1	Third Party Advisory
42	http://www.ubuntu.com/usn/USN-2983-1	Third Party Advisory
43	http://www.ubuntu.com/usn/USN-3044-1	Third Party Advisory
44	http://www.ubuntu.com/usn/USN-3044-1	Third Party Advisory
45	https://access.redhat.com/errata/RHSA-2018:2486	Third Party Advisory
46	https://access.redhat.com/errata/RHSA-2018:2486	Third Party Advisory
47	https://bugzilla.mozilla.org/show_bug.cgi?id=1236923	Issue Tracking Third Party Advisory
48	https://bugzilla.mozilla.org/show_bug.cgi?id=1236923	Issue Tracking Third Party Advisory
49	https://bugzilla.redhat.com/show_bug.cgi?id=1296102	Issue Tracking Third Party Advisory
50	https://bugzilla.redhat.com/show_bug.cgi?id=1296102	Issue Tracking Third Party Advisory
51	https://kc.mcafee.com/corporate/index?page=content&id=SB10365	Third Party Advisory
52	https://kc.mcafee.com/corporate/index?page=content&id=SB10365	Third Party Advisory
53	https://security.gentoo.org/glsa/201701-21	Third Party Advisory
54	https://security.gentoo.org/glsa/201701-21	Third Party Advisory
55	https://source.android.com/security/bulletin/2016-11-01.html	Third Party Advisory
56	https://source.android.com/security/bulletin/2016-11-01.html	Third Party Advisory
57	https://support.apple.com/HT206903	Third Party Advisory
58	https://support.apple.com/HT206903	Third Party Advisory
59	https://www.tenable.com/security/tns-2016-20	Third Party Advisory
60	https://www.tenable.com/security/tns-2016-20	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:sp1::::::
cpe:2.3:o:suse:linux_enterprise_server:12:sp1::::::
cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1::::::
cpe:2.3:o:suse:linux_enterprise_server:12:-::::::
cpe:2.3:o:suse:linux_enterprise_software_development_kit:12:-::::::
cpe:2.3:o:suse:linux_enterprise_desktop:12:-::::::