製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の Apple 製品の libxslt におけるサービス運用妨害 (DoS) の脆弱性

Title	複数の Apple 製品の libxslt におけるサービス運用妨害 (DoS) の脆弱性
Summary	複数の Apple 製品の libxslt には、サービス運用妨害 (メモリ破損) 状態にされるなど、不特定の影響を受ける脆弱性が存在します。本脆弱性は、CVE-2016-4608、CVE-2016-4609、CVE-2016-4610、および CVE-2016-4612 とは異なる脆弱性です。
Possible impacts	第三者により、サービス運用妨害 (メモリ破損) 状態にされるなど、不特定の影響を受ける可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	July 18, 2016, midnight
Registration Date	July 29, 2016, 12:08 p.m.
Last Update	July 29, 2016, 12:08 p.m.

CVSS3.0 : 緊急
Score	9.8
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2.0 : 危険
Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected System

アップル

Apple Mac OS X 10.10.5

Apple Mac OS X 10.11 およびそれ以降

Apple Mac OS X 10.9.5

iCloud 5.2.1 未満 (Windows 7 以降)

iOS 9.3.3 未満 (iPad 2 以降)

iOS 9.3.3 未満 (iPhone 4s 以降)

iOS 9.3.3 未満 (iPod touch 第 5 世代以降)

iTunes 12.4.2 未満 (Windows 7 以降)

tvOS 9.2.2 未満 (Apple TV 第 4 世代)

watchOS 2.2.2 未満 (Apple Watch Edition)

watchOS 2.2.2 未満 (Apple Watch Hermes)

watchOS 2.2.2 未満 (Apple Watch Sport)

watchOS 2.2.2 未満 (Apple Watch)

xmlsoft.org

libxslt

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-4607	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4607
National Vulnerability Database (NVD)
2	CVE-2016-4607	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4607

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
Apple
1	Apple security updates	https://support.apple.com/en-us/HT201222
Apple Mailing Lists
2	APPLE-SA-2016-07-18-1 OS X El Capitan v10.11.6 and Security Update 2016-004	http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html
3	APPLE-SA-2016-07-18-2 iOS 9.3.3	http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html
4	APPLE-SA-2016-07-18-3 watchOS 2.2.2	http://lists.apple.com/archives/security-announce/2016/Jul/msg00002.html
5	APPLE-SA-2016-07-18-4 tvOS 9.2.2	http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html
6	APPLE-SA-2016-07-18-6 iTunes 12.4.2	http://lists.apple.com/archives/security-announce/2016/Jul/msg00005.html
Apple Security Updates
7	HT206899	https://support.apple.com/en-us/HT206899
8	HT206901	https://support.apple.com/en-us/HT206901
9	HT206902	https://support.apple.com/en-us/HT206902
10	HT206903	https://support.apple.com/en-us/HT206903
11	HT206904	https://support.apple.com/en-us/HT206904
12	HT206905	https://support.apple.com/en-us/HT206905
Apple セキュリティアップデート
13	HT206899	https://support.apple.com/ja-jp/HT206899
14	HT206901	https://support.apple.com/ja-jp/HT206901
15	HT206902	https://support.apple.com/ja-jp/HT206902
16	HT206903	https://support.apple.com/ja-jp/HT206903
17	HT206904	https://support.apple.com/ja-jp/HT206904
18	HT206905	https://support.apple.com/ja-jp/HT206905
xmlsoft
19	libxslt	http://xmlsoft.org/libxslt/

その他

No	Name	URL
JVN
1	JVNVU#94844193	http://jvn.jp/vu/JVNVU94844193/index.html

Change Log

No	Changed Details	Date of change
0	[2016年07月29日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-4607

Summary	libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612.
Publication Date	July 22, 2016, 11:59 a.m.
Registration Date	Jan. 26, 2021, 2:12 p.m.
Last Update	Nov. 21, 2024, 11:52 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:xmlsoft:libxslt::::::::					1.1.29

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:apple:iphone_os::::::::				9.3.3
cpe:2.3:o:apple:tvos::::::::				9.2.2
cpe:2.3:o:apple:mac_os_x::::::::				10.11.6
cpe:2.3:o:apple:watchos::::::::				2.2.2

Configuration3		or higher	or less	more than	less than
cpe:2.3:a:apple:icloud::::::::					5.2.1
cpe:2.3:a:apple:itunes::::::::					12.4.2
execution environment
1	cpe:2.3:o:microsoft:windows:-:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:30:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html	Mailing List Vendor Advisory
2	http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.html	Mailing List Vendor Advisory
3	http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html	Mailing List Vendor Advisory
4	http://lists.apple.com/archives/security-announce/2016/Jul/msg00001.html	Mailing List Vendor Advisory
5	http://lists.apple.com/archives/security-announce/2016/Jul/msg00002.html	Mailing List Vendor Advisory
6	http://lists.apple.com/archives/security-announce/2016/Jul/msg00002.html	Mailing List Vendor Advisory
7	http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html	Mailing List Vendor Advisory
8	http://lists.apple.com/archives/security-announce/2016/Jul/msg00003.html	Mailing List Vendor Advisory
9	http://lists.apple.com/archives/security-announce/2016/Jul/msg00005.html	Mailing List Vendor Advisory
10	http://lists.apple.com/archives/security-announce/2016/Jul/msg00005.html	Mailing List Vendor Advisory
11	http://www.securityfocus.com/bid/91834	Third Party Advisory VDB Entry
12	http://www.securityfocus.com/bid/91834	Third Party Advisory VDB Entry
13	http://www.securitytracker.com/id/1036348	Third Party Advisory VDB Entry
14	http://www.securitytracker.com/id/1036348	Third Party Advisory VDB Entry
15	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
16	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
17	https://support.apple.com/HT206899	Vendor Advisory
18	https://support.apple.com/HT206899	Vendor Advisory
19	https://support.apple.com/HT206901	Vendor Advisory
20	https://support.apple.com/HT206901	Vendor Advisory
21	https://support.apple.com/HT206902	Vendor Advisory
22	https://support.apple.com/HT206902	Vendor Advisory
23	https://support.apple.com/HT206903	Vendor Advisory
24	https://support.apple.com/HT206903	Vendor Advisory
25	https://support.apple.com/HT206904	Vendor Advisory
26	https://support.apple.com/HT206904	Vendor Advisory
27	https://support.apple.com/HT206905	Vendor Advisory
28	https://support.apple.com/HT206905	Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html