CVE-2019-11068

9.8 CRITICAL

📋 TL;DR

This vulnerability in libxslt allows attackers to bypass URL access controls by crafting malicious URLs that cause xsltCheckRead to return -1 error codes, which callers incorrectly interpret as permission to load the URL. This affects any application using vulnerable versions of libxslt for XML/XSLT processing, potentially enabling unauthorized file access or remote code execution.
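The root cause described above is a fail-open comparison: an access check that can return allow (1), forbid (0) or error (-1), paired with callers that only deny on an explicit 0. The following C program is an added illustration of that bug class and its fix; it is not libxslt's code. The names (`check_read`, `vulnerable_may_load`, `fixed_may_load`), the toy URI parser and the sample URLs are all constructed for this example, and the parser simply rejects any scheme containing characters outside lowercase letters and digits.

```c
#include <stdio.h>
#include <string.h>

/* Return values of the access check, modelled on a three-state API:
 * 1 = allow, 0 = forbid, -1 = internal error (for example, the URI
 * could not be parsed). */
enum { ACCESS_FORBID = 0, ACCESS_ALLOW = 1, ACCESS_ERROR = -1 };

/* Constructed toy URI parser: accepts "scheme://rest" where the scheme is
 * lowercase letters or digits, and rejects anything else with -1. It stands
 * in for a real URI parser that can fail on unusual input. */
static int toy_parse_uri(const char *url, char *scheme, size_t scheme_len) {
    const char *sep = strstr(url, "://");
    if (sep == NULL || sep == url || (size_t)(sep - url) >= scheme_len)
        return -1;
    for (const char *p = url; p < sep; p++) {
        if (!((*p >= 'a' && *p <= 'z') || (*p >= '0' && *p <= '9')))
            return -1;
    }
    memcpy(scheme, url, (size_t)(sep - url));
    scheme[sep - url] = '\0';
    return 0;
}

/* Policy check (constructed name, not libxslt's xsltCheckRead): allow
 * http, forbid every other scheme, and report a parse failure as an error. */
int check_read(const char *url) {
    char scheme[16];
    if (toy_parse_uri(url, scheme, sizeof scheme) != 0)
        return ACCESS_ERROR;
    if (strcmp(scheme, "http") == 0)
        return ACCESS_ALLOW;
    return ACCESS_FORBID;
}

/* Fail-open caller: only an explicit 0 blocks the load, so the -1 error
 * path is treated as permission. This is the bug class the CVE describes. */
int vulnerable_may_load(const char *url) {
    if (check_read(url) == 0)
        return 0;
    return 1;
}

/* Fail-closed caller: anything other than an explicit allow blocks the load. */
int fixed_may_load(const char *url) {
    if (check_read(url) <= 0)
        return 0;
    return 1;
}

int main(void) {
    /* Constructed inputs; "bad scheme://x" is simply one the toy parser rejects. */
    const char *urls[] = { "http://example.com/a.xsl", "file:///tmp/a.xml", "bad scheme://x" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        printf("%-28s check=%2d vulnerable_caller=%d fixed_caller=%d\n",
               urls[i], check_read(urls[i]),
               vulnerable_may_load(urls[i]), fixed_may_load(urls[i]));
    }
    return 0;
}
```

The defender's takeaway is the comparison direction: a tri-state check must be tested against the allow value (`<= 0` denies), never against the forbid value alone. A regression test that feeds malformed URLs into the check and asserts the caller denies is what keeps this class of bug from reappearing.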

💻 Affected Systems

Products:
  • libxslt
  • Applications using libxslt (e.g., web applications, XML processors, document converters)
Versions: libxslt through version 1.1.33
Operating Systems: Linux, Unix-like systems, Windows (if libxslt is installed)
Default Config Vulnerable: ⚠️ Yes
Notes: Any application that uses libxslt to process XML/XSLT from untrusted sources is vulnerable. Common in web applications, document processing systems, and XML transformation tools.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Unauthorized file access, information disclosure, or denial of service through crafted XSLT transformations.

🟢 If Mitigated: Limited impact with proper network segmentation, application sandboxing, and input validation.

🌐 Internet-Facing: HIGH - Applications processing untrusted XML/XSLT from external sources are directly exploitable.
🏢 Internal Only: MEDIUM - Internal applications processing user-supplied XML/XSLT could be exploited by authenticated users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting malicious URLs in XSLT documents. Public proof-of-concept demonstrates the bypass mechanism.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libxslt 1.1.34 and later

Vendor Advisory: http://xmlsoft.org/XSLT/

Restart Required: Yes

Instructions:

1. Update libxslt to version 1.1.34 or later using your system package manager.
2. For Linux: Use 'apt-get upgrade libxslt1.1' (Debian/Ubuntu) or 'yum update libxslt' (RHEL/CentOS).
3. Restart any services or applications using libxslt.
4. Recompile any statically linked applications with the updated library.

🔧 Temporary Workarounds

Disable external entity processing (all)

Configure XML processors to disable external entity resolution and URL fetching in XSLT transformations.

For libxml2: Set XML_PARSE_NOENT and XML_PARSE_NONET parser options to prevent network access. Caveat: in libxml2, XML_PARSE_NOENT turns entity substitution on rather than off, so only XML_PARSE_NONET actually blocks network fetches; access to files and the network from within a stylesheet is governed by libxslt's own security preferences API (xsltSetSecurityPrefs), which should be set to forbid reads the application does not need.

Input validation and sanitization (all)

Validate and sanitize all XML/XSLT input before processing to reject malicious URLs.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate systems using libxslt from untrusted networks.
  • Use application sandboxing or containerization to limit the impact of potential exploitation.

🔍 How to Verify

Check if Vulnerable:

Check the libxslt version with 'xsltproc --version' or 'dpkg -l libxslt1.1' (Debian) or 'rpm -q libxslt' (RHEL). If the version is 1.1.33 or earlier, the system is vulnerable.

Check Version:

xsltproc --version | head -1

Verify Fix Applied:

After update, verify version is 1.1.34 or later using the same commands. Test with known malicious XSLT samples if available.
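The version check above is easy to script once you know that xsltproc reports versions as a single number (MAJOR*10000 + MINOR*100 + MICRO, so 1.1.34 prints as 10134) on its first output line, "Using libxml ..., libxslt ... and libexslt ...". The C program below is an added example, not part of the advisory: it parses that first line and decides whether the linked libxslt predates the fixed release. The function names are constructed, and the sample lines are constructed in xsltproc's output format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* First fixed release, 1.1.34, in xsltproc's numeric form. */
#define LIBXSLT_FIXED_VERSION 10134

/* Extract the libxslt number from a line such as
 * "Using libxml 20909, libxslt 10133 and libexslt 820".
 * Returns the number, or -1 if the line does not carry one. */
int libxslt_version_from_line(const char *line) {
    const char *p = strstr(line, "libxslt ");
    if (p == NULL)
        return -1;
    p += strlen("libxslt ");
    char *end;
    long v = strtol(p, &end, 10);
    if (end == p || v <= 0)
        return -1;
    return (int)v;
}

/* Render the numeric form as dotted MAJOR.MINOR.MICRO for reporting. */
void format_version(int v, char *out, size_t len) {
    snprintf(out, len, "%d.%d.%d", v / 10000, (v / 100) % 100, v % 100);
}

/* 1 = vulnerable (older than 1.1.34), 0 = fixed, -1 = could not determine. */
int libxslt_is_vulnerable(const char *version_line) {
    int v = libxslt_version_from_line(version_line);
    if (v < 0)
        return -1;
    return v < LIBXSLT_FIXED_VERSION ? 1 : 0;
}

int main(void) {
    /* Constructed sample lines; on a real host pipe `xsltproc --version | head -1` in instead. */
    const char *samples[] = {
        "Using libxml 20909, libxslt 10133 and libexslt 820",
        "Using libxml 20910, libxslt 10134 and libexslt 820",
        "xsltproc: command not found",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = libxslt_version_from_line(samples[i]);
        char dotted[32] = "unknown";
        if (v > 0)
            format_version(v, dotted, sizeof dotted);
        int state = libxslt_is_vulnerable(samples[i]);
        printf("libxslt %-8s -> %s\n", dotted,
               state == 1 ? "VULNERABLE (update to 1.1.34+)" :
               state == 0 ? "fixed" : "undetermined");
    }
    return 0;
}
```

Note that this inspects the libxslt that xsltproc is linked against; applications that bundle or statically link their own copy of libxslt have to be checked separately, which is why step 4 of the fix instructions calls for recompiling them.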

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from XML processing applications
  • Errors in application logs related to XSLT parsing failures
  • Unexpected network connections from XML processors

Network Indicators:

  • Outbound connections from XML processors to unexpected URLs
  • Large or unusual data transfers following XML processing

SIEM Query:

source="application_logs" AND ("xslt" OR "libxslt") AND (error OR failure OR "-1")
