CVE-2019-18197

7.5 HIGH

📋 TL;DR

CVE-2019-18197 is a use-after-free vulnerability in libxslt's XSLT transformation function that can lead to memory corruption. When exploited, it could allow attackers to write outside buffer boundaries or disclose uninitialized memory data. This affects any application using vulnerable versions of libxslt for XML/XSLT processing.

💻 Affected Systems

Products:
  • libxslt
  • Applications using the libxslt library (e.g., web browsers, XML processors, various Linux packages)
Versions: libxslt 1.1.33 and earlier
Operating Systems: Linux distributions, Unix-like systems, Windows if libxslt is installed
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications whose XSLT processing reaches the vulnerable xsltCopyText function in transform.c are affected. Many Linux distributions ship libxslt as part of their packages.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise if the vulnerable library is used in a network service processing untrusted XSLT content.

🟠 Likely Case

Application crash (denial of service) or information disclosure of memory contents, potentially including sensitive data.

🟢 If Mitigated

Limited impact if proper memory protections (ASLR, DEP) are enabled and the application has proper privilege separation.

🌐 Internet-Facing: MEDIUM - Risk depends on whether internet-facing applications process untrusted XSLT content using libxslt.
🏢 Internal Only: LOW - Lower risk for internal systems unless they process untrusted XSLT content from internal sources.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious XSLT content that triggers the use-after-free condition. Public proof-of-concept exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: libxslt 1.1.34 and later

Vendor Advisory: http://xmlsoft.org/xslt/

Restart Required: Yes

Instructions:

1. Update the libxslt package to version 1.1.34 or later.
2. For Linux distributions: use the package manager (apt-get update && apt-get upgrade libxslt1.1, yum update libxslt, etc.).
3. Recompile applications if statically linked.
4. Restart affected services.

🔧 Temporary Workarounds

Disable XSLT processing (platform: all)

If possible, disable XSLT processing in applications that use libxslt.

Input validation (platform: all)

Implement strict input validation for XSLT content before processing.

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems using vulnerable libxslt
  • Deploy memory protection mechanisms (ASLR, DEP) and monitor for crashes

🔍 How to Verify

Check if Vulnerable:

Check the libxslt version: run xsltproc --version, or locate the installed libxslt library and check its version.

Check Version:

xsltproc --version 2>/dev/null | head -1

Verify Fix Applied:

Verify the libxslt version is 1.1.34 or later. Note that xsltproc --version reports the libxslt version as a single number (MAJOR*10000 + MINOR*100 + MICRO, so 1.1.34 prints as 10134), so compare numerically instead of matching a dotted string: v=$(xsltproc --version 2>/dev/null | sed -n 's/.*libxslt \([0-9][0-9]*\).*/\1/p' | head -1); [ "${v:-0}" -ge 10134 ] && echo fixed || echo vulnerable
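The following script is an added example, not part of this advisory or of libxslt itself. It normalises both version formats libxslt can report (the numeric banner from xsltproc --version, e.g. "Using libxml 20910, libxslt 10134 and libexslt 820", and the dotted form from xslt-config --version or pkg-config --modversion libxslt) to the numeric form and compares against the fixed release 1.1.34. The function names and the banner text used for testing are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): is the reported libxslt version
# at or above 1.1.34, the release that fixes CVE-2019-18197?
#
# libxslt reports its version in two shapes:
#   - xsltproc --version prints MAJOR*10000 + MINOR*100 + MICRO,
#     e.g. "Using libxml 20910, libxslt 10134 and libexslt 820"
#   - xslt-config --version / pkg-config --modversion libxslt print "1.1.34"
# Both are normalised to the numeric form before comparing.

FIXED_VERSION=10134   # 1.1.34 encoded as MAJOR*10000 + MINOR*100 + MICRO

# dotted_to_numeric "1.1.34" -> 10134
dotted_to_numeric() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1*10000 + $2*100 + $3 }'
}

# extract_libxslt_version <text> -> numeric version, or an empty line if
# the text is neither an xsltproc banner nor a bare version string
extract_libxslt_version() {
    text=$1
    case $text in
        *libxslt\ [0-9]*)
            # xsltproc banner: take the digits that follow "libxslt "
            printf '%s\n' "$text" | sed -n 's/.*libxslt \([0-9][0-9]*\).*/\1/p' | head -n 1
            ;;
        [0-9]*.[0-9]*.[0-9]*)
            # dotted form from xslt-config / pkg-config
            dotted_to_numeric "$text"
            ;;
        [0-9]*)
            # already numeric
            printf '%s\n' "$text"
            ;;
        *)
            printf '\n'
            ;;
    esac
}

# is_fixed <text> -> exit 0 if the version is >= 1.1.34, 1 if older or unparseable
is_fixed() {
    v=$(extract_libxslt_version "$1")
    [ -n "$v" ] && [ "$v" -ge "$FIXED_VERSION" ]
}

# check_host: live check of the xsltproc on this machine
# exit 0 = fixed, 1 = vulnerable upstream version, 2 = xsltproc not present
check_host() {
    banner=$(xsltproc --version 2>/dev/null | head -n 1) || true
    if [ -z "$banner" ]; then
        echo "unknown: xsltproc not found"
        return 2
    fi
    if is_fixed "$banner"; then
        echo "fixed: $banner"
    else
        echo "VULNERABLE: $banner"
        return 1
    fi
}
```

Run check_host on the target machine, or feed is_fixed the output of pkg-config --modversion libxslt from a build environment. One caveat the version check cannot see: distributions frequently backport the fix into an older upstream version without changing the version number, so a result of "VULNERABLE" on a distro package should be confirmed against that distribution's changelog or security tracker before treating it as exposed.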

📡 Detection & Monitoring

Log Indicators:

  • Application crashes related to libxslt or XSLT processing
  • Memory access violation errors in application logs

Network Indicators:

  • Unusual XSLT content being sent to applications
  • Traffic patterns indicating attempted exploitation

SIEM Query:

source="application.logs" AND ("libxslt" OR "xslt" OR "XSLT") AND ("crash" OR "segfault" OR "memory")
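As an added example (not part of this page), the same filter expressed as a shell pipeline for hosts whose logs are not yet in a SIEM. The search terms are the ones from the query above; the log lines are constructed for the demonstration and do not come from any real incident.

```shell
#!/bin/sh
# Added example (not from the advisory): shell equivalent of the SIEM query
#   ("libxslt" OR "xslt" OR "XSLT") AND ("crash" OR "segfault" OR "memory")
# run over a constructed log sample.

# Constructed sample log lines (not real data). Only lines 2 and 3 should match:
# line 1 mentions xslt but no crash term, line 4 is a routine export, line 5
# has a crash term but nothing to do with xslt.
SAMPLE_LOG='Jan 10 10:01:02 host app[1234]: xslt transform started for doc 42
Jan 10 10:01:03 host kernel: xsltproc[1234]: segfault at 7f3a10 ip 00007f3a error 4 in libxslt.so.1
Jan 10 10:01:04 host app[1235]: error: memory access violation in libxslt during XSLT transform
Jan 10 10:01:05 host app[1236]: nightly report exported via xslt: ok
Jan 10 10:01:06 host sshd[99]: crash recovery complete'

# xslt_crash_filter: reads stdin, prints lines that mention libxslt/xslt
# AND one of the crash/segfault/memory terms (case-insensitive, like the query)
xslt_crash_filter() {
    grep -iE 'libxslt|xslt' | grep -iE 'crash|segfault|memory'
}

# count_xslt_crashes <logtext> -> number of matching lines
count_xslt_crashes() {
    printf '%s\n' "$1" | xslt_crash_filter | wc -l | tr -d ' '
}

# scan_file <path> -> prints matching lines; intended for /var/log/syslog,
# journalctl output piped through a file, or an application log
scan_file() {
    xslt_crash_filter < "$1"
}
```

On a live host, journalctl -k | xslt_crash_filter surfaces kernel segfault records naming libxslt, which is the most direct on-host signal of the crash case described above; repeated hits from the same service are worth correlating with the XSLT inputs it received at that time.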

🔗 References
