CVE-2020-7595
📋 TL;DR
CVE-2020-7595 is an infinite loop vulnerability in libxml2's XML parser that occurs during specific end-of-file conditions. When exploited, it causes denial of service by consuming excessive CPU resources. Any application using vulnerable versions of libxml2 for XML parsing is affected.
💻 Affected Systems
- libxml2
- Applications using libxml2 library
📦 What is this software?
- Communications Cloud Native Core Network Function Cloud Native Environment by Oracle
- Enterprise Manager Base Platform by Oracle
- Fedora by Fedoraproject
- Libxml2 by Xmlsoft
- Peoplesoft Enterprise Peopletools by Oracle
- Snapdrive by Netapp
- Steelstore Cloud Integrated Storage by Netapp
- Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service through CPU exhaustion, potentially leading to system instability or crashes in applications processing malicious XML.
Likely Case
Application hangs or becomes unresponsive when processing specially crafted XML files, requiring restart.
If Mitigated
Limited impact when input validation and resource limits (parse timeouts, CPU time caps) are in place: a crafted document still hangs the parser, so the application remains exposed to denial of service, but the damage is bounded.
🎯 Exploit Status
Proof of concept available in advisory links. Exploitation requires ability to submit XML to vulnerable parser.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: libxml2 2.9.10 with commit 0e1a49c89076 or later
Vendor Advisory: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076
Restart Required: Yes
Instructions:
1. Update the libxml2 package using the system package manager.
2. On Linux: 'sudo apt update && sudo apt upgrade libxml2' (Debian/Ubuntu) or 'sudo yum update libxml2' (RHEL/CentOS).
3. Restart affected applications/services that use libxml2.
🔧 Temporary Workarounds
Input validation and limits
- Implement XML input validation and resource limits to prevent infinite loops
- Set CPU time limits for XML parsing processes
- Implement XML schema validation
Disable vulnerable XML features
- Disable or restrict XML parsing in applications where it is not essential
- Configure applications to reject XML input if possible
- Use alternative data formats
🧯 If You Can't Patch
- Implement strict input validation for all XML inputs
- Deploy network filtering to block malicious XML payloads
🔍 How to Verify
Check if Vulnerable:
- Check the installed libxml2 version with 'xml2-config --version', 'dpkg -l libxml2' (Debian/Ubuntu) or 'rpm -q libxml2' (RHEL/CentOS/Fedora).
Check Version:
xml2-config --version
Verify Fix Applied:
- Confirm the installed version is libxml2 2.9.10 with commit 0e1a49c89076 or later, or a distribution package whose advisory or changelog shows the fix backported (see the distribution advisories under References).
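As an added example (not part of this advisory or of libxml2), a POSIX shell helper that reads the installed version the way the commands above do and classifies it against the "2.9.10 plus commit 0e1a49c89076" fix level; the function names and the three status words are my own, and the backport caveat is why a bare number below 2.9.10 is reported as unconfirmed rather than as definitely vulnerable.

```shell
#!/bin/sh
# Added helper (not from the advisory or libxml2): classify a libxml2
# version string against the CVE-2020-7595 fix level described above.
# Upstream releases after 2.9.10 carry commit 0e1a49c89076; 2.9.10 itself
# only if that commit was applied; distributions also backport the fix
# into older package versions, so a low number alone is not proof of exposure.

FIX_BASE="2.9.10"

# Reduce packaging strings ("2.9.4+dfsg1-7ubuntu3", "2.9.10-1.fc32") to x.y.z.
normalize_version() {
    printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//'
}

# Print -1, 0 or 1 as $1 is below, equal to or above $2 (numeric components).
version_cmp() {
    awk -v a="$(normalize_version "$1")" -v b="$(normalize_version "$2")" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) { print "1"; exit }
            if (xi < yi) { print "-1"; exit }
        }
        print "0"
    }'
}

# Print one of: patched | needs-commit-check | vulnerable-unless-backported
libxml2_fix_status() {
    case "$(version_cmp "$1" "$FIX_BASE")" in
        1)  echo patched ;;
        0)  echo needs-commit-check ;;             # 2.9.10 without the commit is vulnerable
        *)  echo vulnerable-unless-backported ;;   # older upstream: consult distro advisory
    esac
}

# Read the installed version from whichever tool exists (see How to Verify).
installed_libxml2_version() {
    if command -v xml2-config >/dev/null 2>&1; then
        xml2-config --version
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' libxml2 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' libxml2 2>/dev/null
    fi
}
```

Run as `libxml2_fix_status "$(installed_libxml2_version)"`; a needs-commit-check or vulnerable-unless-backported result means the package changelog or distribution advisory still has to be consulted.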
📡 Detection & Monitoring
Log Indicators:
- High CPU usage by XML parsing processes
- Application hangs/timeouts during XML processing
- Repeated XML parsing errors
Network Indicators:
- Unusually large XML payloads
- Multiple XML parsing requests to same endpoint
SIEM Query:
process.name:"xml" AND cpu.usage > 90
(illustrative pattern only: adapt the field names to your SIEM schema and replace "xml" with the name of the service that actually parses XML with libxml2)
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00047.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-292794.pdf
- https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c89076
- https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/545SPOI3ZPPNPX4TFRIVE4JVRTJRKULL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R55ZR52RMBX24TQTWHCIWKJVRV6YAWI/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JDPF3AAVKUAKDYFMFKSIQSVVS3EEFPQH/
- https://security.gentoo.org/glsa/202010-04
- https://security.netapp.com/advisory/ntap-20200702-0005/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-08
- https://usn.ubuntu.com/4274-1/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html