CVE-2016-4607

Отчет

Initial assessment incorrectly noted RHEL8 as being affected, due to the lack of detail in all available reports, including upstream. Apple’s advisory provided no usable or meaningful information. Further investigation determined that upstream corrected this in version 1.1.29, via one of a number of security-relevant commits that did not disclose CVE names. RHEL 8.0 shipped with libxslt 1.1.32, which included all of these patches. The CVE page has been updated to reflect that RHEL 8 is in fact not affected. Red Hat OpenStack will consume fixes from the base Red Hat Enterprise Linux Operating System. Therefore the package provided by Red Hat OpenStack has been marked as will not fix. Red Hat Product Security could not determine whether Red Hat Enterprise Linux is affected by this flaw due to lack of information on the flaw. Therefore this issue is being marked as won't fix. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-400: Uncontrolled Resource Consumption vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. Red Hat restricts access to all platform information by default, granting access only after successful hard token-based multi-factor authentication (MFA) and enforcing least privilege to ensure only authorized roles can execute or modify code. The environment employs malicious code protections, including IDS/IPS and antimalware tools to detect threats and monitor resource usage, helping prevent uncontrolled consumption that could lead to system failure. Additional safeguards, such as web application firewalls and load-balancing strategies, protect against resource exhaustion and performance degradation. Event logs are centrally collected, correlated, and analyzed to support monitoring, alerting, and retention, aiding in the detection of abnormal behavior and potential denial-of-service (DoS) conditions. Static code analysis and peer reviews enforce strong input validation and error handling, reducing the likelihood of input-based DoS attacks.