Lucene search

[email protected]CVE-2013-4002

HistoryJul 23, 2013 - 11:03 a.m.

CVE-2013-4002

2013-07-2311:03:19

[email protected]

web.nvd.nist.gov

127

cve

2013

4002

xmlscanner.java

apache xerces2

java parser

denial of service

xml

attribute names

7.1 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

6.7 Medium

AI Score

Confidence

Low

0.019 Low

EPSS

Percentile

88.5%

JSON

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

Affected configurations

NVD

Node

ibmjavaMatch5.0.0.0

ibmjavaMatch5.0.11.0

ibmjavaMatch5.0.11.1

ibmjavaMatch5.0.11.2

ibmjavaMatch5.0.12.0

ibmjavaMatch5.0.12.1

ibmjavaMatch5.0.12.2

ibmjavaMatch5.0.12.3

ibmjavaMatch5.0.12.4

ibmjavaMatch5.0.12.5

ibmjavaMatch5.0.13.0

ibmjavaMatch5.0.14.0

ibmjavaMatch5.0.15.0

ibmjavaMatch5.0.16.0

ibmjavaMatch5.0.16.1

ibmjavaMatch5.0.16.2

Node

ibmjavaMatch6.0.0.0

ibmjavaMatch6.0.1.0

ibmjavaMatch6.0.2.0

ibmjavaMatch6.0.3.0

ibmjavaMatch6.0.4.0

ibmjavaMatch6.0.5.0

ibmjavaMatch6.0.6.0

ibmjavaMatch6.0.7.0

ibmjavaMatch6.0.8.0

ibmjavaMatch6.0.8.1

ibmjavaMatch6.0.9.0

ibmjavaMatch6.0.9.1

ibmjavaMatch6.0.9.2

ibmjavaMatch6.0.10.0

ibmjavaMatch6.0.10.1

ibmjavaMatch6.0.11.0

ibmjavaMatch6.0.12.0

ibmjavaMatch6.0.13.0

ibmjavaMatch6.0.13.1

ibmjavaMatch6.0.13.2

Node

ibmjavaMatch7.0.0.0

ibmjavaMatch7.0.1.0

ibmjavaMatch7.0.2.0

ibmjavaMatch7.0.3.0

ibmjavaMatch7.0.4.0

ibmjavaMatch7.0.4.1

ibmjavaMatch7.0.4.2

Node

oraclejdkMatch1.5.0update51

oraclejdkMatch1.6.0update60

oraclejdkMatch1.7.0update40

oraclejreMatch1.5.0update51

oraclejreMatch1.6.0update60

oraclejreMatch1.7.0update40

oraclejrockitRanger27.7.0–r27.7.6

oraclejrockitRanger28.0.0–r28.2.8

Node

ibmsterling_b2b_integratorMatch5.2.4

Node

ibmhost_on-demandMatch11.0

ibmhost_on-demandMatch11.0.1

ibmhost_on-demandMatch11.0.2

ibmhost_on-demandMatch11.0.3

ibmhost_on-demandMatch11.0.4

ibmhost_on-demandMatch11.0.5

ibmhost_on-demandMatch11.0.5.1

ibmhost_on-demandMatch11.0.6

ibmhost_on-demandMatch11.0.6.1

ibmhost_on-demandMatch11.0.7

ibmhost_on-demandMatch11.0.8

AND

microsoftwindowsMatch-

Node

ibmtivoli_application_dependency_discovery_managerMatch7.2.2

AND

ibmaixMatch-

linuxlinux_kernelMatch-

microsoftwindowsMatch-

oraclesolarisMatch--

Node

ibmsterling_b2b_integratorMatch5.1

ibmsterling_b2b_integratorMatch5.2

ibmsterling_file_gatewayMatch2.1

ibmsterling_file_gatewayMatch2.2

AND

hphp-uxMatch-

ibmaixMatch-

ibmiMatch-

linuxlinux_kernelMatch-

microsoftwindowsMatch-

oraclesolarisMatch--

Node

opensuseopensuseMatch12.2

opensuseopensuseMatch12.3

suselinux_enterprise_desktopMatch10sp4-

suselinux_enterprise_desktopMatch11sp3

suselinux_enterprise_javaMatch10sp4

suselinux_enterprise_javaMatch11sp2

suselinux_enterprise_javaMatch11sp3

suselinux_enterprise_sdkMatch11sp2

suselinux_enterprise_sdkMatch11sp3

suselinux_enterprise_serverMatch9

suselinux_enterprise_serverMatch10sp3ltss

suselinux_enterprise_serverMatch10sp4-

suselinux_enterprise_serverMatch11sp2-

suselinux_enterprise_serverMatch11sp2vmware

suselinux_enterprise_serverMatch11sp3-

suselinux_enterprise_serverMatch11sp3vmware

Node

canonicalubuntu_linuxMatch10.04-

canonicalubuntu_linuxMatch12.04-

canonicalubuntu_linuxMatch12.10

canonicalubuntu_linuxMatch13.04

canonicalubuntu_linuxMatch13.10

Node

apachexerces2_javaRange2.4.0–2.12.0

CPENameOperatorVersion
ibm:javaibm javaeq5.0.0.0
ibm:javaibm javaeq5.0.11.0
ibm:javaibm javaeq5.0.11.1
ibm:javaibm javaeq5.0.11.2
ibm:javaibm javaeq5.0.12.0
ibm:javaibm javaeq5.0.12.1
ibm:javaibm javaeq5.0.12.2
ibm:javaibm javaeq5.0.12.3
ibm:javaibm javaeq5.0.12.4
ibm:javaibm javaeq5.0.12.5

CPE	Name	Operator	Version
ibm:java	ibm java	eq	5.0.0.0
ibm:java	ibm java	eq	5.0.11.0
ibm:java	ibm java	eq	5.0.11.1
ibm:java	ibm java	eq	5.0.11.2
ibm:java	ibm java	eq	5.0.12.0
ibm:java	ibm java	eq	5.0.12.1
ibm:java	ibm java	eq	5.0.12.2
ibm:java	ibm java	eq	5.0.12.3
ibm:java	ibm java	eq	5.0.12.4
ibm:java	ibm java	eq	5.0.12.5

Rows per page:

1-10 of 161

References

lists.apple.com/archives/security-announce/2013/Oct/msg00001.html

lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html

lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html

lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html

lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html

lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html

lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html

lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html

lists.opensuse.org/opensuse-updates/2013-11/msg00023.html

marc.info/?l=bugtraq&m=138674031212883&w=2

marc.info/?l=bugtraq&m=138674073720143&w=2

rhn.redhat.com/errata/RHSA-2013-1059.html

rhn.redhat.com/errata/RHSA-2013-1060.html

rhn.redhat.com/errata/RHSA-2013-1081.html

rhn.redhat.com/errata/RHSA-2013-1440.html

rhn.redhat.com/errata/RHSA-2013-1447.html

rhn.redhat.com/errata/RHSA-2013-1451.html

rhn.redhat.com/errata/RHSA-2013-1505.html

rhn.redhat.com/errata/RHSA-2014-1818.html

rhn.redhat.com/errata/RHSA-2014-1821.html

rhn.redhat.com/errata/RHSA-2014-1822.html

rhn.redhat.com/errata/RHSA-2014-1823.html

rhn.redhat.com/errata/RHSA-2015-0675.html

rhn.redhat.com/errata/RHSA-2015-0720.html

rhn.redhat.com/errata/RHSA-2015-0765.html

rhn.redhat.com/errata/RHSA-2015-0773.html

secunia.com/advisories/56257

security.gentoo.org/glsa/glsa-201406-32.xml

support.apple.com/kb/HT5982

svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch

www-01.ibm.com/support/docview.wss?uid=swg1IC98015

www-01.ibm.com/support/docview.wss?uid=swg21644197

www-01.ibm.com/support/docview.wss?uid=swg21653371

www-01.ibm.com/support/docview.wss?uid=swg21657539

www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html

www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002

www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013

www.ibm.com/support/docview.wss?uid=swg21648172

www.securityfocus.com/bid/61310

www.ubuntu.com/usn/USN-2033-1

www.ubuntu.com/usn/USN-2089-1

access.redhat.com/errata/RHSA-2014:0414

exchange.xforce.ibmcloud.com/vulnerabilities/85260

issues.apache.org/jira/browse/XERCESJ-1679

lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E

lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E

lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E

www.oracle.com/security-alerts/cpuapr2022.html