#VU82534 Resource exhaustion in Xerces2 Java XML Parser - CVE-2013-4002


Vulnerability identifier: #VU82534

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2013-4002

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Xerces2 Java XML Parser
Universal components / Libraries / Software for developers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Xerces2 Java XML Parser: before 2.12.0

External links
https://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013
https://www-01.ibm.com/support/docview.wss?uid=swg21644197
https://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html
https://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html
https://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html
https://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html
https://rhn.redhat.com/errata/RHSA-2013-1081.html
https://rhn.redhat.com/errata/RHSA-2013-1060.html
https://www.securityfocus.com/bid/61310
https://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html
https://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002
https://www.ibm.com/support/docview.wss?uid=swg21648172
https://rhn.redhat.com/errata/RHSA-2013-1440.html
https://rhn.redhat.com/errata/RHSA-2013-1451.html
https://rhn.redhat.com/errata/RHSA-2013-1447.html
https://support.apple.com/kb/HT5982
https://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html
https://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html
https://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html
https://www.ubuntu.com/usn/USN-2033-1
https://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html
https://rhn.redhat.com/errata/RHSA-2013-1505.html
https://www-01.ibm.com/support/docview.wss?uid=swg1IC98015
https://www-01.ibm.com/support/docview.wss?uid=swg21657539
https://marc.info/?l=bugtraq&m=138674073720143&w=2
https://marc.info/?l=bugtraq&m=138674031212883&w=2
https://www-01.ibm.com/support/docview.wss?uid=swg21653371
https://secunia.com/advisories/56257
https://rhn.redhat.com/errata/RHSA-2013-1059.html
https://www.ubuntu.com/usn/USN-2089-1
https://security.gentoo.org/glsa/glsa-201406-32.xml
https://rhn.redhat.com/errata/RHSA-2014-1822.html
https://rhn.redhat.com/errata/RHSA-2014-1818.html
https://rhn.redhat.com/errata/RHSA-2014-1821.html
https://rhn.redhat.com/errata/RHSA-2014-1823.html
https://rhn.redhat.com/errata/RHSA-2015-0675.html
https://rhn.redhat.com/errata/RHSA-2015-0720.html
https://rhn.redhat.com/errata/RHSA-2015-0765.html
https://rhn.redhat.com/errata/RHSA-2015-0773.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/85260
https://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html
https://access.redhat.com/errata/RHSA-2014:0414
https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E
https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
https://issues.apache.org/jira/browse/XERCESJ-1679
https://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E
https://www.oracle.com/security-alerts/cpuapr2022.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Tivoli Network Manager IP Edition (ITNM)
Multiple vulnerabilities in IBM Application Performance Management
Multiple vulnerabilities in IBM Engineering Systems Design Rhapsody
Multiple vulnerabilities in IBM Application Performance Management products
Multiple vulnerabilities in IBM Jazz Foundation
Multiple vulnerabilities in IBM Security Verify Governance
Multiple vulnerabilities in IBM Call Center for Commerce
Multiple vulnerabilities in IBM Sterling Order Management
Multiple vulnerabilities in IBM Operational Decision Manager
Multiple vulnerabilities in IBM Tivoli Composite Application Manager (ITCAM) for Transactions