#VU86824 Input validation error in xerces


Vulnerability identifier: #VU86824

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14338

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
xerces
Other software / Other software solutions

Vendor: jboss

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. A remote attacker can pass specially-crafted XML file to the application and manipulate the validation process in certain cases.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

xerces: 2.9.1-1 - 2.12.0.SP02

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1860054
http://lists.apache.org/thread.html/rf96c5afb26b596b4b97883aa90b6c0b0fc4c26aaeea7123c21912103@%3Cj-users.xerces.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Tivoli Network Manager IP Edition (ITNM)
IBM Jazz Reporting Service update for Wildfly
Multiple vulnerabilities in IBM Engineering Systems Design Rhapsody
Multiple vulnerabilities in IBM Application Performance Management products
Multiple vulnerabilities in IBM Jazz Foundation
Multiple vulnerabilities in IBM Security Verify Governance
Multiple vulnerabilities in IBM Call Center for Commerce
Multiple vulnerabilities in IBM Business Automation Workflow
Multiple vulnerabilities in IBM Engineering Requirements Management DOORS/DWA
Multiple vulnerabilities in IBM Cloud Pak for Business Automation