[ https://issues.apache.org/jira/browse/XERCESJ-1679?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mark Symons updated XERCESJ-1679:
---------------------------------
Description:
CVE-2013-4002 is a CVE that implicates Java... but was later realised to really
be caused by Xerces.
This is picked up as a "Security-High" vulnerability by Sonatype Nexus IQ
analysis, who provide the following background info:
{quote}
h3.Description from CVE
Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 5.0
before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7
SR5 allows remote attackers to affect availability via unknown vectors.
h3.Explanation
A flaw found in the way Xerces handles the processing of XML declarations
allows for a Denial of Service (DoS) attack while the server application
processes the XML supplied by the remote user. Xerces is used as the built-in
XML parser for certain versions of Java, hence the Java Runtime Environment was
implicated in the CVE description. If this component showed up on a scan, then
it is not because of the Java Runtime Environment.
h3.Detection
You are vulnerable if your application uses Xerces to parse untrusted and/or
user-created XML.
h3.Recommendation
There is no non-vulnerable version of this component at the time of this
writing, but a fix was committed to the SVN repository. However, the last
release was in 2013. Consider updating to the latest Java and switching to JAXP
which is now part of the official JDK as of version 1.6.
h3.Root Cause
xercesImpl-2.11.0.jar <= XMLScanner.class : [, 2.12)
{quote}
was:
Red Hat have [released a fix for
CVE-2013-4002|https://access.redhat.com/security/cve/CVE-2013-4002] but this
level 9 threat is unfixed in the project itself.
This is picked up as a "Security-High" vulnerability by Sonatype Nexus IQ
analysis, who provide the following background info:
{quote}
h3.Description from CVE
Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 5.0
before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7
SR5 allows remote attackers to affect availability via unknown vectors.
h3.Explanation
A flaw found in the way Xerces handles the processing of XML declarations
allows for a Denial of Service (DoS) attack while the server application
processes the XML supplied by the remote user. Xerces is used as the built-in
XML parser for certain versions of Java, hence the Java Runtime Environment was
implicated in the CVE description. If this component showed up on a scan, then
it is not because of the Java Runtime Environment.
h3.Detection
You are vulnerable if your application uses Xerces to parse untrusted and/or
user-created XML.
h3.Recommendation
There is no non-vulnerable version of this component at the time of this
writing, but a fix was committed to the SVN repository. However, the last
release was in 2013. Consider updating to the latest Java and switching to JAXP
which is now part of the official JDK as of version 1.6.
h3.Root Cause
xercesImpl-2.11.0.jar <= XMLScanner.class : [, 2.12)
{quote}
> xercesImpl: Security threat CVE-2013-4002
> -----------------------------------------
>
> Key: XERCESJ-1679
> URL: https://issues.apache.org/jira/browse/XERCESJ-1679
> Project: Xerces2-J
> Issue Type: Bug
> Affects Versions: 2.4.0, 2.11.0
> Reporter: Mark Symons
> Priority: Critical
>
> CVE-2013-4002 is a CVE that implicates Java... but was later realised to
> really be caused by Xerces.
> This is picked up as a "Security-High" vulnerability by Sonatype Nexus IQ
> analysis, who provide the following background info:
> {quote}
> h3.Description from CVE
> Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java
> 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7
> before 7 SR5 allows remote attackers to affect availability via unknown
> vectors.
> h3.Explanation
> A flaw found in the way Xerces handles the processing of XML declarations
> allows for a Denial of Service (DoS) attack while the server application
> processes the XML supplied by the remote user. Xerces is used as the built-in
> XML parser for certain versions of Java, hence the Java Runtime Environment
> was implicated in the CVE description. If this component showed up on a scan,
> then it is not because of the Java Runtime Environment.
> h3.Detection
> You are vulnerable if your application uses Xerces to parse untrusted and/or
> user-created XML.
> h3.Recommendation
> There is no non-vulnerable version of this component at the time of this
> writing, but a fix was committed to the SVN repository. However, the last
> release was in 2013. Consider updating to the latest Java and switching to
> JAXP which is now part of the official JDK as of version 1.6.
> h3.Root Cause
> xercesImpl-2.11.0.jar <= XMLScanner.class : [, 2.12)
> {quote}
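The "Detection" and "Root Cause" sections above say a build is exposed when it resolves xercesImpl in the Maven-style range `[, 2.12)` and uses it to parse untrusted XML. As an added, defender-side example that is not part of this issue or of the Xerces project, the following Python implements that range notation and applies it to `mvn dependency:list` output and to jar file names, so a build or deployment directory can be checked for an affected xercesImpl. The dependency-list text is constructed sample input, and the function names (`in_range`, `find_affected_dependencies`, `jar_is_affected`) are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Affected range taken from the issue's "Root Cause" line: any xercesImpl below 2.12.
AFFECTED_RANGE = "[, 2.12)"

# Constructed sample of `mvn dependency:list` output (not taken from a real build).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    xerces:xercesImpl:jar:2.11.0:compile
[INFO]    xml-apis:xml-apis:jar:1.4.01:compile
[INFO]    junit:junit:jar:4.12:test
"""


def parse_version(version: str) -> Tuple[Tuple[int, object], ...]:
    """Split '2.11.0' or '2.12-beta' into comparable parts.

    Numeric parts become (1, int) and qualifiers become (0, str), so a qualifier
    sorts below any numeric part. Trailing zeros are dropped so 2.12 == 2.12.0.
    """
    parts: List[Tuple[int, object]] = []
    for piece in re.split(r"[.\-]", version.strip()):
        if piece.isdigit():
            parts.append((1, int(piece)))
        elif piece:
            parts.append((0, piece.lower()))
    while parts and parts[-1] == (1, 0):
        parts.pop()
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Comparator returning -1, 0 or 1; the shorter version is padded with zeros."""
    pa, pb = list(parse_version(a)), list(parse_version(b))
    width = max(len(pa), len(pb))
    pa += [(1, 0)] * (width - len(pa))
    pb += [(1, 0)] * (width - len(pb))
    return (pa > pb) - (pa < pb)


# Maven range syntax: '[' / ']' are inclusive bounds, '(' / ')' exclusive, empty = unbounded.
RANGE_RE = re.compile(r"\s*([\[(])\s*([^,\[\]()]*?)\s*,\s*([^,\[\]()]*?)\s*([\])])\s*")


def in_range(version: str, range_spec: str) -> bool:
    """Maven-style range check, e.g. '[, 2.12)' accepts every version below 2.12."""
    m = RANGE_RE.fullmatch(range_spec)
    if not m:
        raise ValueError(f"unsupported range syntax: {range_spec!r}")
    lo_incl, lo, hi, hi_incl = m.group(1) == "[", m.group(2), m.group(3), m.group(4) == "]"
    if lo:
        c = compare_versions(version, lo)
        if c < 0 or (c == 0 and not lo_incl):
            return False
    if hi:
        c = compare_versions(version, hi)
        if c > 0 or (c == 0 and not hi_incl):
            return False
    return True


# One resolved artifact per line: groupId:artifactId:jar:version:scope
DEP_LINE_RE = re.compile(r"^\[INFO\]\s+([^:\s]+):([^:\s]+):jar:([^:\s]+):(\w+)\s*$", re.M)
# Version embedded in a jar file name such as lib/xercesImpl-2.11.0.jar
JAR_NAME_RE = re.compile(r"xercesImpl-([0-9][^/\\]*)\.jar$")


def find_affected_dependencies(listing: str, group: str = "xerces",
                               artifact: str = "xercesImpl",
                               range_spec: str = AFFECTED_RANGE) -> List[Tuple[str, str]]:
    """Return (version, scope) for every resolved artifact that falls inside the range."""
    hits = []
    for g, a, v, scope in DEP_LINE_RE.findall(listing):
        if g == group and a == artifact and in_range(v, range_spec):
            hits.append((v, scope))
    return hits


def jar_is_affected(path: str, range_spec: str = AFFECTED_RANGE) -> Optional[str]:
    """Return the version string if the jar at `path` is an affected xercesImpl, else None."""
    m = JAR_NAME_RE.search(path)
    if m and in_range(m.group(1), range_spec):
        return m.group(1)
    return None


if __name__ == "__main__":
    for version, scope in find_affected_dependencies(SAMPLE_DEPENDENCY_LIST):
        print(f"affected: xerces:xercesImpl:{version} ({scope}) is inside {AFFECTED_RANGE}")
```

Pipe real `mvn dependency:list` output into `find_affected_dependencies`, or walk a deployment's `lib/` directory and pass each jar path to `jar_is_affected`; a `test`-scoped hit is worth less attention than a `compile` or `runtime` one, since only the latter parse XML in production. The version comparator deliberately treats a qualifier such as `-beta` as lower than the bare release, which is what keeps a pre-release of 2.12 inside the affected range.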
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)