CVE-2013-4002


Description

XMLScanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
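The description names two separate fix paths: the standalone Apache Xerces2 Java artifact (fixed in 2.12.0) and the copies that Oracle and IBM ship inside their JDKs (fixed by the vendor updates listed above, not by swapping a jar). The following script is an added example, not code from Tenable, Apache Xerces or any vendor named on this page. It walks a directory tree, identifies Xerces-J jars by the presence of org/apache/xerces/impl/XMLScanner.class (the file named in the CVE), reads Implementation-Version from the jar manifest and compares it numerically against 2.12.0. It assumes that xercesImpl jars carry Implementation-Version in META-INF/MANIFEST.MF; the jar it builds for its own test is a constructed fixture, not a real Xerces release. It does not inspect the JDK's bundled copy under com.sun.org.apache.xerces.internal, so JDK exposure must still be judged from the JDK update level.

```python
import io
import re
import zipfile
from pathlib import Path

# Fixed release per the advisory text: Xerces2 Java before 2.12.0 is affected.
FIXED_VERSION = (2, 12, 0)


def parse_version(text):
    """Turn '2.11.0' (or '2.11.0.SP5', '2.11.0-SNAPSHOT') into a tuple of ints.
    Non-numeric trailing parts are dropped; missing components count as 0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def manifest_fields(manifest_text):
    """Parse the main section of a JAR manifest into a dict, joining the
    continuation lines (leading single space) that the JAR spec allows."""
    fields = {}
    last_key = None
    for raw in manifest_text.splitlines():
        if not raw.strip():
            break  # blank line ends the main section
        if raw.startswith(" ") and last_key:
            fields[last_key] += raw[1:]
            continue
        key, sep, value = raw.partition(":")
        if sep:
            last_key = key.strip()
            fields[last_key] = value.strip()
    return fields


def xerces_version_from_jar(jar_bytes):
    """Return the Xerces version string from a jar, 'unknown' if the jar is
    Xerces but has no usable manifest, or None if it is not Xerces-J at all.
    Assumption: Xerces-J jars contain org/apache/xerces/impl/XMLScanner.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if "org/apache/xerces/impl/XMLScanner.class" not in names:
            return None
        if "META-INF/MANIFEST.MF" not in names:
            return "unknown"
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        return manifest_fields(text).get("Implementation-Version", "unknown")


def is_affected(version_text):
    """Numeric comparison against the fixed release; an unidentifiable
    version is treated as affected rather than silently passed."""
    if version_text is None:
        return False
    if version_text == "unknown":
        return True
    return parse_version(version_text) < FIXED_VERSION


def scan_classpath(root):
    """Walk a directory tree and return (path, version, affected) per Xerces jar."""
    results = []
    for jar in Path(root).rglob("*.jar"):
        try:
            version = xerces_version_from_jar(jar.read_bytes())
        except zipfile.BadZipFile:
            continue
        if version is not None:
            results.append((str(jar), version, is_affected(version)))
    return results


def build_fake_xerces_jar(version):
    """Constructed test fixture laid out like xercesImpl.jar (hypothetical
    manifest content; the class file is a placeholder header only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\n"
                    "Implementation-Title: org.apache.xerces\r\n"
                    f"Implementation-Version: {version}\r\n\r\n")
        zf.writestr("org/apache/xerces/impl/XMLScanner.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for path, version, bad in scan_classpath(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if bad else 'ok      '} {version:10} {path}")
```

Two caveats when reading the output. Versions are compared as integer tuples, not strings, because a string comparison ranks "2.9.1" above "2.12.0". And distribution packages backport the fix without bumping the upstream version (the Fedora plugins on this page ship xerces-j2-2.11.0-15.fc19 and later as fixed builds), so on a distro-managed host a 2.11.0 hit from this script must be reconciled against the package changelog or the vendor advisory before it is called vulnerable.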

References

http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html

http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html

http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html

http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html

http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html

http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html

http://marc.info/?l=bugtraq&m=138674031212883&w=2

http://marc.info/?l=bugtraq&m=138674073720143&w=2

http://rhn.redhat.com/errata/RHSA-2013-1059.html

http://rhn.redhat.com/errata/RHSA-2013-1060.html

http://rhn.redhat.com/errata/RHSA-2013-1081.html

http://rhn.redhat.com/errata/RHSA-2013-1440.html

http://rhn.redhat.com/errata/RHSA-2013-1447.html

http://rhn.redhat.com/errata/RHSA-2013-1451.html

http://rhn.redhat.com/errata/RHSA-2013-1505.html

http://rhn.redhat.com/errata/RHSA-2014-1818.html

http://rhn.redhat.com/errata/RHSA-2014-1821.html

http://rhn.redhat.com/errata/RHSA-2014-1822.html

http://rhn.redhat.com/errata/RHSA-2014-1823.html

http://rhn.redhat.com/errata/RHSA-2015-0675.html

http://rhn.redhat.com/errata/RHSA-2015-0720.html

http://rhn.redhat.com/errata/RHSA-2015-0765.html

http://rhn.redhat.com/errata/RHSA-2015-0773.html

http://secunia.com/advisories/56257

http://security.gentoo.org/glsa/glsa-201406-32.xml

http://support.apple.com/kb/HT5982

http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch

http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html

http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002

http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013

http://www.ibm.com/support/docview.wss?uid=swg21648172

http://www.securityfocus.com/bid/61310

http://www.ubuntu.com/usn/USN-2033-1

http://www.ubuntu.com/usn/USN-2089-1

http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015

http://www-01.ibm.com/support/docview.wss?uid=swg21644197

http://www-01.ibm.com/support/docview.wss?uid=swg21653371

http://www-01.ibm.com/support/docview.wss?uid=swg21657539

https://access.redhat.com/errata/RHSA-2014:0414

https://exchange.xforce.ibmcloud.com/vulnerabilities/85260

https://issues.apache.org/jira/browse/XERCESJ-1679

https://lists.apache.org/thread.html/[email protected]%3Cj-users.xerces.apache.org%3E

https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

Details

Source: MITRE

Published: 2013-07-23

Updated: 2018-12-21

Risk Information

CVSS v2

Base Score: 7.1

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

Impact Score: 6.9

Exploitability Score: 8.6

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:ibm:java:5.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.11.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.11.1:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.11.2:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.12.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.12.1:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.12.2:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.12.3:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.12.4:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.12.5:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.13.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.14.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.15.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.16.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.16.1:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:5.0.16.2:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:ibm:java:6.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.1.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.2.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.4.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.5.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.6.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.7.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.8.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.8.1:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.9.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.9.1:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.9.2:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.10.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.10.1:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.11.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.12.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.13.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.13.1:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:6.0.13.2:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:ibm:java:7.0.0.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:7.0.1.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:7.0.2.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:7.0.3.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:7.0.4.0:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:7.0.4.1:*:*:*:*:*:*:*

cpe:2.3:a:ibm:java:7.0.4.2:*:*:*:*:*:*:*

Tenable Plugins

59 plugins total.

ID | Name | Product | Family | Severity
85918 | F5 Networks BIG-IP : Java Runtime Environment vulnerability (SOL16872) | Nessus | F5 Networks Local Security Checks | high
83601 | SUSE SLES10 Security Update : IBM Java 5 (SUSE-SU-2013:1669-1) | Nessus | SuSE Local Security Checks | critical
83595 | SUSE SLES11 Security Update : java-1_7_0-ibm (SUSE-SU-2013:1256-1) | Nessus | SuSE Local Security Checks | critical
79117 | RHEL 7 : JBoss EAP (RHSA-2014:1822) | Nessus | Red Hat Local Security Checks | high
79116 | RHEL 5 : JBoss EAP (RHSA-2014:1821) | Nessus | Red Hat Local Security Checks | high
79115 | RHEL 6 : JBoss EAP (RHSA-2014:1818) | Nessus | Red Hat Local Security Checks | high
79011 | RHEL 5 / 6 : java-1.6.0-sun (RHSA-2014:0414) | Nessus | Red Hat Local Security Checks | medium
78891 | Mac OS X : Java for OS X 2014-001 | Nessus | MacOS X Local Security Checks | critical
78779 | Amazon Linux AMI : xerces-j2 (ALAS-2014-436) | Nessus | Amazon Linux Local Security Checks | high
78019 | Mandriva Linux Security Advisory : xerces-j2 (MDVSA-2014:193) | Nessus | Mandriva Local Security Checks | high
77994 | CentOS 6 / 7 : xerces-j2 (CESA-2014:1319) | Nessus | CentOS Local Security Checks | high
77981 | Scientific Linux Security Update : xerces-j2 on SL6.x i386/x86_64 (20140929) | Nessus | Scientific Linux Local Security Checks | high
77979 | RHEL 6 / 7 : xerces-j2 (RHSA-2014:1319) | Nessus | Red Hat Local Security Checks | high
77978 | Oracle Linux 6 / 7 : xerces-j2 (ELSA-2014-1319) | Nessus | Oracle Linux Local Security Checks | high
77868 | Fedora 19 : xerces-j2-2.11.0-15.fc19 (2014-10649) | Nessus | Fedora Local Security Checks | high
77867 | Fedora 20 : xerces-j2-2.11.0-17.fc20 (2014-10626) | Nessus | Fedora Local Security Checks | high
77791 | Fedora 21 : xerces-j2-2.11.0-22.fc21 (2014-10617) | Nessus | Fedora Local Security Checks | high
77326 | Juniper NSM < 2012.2R9 Multiple Java and Apache Vulnerabilities (JSA10642) | Nessus | Misc. | critical
76303 | GLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT) | Nessus | Gentoo Local Security Checks | critical
75196 | openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:1663-1) | Nessus | SuSE Local Security Checks | critical
73970 | IBM Notes 8.0.x / 8.5.x / 9.0.x with IBM Java < 1.6 SR15 FP1 Multiple Vulnerabilities | Nessus | Windows | critical
73969 | IBM Domino 8.0.x / 8.5.x / 9.0.x with IBM Java < 1.6 SR15 FP1 Multiple Vulnerabilities (credentialed check) | Nessus | Windows | critical
73968 | IBM Domino 9.x < 9.0.1 Fix Pack 1 Multiple Vulnerabilities (uncredentialed check) | Nessus | Misc. | critical
72117 | Ubuntu 12.10 / 13.04 / 13.10 : openjdk-7 vulnerabilities (USN-2089-1) | Nessus | Ubuntu Local Security Checks | critical
71861 | IBM Domino 9.x < 9.0.1 Multiple Vulnerabilities (credentialed check) | Nessus | Windows | critical
71859 | IBM Domino 9.x < 9.0.1 Multiple Vulnerabilities (uncredentialed check) | Nessus | Misc. | critical
71171 | SuSE 11.2 Security Update : OpenJDK 1.6 (SAT Patch Number 8598) | Nessus | SuSE Local Security Checks | critical
71037 | Ubuntu 10.04 LTS / 12.04 LTS : openjdk-6 vulnerabilities (USN-2033-1) | Nessus | Ubuntu Local Security Checks | critical
70967 | Mandriva Linux Security Advisory : java-1.7.0-openjdk (MDVSA-2013:267) | Nessus | Mandriva Local Security Checks | critical
70908 | Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2013-246) | Nessus | Amazon Linux Local Security Checks | critical
70897 | Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2013-235) | Nessus | Amazon Linux Local Security Checks | critical
70873 | SuSE 11.3 Security Update : OpenJDK 7 (SAT Patch Number 8494) | Nessus | SuSE Local Security Checks | critical
70772 | Scientific Linux Security Update : java-1.6.0-openjdk on SL5.x, SL6.x i386/x86_64 (20131105) | Nessus | Scientific Linux Local Security Checks | critical
70771 | RHEL 5 / 6 : java-1.6.0-openjdk (RHSA-2013:1505) | Nessus | Red Hat Local Security Checks | critical
70770 | Oracle Linux 5 / 6 : java-1.6.0-openjdk (ELSA-2013-1505) | Nessus | Oracle Linux Local Security Checks | critical
70769 | CentOS 5 / 6 : java-1.6.0-openjdk (CESA-2013:1505) | Nessus | CentOS Local Security Checks | critical
70744 | IBM Notes 8.5.x < 8.5.3 FP5 Multiple Vulnerabilities | Nessus | Windows | critical
70743 | IBM Domino 8.5.x < 8.5.3 FP5 Multiple Vulnerabilities | Nessus | Windows | critical
70742 | IBM Domino 8.5.x < 8.5.3 FP 5 Multiple Vulnerabilities | Nessus | Misc. | critical
70576 | Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20131022) | Nessus | Scientific Linux Local Security Checks | critical
70571 | CentOS 6 : java-1.7.0-openjdk (CESA-2013:1451) | Nessus | CentOS Local Security Checks | critical
70554 | RHEL 6 : java-1.7.0-openjdk (RHSA-2013:1451) | Nessus | Red Hat Local Security Checks | critical
70551 | Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2013-1451) | Nessus | Oracle Linux Local Security Checks | critical
70547 | CentOS 5 : java-1.7.0-openjdk (CESA-2013:1447) | Nessus | CentOS Local Security Checks | critical
70537 | Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x i386/x86_64 (20131021) | Nessus | Scientific Linux Local Security Checks | critical
70536 | RHEL 5 : java-1.7.0-openjdk (RHSA-2013:1447) | Nessus | Red Hat Local Security Checks | critical
70535 | Oracle Linux 5 : java-1.7.0-openjdk (ELSA-2013-1447) | Nessus | Oracle Linux Local Security Checks | critical
70488 | RHEL 5 / 6 : java-1.7.0-oracle (RHSA-2013:1440) | Nessus | Red Hat Local Security Checks | critical
70473 | Oracle Java SE Multiple Vulnerabilities (October 2013 CPU) (Unix) | Nessus | Misc. | critical
70472 | Oracle Java SE Multiple Vulnerabilities (October 2013 CPU) | Nessus | Windows | critical
70459 | Mac OS X : Java for Mac OS X 10.6 Update 17 | Nessus | MacOS X Local Security Checks | critical
70458 | Mac OS X : Java for OS X 2013-005 | Nessus | MacOS X Local Security Checks | critical
69093 | SuSE 10 Security Update : java-1_5_0-ibm (ZYPP Patch Number 8653) | Nessus | SuSE Local Security Checks | critical
69072 | SuSE 10 Security Update : java-1_6_0-ibm (ZYPP Patch Number 8657) | Nessus | SuSE Local Security Checks | critical
69070 | SuSE 11.2 / 11.3 Security Update : java-1_7_0-ibm (SAT Patch Numbers 8106 / 8108) | Nessus | SuSE Local Security Checks | critical
69069 | SuSE 11.2 / 11.3 Security Update : java-1_6_0-ibm (SAT Patch Numbers 8105 / 8107) | Nessus | SuSE Local Security Checks | critical
68922 | RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2013:1081) | Nessus | Red Hat Local Security Checks | critical
68901 | RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2013:1060) | Nessus | Red Hat Local Security Checks | critical
68900 | RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2013:1059) | Nessus | Red Hat Local Security Checks | critical