CVE-2013-4002

Impact:
Moderate
Public Date:
2013-10-15
IAVA:
2013-A-0191
CWE:
CWE-20
Bugzilla:
1019176: CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU.

Find out more about CVE-2013-4002 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Fuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Server 4 and 5; Red Hat JBoss Enterprise Web Platform 5; Red Hat JBoss SOA Platform 4 and 5; and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

CVSS v2 metrics

Base Score 5
Base Metrics AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server RHSA-2014:1818 2014-11-06
Red Hat Enterprise Linux 5 (java-1.7.0-openjdk) RHSA-2013:1447 2013-10-21
Red Hat Enterprise Linux Supplementary 5 (java-1.6.0-ibm) RHSA-2013:1059 2013-07-15
Red Hat Enterprise Linux Supplementary 5 (java-1.5.0-ibm) RHSA-2013:1081 2013-07-16
Oracle Java for Red Hat Enterprise Linux 6 (java-1.6.0-sun) RHSA-2014:0414 2014-04-17
Red Hat Enterprise Linux 5 (java-1.6.0-openjdk) RHSA-2013:1505 2013-11-05
Red Hat JBoss Fuse Service Works 6.0 RHSA-2015:0720 2015-03-24
Red Hat Enterprise Linux 6 (java-1.7.0-openjdk) RHSA-2013:1451 2013-10-22
Red Hat Enterprise Linux 6 (java-1.6.0-openjdk) RHSA-2013:1505 2013-11-05
Red Hat Enterprise Linux 6 (xerces-j2) RHSA-2014:1319 2014-09-29
Red Hat JBoss BPMS 6.0 RHSA-2015:0234 2015-02-17
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server RHSA-2014:1821 2014-11-06
Red Hat JBoss Data Virtualization 6.0 RHSA-2015:0765 2015-03-31
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.0-oracle) RHSA-2013:1440 2013-10-17
Red Hat JBoss Enterprise Application Platform 6.3 RHSA-2014:1823 2014-11-06
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server RHSA-2014:1822 2014-11-06
Oracle Java for Red Hat Enterprise Linux 5 (java-1.6.0-sun) RHSA-2014:0414 2014-04-17
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.5.0-ibm) RHSA-2013:1081 2013-07-16
Red Hat Enterprise Linux Supplementary 5 (java-1.7.0-ibm) RHSA-2013:1060 2013-07-15
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.7.0-ibm) RHSA-2013:1060 2013-07-15
Red Hat JBoss Data Virtualization 6.1 RHSA-2015:0675 2015-03-11
Red Hat JBoss BRMS 6.0 RHSA-2015:0235 2015-02-17
Red Hat Enterprise Linux Supplementary (v. 6) (java-1.6.0-ibm) RHSA-2013:1059 2013-07-15
Red Hat Enterprise Linux Supplementary 5 (java-1.7.0-oracle) RHSA-2013:1440 2013-10-17
Red Hat Enterprise Linux 7 (xerces-j2) RHSA-2014:1319 2014-09-29
Red Hat JBoss Operations Network 3.3 RHSA-2015:0269 2015-02-25
Red Hat JBoss Data Grid 6.4 RHSA-2015:0773 2015-04-01

Affected Packages State

Platform Package State
Red Hat Software Collections 1 for Red Hat Enterprise Linux maven30-xerces-j2 Will not fix
Red Hat Satellite 5 xerces-j2 Will not fix
Red Hat OpenShift Enterprise 2 xercesMnimal Not affected
Red Hat OpenShift Enterprise 1 xercesMnimal Not affected
Red Hat JBoss Portal Platform 6 xerces-j2 Will not fix
Red Hat JBoss Portal 5 xerces-j2 Will not fix
Red Hat JBoss Enterprise SOA Platform 5 xerces-j2 Will not fix
Red Hat JBoss Enterprise SOA Platform 4 xerces-j2 Will not fix
Red Hat JBoss EWS 1 xerces-j2 Will not fix
Red Hat JBoss EAP 7 Web Services Not affected
Red Hat JBoss EAP 5 xerces-j2 Will not fix
Red Hat JBoss EAP 4 xerces-j2 Will not fix
Red Hat JBoss BRMS 5 xerces-j2 Will not fix
Red Hat Enterprise Linux 5 xerces-j2 Will not fix
RHEV Manager 3 jasperreports-server-pro Will not fix

External References

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.