CVE-2013-4517

Impact:
Moderate
Public Date:
2013-11-01
CWE:
CWE-400
Bugzilla:
1045257: CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack
It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.
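The practical mitigation is the errata below: the DTD handling lives inside the library's Transform processing, so only a fixed xml-security build closes it. What an application can do on its own is refuse any DOCTYPE before the signature code ever sees the document, and turn on secure validation in the JSR-105 API so the library's own Transform handling runs in restricted mode. The following is an added example, not code from Red Hat or the Apache Santuario project; it uses the JDK's built-in JAXP parser (Xerces features) and the JSR-105 DOM provider, and the class name, the two sample documents and the `KeySelector` parameter are assumptions for illustration.

```java
// Added example (not Red Hat's or Apache Santuario's code): reject DTDs at the
// application parser and enable secure validation in the JSR-105 API.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public class DtdHardenedSignatureInput {

    static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    // Constructed sample input: a signed-looking envelope that carries a DOCTYPE.
    // The DTD here is deliberately harmless; the check must refuse any DOCTYPE
    // up front rather than try to judge how expensive this particular one is.
    static final String WITH_DTD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE Envelope [ <!ENTITY x \"placeholder\"> ]>\n"
        + "<Envelope><Body>&x;</Body>"
        + "<Signature xmlns=\"" + DSIG_NS + "\"/></Envelope>";

    // Constructed sample input without a DTD: this one should be accepted.
    static final String WITHOUT_DTD =
          "<?xml version=\"1.0\"?>\n"
        + "<Envelope><Body>placeholder</Body>"
        + "<Signature xmlns=\"" + DSIG_NS + "\"/></Envelope>";

    /** JAXP parser that refuses DOCTYPE declarations and external entities. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // XML-DSig processing needs namespace-aware DOM
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces feature: any <!DOCTYPE> makes parse() throw before entity expansion starts.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses untrusted input; returns null if the document carried a DTD. */
    static Document parseOrReject(String xml) throws Exception {
        try {
            return hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    /** Validation context with secure validation switched on (second layer). */
    static DOMValidateContext secureContext(KeySelector keySelector, Node signatureNode) {
        DOMValidateContext ctx = new DOMValidateContext(keySelector, signatureNode);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        return ctx;
    }

    /** Unmarshals and validates a ds:Signature element under secure validation. */
    static boolean validate(KeySelector keySelector, Node signatureNode) throws Exception {
        DOMValidateContext ctx = secureContext(keySelector, signatureNode);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        Document withDtd = parseOrReject(WITH_DTD);
        System.out.println("document with DTD accepted: " + (withDtd != null));

        Document clean = parseOrReject(WITHOUT_DTD);
        NodeList sigs = clean.getElementsByTagNameNS(DSIG_NS, "Signature");
        System.out.println("Signature elements found: " + sigs.getLength());
        // A real document would now go through validate(keySelector, sigs.item(0));
        // the placeholder Signature above has no SignedInfo and would not unmarshal.
    }
}
```

The parser hardening only covers XML the application parses itself. Reference data that a Transform parses inside the library (for example, content dereferenced from a Reference URI) goes through the library's own parser, which is exactly the path this CVE is about, so treat the example as defence in depth alongside the errata, not as a replacement for it.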

Find out more about CVE-2013-4517 from the MITRE CVE dictionary and NIST NVD.

Statement

Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4, Fuse Mediation Router 2.7, 2.8 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Fuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4; Red Hat JBoss Enterprise Data Services Platform 5; Red Hat JBoss Enterprise Portal Platform 4 and 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

CVSS v2 metrics

Base Score 5
Base Metrics AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Web Platform 5.2 RHSA-2014:1727 2014-10-28
Red Hat JBoss Enterprise Application Platform 5.2 RHSA-2014:1725 2014-10-28
Red Hat JBoss Web Platform 5 for RHEL 4 AS (xml-security) RHSA-2014:1728 2014-10-28
Red Hat JBoss Portal Platform 6.1 RHSA-2014:0195 2014-02-20
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (xml-security) RHSA-2014:1726 2014-10-28
Red Hat JBoss SOA Platform 5.3 RHSA-2014:0582 2014-05-29
Red Hat JBoss Enterprise Application Platform 6.2 RHSA-2014:0172 2014-02-13
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server RHSA-2014:0171 2014-02-13
Red Hat JBoss Web Platform 5 for RHEL 6 Server (xml-security) RHSA-2014:1728 2014-10-28
Red Hat JBoss Fuse 6.1 RHSA-2014:0400 2014-04-14
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (xml-security) RHSA-2014:1726 2014-10-28
Red Hat JBoss BRMS 6.0 RHSA-2015:0850 2015-04-16
Red Hat JBoss Data Virtualization 6.1 RHSA-2015:0675 2015-03-11
Red Hat JBoss BPMS 6.0 RHSA-2015:0851 2015-04-16
Red Hat JBoss Web Platform 5 for RHEL 5 Server (xml-security) RHSA-2014:1728 2014-10-28
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (xml-security) RHSA-2014:1726 2014-10-28
Red Hat JBoss Operations Network 3.2 RHSA-2014:0473 2014-05-06
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server RHSA-2014:0170 2014-02-13

Affected Packages State

Platform Package State
Red Hat JBoss Portal Platform 4 xmlsec Will not fix
Red Hat JBoss Fuse Service Works 6 xmlsec Will not fix
Red Hat JBoss Enterprise SOA Platform 4.3 xmlsec Will not fix
Red Hat JBoss EAP 4 xmlsec Will not fix
Red Hat JBoss Data Grid 6 xmlsec Not affected
Red Hat JBoss BRMS 5 xmlsec Will not fix
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.