RobertHathaway created SOLR-13115:
-------------------------------------
Summary: CVE-2012-0881(CVE-2013-4002) Threat Level 7 Against Solr
v7.6. xerces : xercesImpl : 2.9.1. Apache Xerces2 Java Parser before 2.12.0
allows remote attackers to cause a denial of service (CPU consumption) via a
crafted message to an XML service...
Key: SOLR-13115
URL: https://issues.apache.org/jira/browse/SOLR-13115
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Affects Versions: 7.6
Environment: RedHat Linux. May run on RHEL versions 5, 6 or 7, but this
issue comes from a Sonatype component scan and should be independent of the
Linux platform version.
Reporter: RobertHathaway
We can't move to Solr 7 without fixing this issue, flagged by a Sonatype scan of
the Solr 7.6.0 build,
using Scanner 1.56.0-01:
Threat Level 7 Against Solr v7.6. xerces : xercesImpl : 2.9.1
Two issues arise from Apache Xerces2 Java Parser before 2.12.0:
h2. CVE-2012-0881
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a
denial of service (CPU consumption) via a crafted message to an XML service,
which triggers hash table collisions.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
h2. CVE-2013-4002
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the
Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6
SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40
and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit
R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and
earlier, and possibly other products allows remote attackers to cause a denial
of service via vectors related to XML attribute names.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
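The check a reader of this issue would want to reproduce is the scanner's own finding: which `xercesImpl` artifact a build carries, and whether its version predates the 2.12.0 fix release named in both CVE descriptions. The script below is an added example written for this page; it is not Solr code and not Sonatype's scanner. The coordinate `xerces:xercesImpl`, the flagged version 2.9.1 and the fixed version 2.12.0 are taken from the issue text; the jar paths in the sample listing are constructed for illustration and do not claim to reflect the real layout of a Solr 7.6.0 distribution. It accepts both jar file names (as `find <solr-dir> -name '*.jar'` would print them) and scanner-style `group : artifact : version` lines, and it compares versions numerically, because a naive string comparison ranks "2.9.1" above "2.12.0" and would wrongly clear the vulnerable jar.

```python
"""Added example for SOLR-13115 (not part of Solr or of any scanner):
flag xercesImpl artifacts older than the 2.12.0 fix release.

Version data (2.9.1 flagged, fixed in 2.12.0) comes from the issue text;
the sample listing below is constructed and its paths are illustrative.
"""
import re
from typing import Iterable, List, Optional, Tuple

# "Apache Xerces2 Java Parser before 2.12.0" is affected per both CVEs.
FIXED_XERCES_VERSION = "2.12.0"

# xercesImpl-2.9.1.jar, xercesImpl-2.12.0.jar, optional qualifier allowed.
_JAR_RE = re.compile(r"^xercesImpl-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9.]+)?\.jar$")
# Scanner-style coordinate, e.g. "xerces : xercesImpl : 2.9.1".
_COORD_RE = re.compile(r"^\s*xerces\s*:\s*xercesImpl\s*:\s*(\d+(?:\.\d+)*)\s*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.9.1' -> (2, 9, 1): numeric parts, so 9 < 12 as intended."""
    return tuple(int(part) for part in version.split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric, zero-padded comparison: '2.12' == '2.12.0', '2.9.1' < '2.12.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def is_vulnerable_xerces(version: str) -> bool:
    """True when the xercesImpl version predates the fix release."""
    return version_lt(version, FIXED_XERCES_VERSION)


def xerces_version_of(entry: str) -> Optional[str]:
    """Extract the xercesImpl version from a jar path or a coordinate line."""
    basename = entry.rsplit("/", 1)[-1]
    match = _JAR_RE.match(basename) or _COORD_RE.match(entry)
    return match.group(1) if match else None


def scan(entries: Iterable[str]) -> List[Tuple[str, str, bool]]:
    """Return (entry, version, vulnerable) for every xercesImpl reference seen;
    entries that are not xercesImpl are ignored."""
    findings = []
    for entry in entries:
        version = xerces_version_of(entry)
        if version is not None:
            findings.append((entry, version, is_vulnerable_xerces(version)))
    return findings


# Constructed sample listing (paths are illustrative, not Solr's real layout).
SAMPLE_ENTRIES = [
    "lib/xercesImpl-2.9.1.jar",
    "lib/xml-apis-1.4.01.jar",
    "lib/solr-core-7.6.0.jar",
    "xerces : xercesImpl : 2.9.1",
    "lib/xercesImpl-2.12.0.jar",
]


if __name__ == "__main__":
    for entry, version, vulnerable in scan(SAMPLE_ENTRIES):
        status = "VULNERABLE (< %s)" % FIXED_XERCES_VERSION if vulnerable else "ok"
        print("%-32s %-8s %s" % (entry, version, status))
```

To run it against a real build, replace `SAMPLE_ENTRIES` with the output of `find <solr-dir> -name 'xercesImpl-*.jar'`; a jar whose manifest version differs from its file name would need the `Implementation-Version` read from `META-INF/MANIFEST.MF` instead, which this example does not do.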