[ https://issues.apache.org/jira/browse/XERCESJ-1679?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Michael Glavassevich resolved XERCESJ-1679.
-------------------------------------------
    Resolution: Fixed

This issue has already been fixed. If you require a patch it is available in the SVN repository here: http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch.

> xercesImpl: Security threat CVE-2013-4002
> -----------------------------------------
>
>                 Key: XERCESJ-1679
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1679
>             Project: Xerces2-J
>          Issue Type: Bug
>    Affects Versions: 2.4.0, 2.11.0
>            Reporter: Mark Symons
>            Priority: Critical
>             Fix For: 2.12.0
>
>
> CVE-2013-4002 is a CVE that implicates Java... but was later realised to
> really be caused by Xerces.
> This is picked up as a "Security-High" vulnerability by Sonatype Nexus IQ
> analysis, who provide the following background info:
> {quote}
> h3.Description from CVE
> Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java
> 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7
> before 7 SR5 allows remote attackers to affect availability via unknown
> vectors.
> h3.Explanation
> A flaw found in the way Xerces handles the processing of XML declarations
> allows for a Denial of Service (DoS) attack while the server application
> processes the XML supplied by the remote user. Xerces is used as the built-in
> XML parser for certain versions of Java, hence the Java Runtime Environment
> was implicated in the CVE description. If this component showed up on a scan,
> then it is not because of the Java Runtime Environment.
> h3.Detection
> You are vulnerable if your application uses Xerces to parse untrusted and/or
> user-created XML.
> h3.Recommendation
> There is no non-vulnerable version of this component at the time of this
> writing, but a fix was committed to the SVN repository. However, the last
> release was in 2013. Consider updating to the latest Java and switching to
> JAXP which is now part of the official JDK as of version 1.6
> h3.Root Cause
> xercesImpl-2.11.0.jar <= XMLScanner.class : [, 2.12)
> {quote}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: j-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: j-dev-h...@xerces.apache.org
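The "Detection" and "Root Cause" sections above reduce to one check: is the xercesImpl artifact on your classpath in the affected range `[, 2.12)`? The script below is an added example (not code from this issue or from the Xerces project) that applies that range check to jar file names; it assumes the standard Maven naming `xercesImpl-<version>.jar` and a constructed list of file names.

```python
"""Flag xercesImpl jars inside the affected range [, 2.12) from XERCESJ-1679."""
import re
from pathlib import Path

# Lower bound is open, upper bound is exclusive: every version below 2.12 is affected.
FIXED_VERSION = (2, 12)

# Assumes Maven-style artifact names, e.g. xercesImpl-2.11.0.jar (a qualifier
# such as -SNAPSHOT after the numeric version is tolerated).
JAR_NAME = re.compile(r"^xercesImpl-(?P<ver>\d+(?:\.\d+)*)(?:[-.].*)?\.jar$")


def parse_version(text):
    """Turn '2.11.0' into (2, 11, 0); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version):
    """True when the version sorts below 2.12, i.e. lies in [, 2.12)."""
    # Tuple comparison: (2, 11, 0) < (2, 12) but (2, 12, 0) is not.
    return parse_version(version) < FIXED_VERSION


def scan_jar_names(names):
    """Return (name, version, affected) for every xercesImpl jar in `names`."""
    findings = []
    for name in names:
        m = JAR_NAME.match(name)
        if m:
            ver = m.group("ver")
            findings.append((name, ver, is_affected(ver)))
    return findings


def scan_directory(root):
    """Walk a lib/ or ~/.m2 tree and check every xercesImpl jar found there."""
    return scan_jar_names(p.name for p in Path(root).rglob("xercesImpl-*.jar"))


if __name__ == "__main__":
    # Constructed sample classpath; the third entry is not Xerces and is skipped.
    sample = ["xercesImpl-2.11.0.jar", "xercesImpl-2.12.0.jar", "xml-apis-1.4.01.jar"]
    for name, ver, bad in scan_jar_names(sample):
        print(f"{name}: {'AFFECTED' if bad else 'ok'} (version {ver})")
```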