[ https://issues.apache.org/jira/browse/XERCESJ-1679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16245331#comment-16245331 ]

Divan Mostert commented on XERCESJ-1679:
----------------------------------------

Hi Michael,

I'm with Mark on this one. What is keeping you from releasing v2.12.0?

We also have to satisfy compliance requirements and having 2.12.0 would make a 
lot of pain go away.

Looking forward to your reply.

Regards

Divan

> xercesImpl: Security threat CVE-2013-4002
> -----------------------------------------
>
>                 Key: XERCESJ-1679
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1679
>             Project: Xerces2-J
>          Issue Type: Bug
>    Affects Versions: 2.4.0, 2.11.0
>            Reporter: Mark Symons
>            Priority: Critical
>             Fix For: 2.12.0
>
>
> CVE-2013-4002 is a CVE that implicates Java... but was later realised to 
> really be caused by Xerces.
> This is picked up as a "Security-High" vulnerability by Sonatype Nexus IQ 
> analysis, which provides the following background info:
> {quote}
> h3.Description from CVE
> Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 
> 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 
> before 7 SR5 allows remote attackers to affect availability via unknown 
> vectors.
> h3.Explanation
> A flaw found in the way Xerces handles the processing of XML declarations 
> allows for a Denial of Service (DoS) attack while the server application 
> processes the XML supplied by the remote user. Xerces is used as the built-in 
> XML parser for certain versions of Java, hence the Java Runtime Environment 
> was implicated in the CVE description. If this component showed up on a scan, 
> then it is not because of the Java Runtime Environment.
> h3.Detection
> You are vulnerable if your application uses Xerces to parse untrusted and/or 
> user-created XML.
> h3.Recommendation
> There is no non-vulnerable version of this component at the time of this 
> writing, but a fix was committed to the SVN repository. However, the last 
> release was in 2013. Consider updating to the latest Java and switching to 
> JAXP, which is now part of the official JDK as of version 1.6.
> h3.Root Cause
> xercesImpl-2.11.0.jar <= XMLScanner.class : [, 2.12)
> {quote}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
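The "Detection" paragraph in the quoted issue says you are affected if your application parses untrusted XML with Xerces, and the "Recommendation" suggests moving to the JDK-bundled JAXP parser. What is easy to get wrong in practice is knowing which implementation JAXP actually resolves to on a given classpath. The following is an added example written for this thread (it is not Xerces project code and not from the reporter or commenters): it reports the implementation class behind the DOM and SAX factories, where that class was loaded from, and, when it is the standalone Xerces artifact, its self-reported version string for comparison against the 2.12.0 fix version named in the issue. The `org.apache.xerces.` package prefix as the marker for standalone Xerces, and the reflective call to `org.apache.xerces.impl.Version.getVersion()`, are assumptions of this example. The hardened factory at the end shows the usual settings for untrusted input; it narrows entity-based attack surface but does not address the XMLScanner flaw itself, which only a fixed release does.

```java
import java.lang.reflect.Method;
import java.security.CodeSource;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

/**
 * Added example for the XERCESJ-1679 thread; not Xerces project code.
 * Reports which parser implementation the JAXP factories resolve to,
 * where it came from, and (for standalone Xerces) its version string.
 */
public final class XmlParserAudit {

    /** Assumption: standalone xercesImpl uses this package; the JDK-bundled
     *  copy lives under com.sun.org.apache.xerces.internal instead. */
    static final String STANDALONE_XERCES_PREFIX = "org.apache.xerces.";

    /** One audited JAXP factory: API name, implementation class, origin, Xerces version if any. */
    static final class Finding {
        final String api;
        final String implClass;
        final String origin;
        final String xercesVersion; // null when the implementation is not standalone Xerces

        Finding(String api, String implClass, String origin, String xercesVersion) {
            this.api = api;
            this.implClass = implClass;
            this.origin = origin;
            this.xercesVersion = xercesVersion;
        }

        boolean usesStandaloneXerces() {
            return xercesVersion != null;
        }

        @Override
        public String toString() {
            return api + " -> " + implClass + " (from " + origin + ")"
                + (xercesVersion != null ? ", " + xercesVersion : "");
        }
    }

    /** Jar or directory the implementation class was loaded from; JDK classes have no code source. */
    static String originOf(Class<?> impl) {
        CodeSource cs = impl.getProtectionDomain().getCodeSource();
        return (cs == null || cs.getLocation() == null) ? "JDK runtime" : cs.getLocation().toString();
    }

    /**
     * Xerces's own version string (e.g. "Xerces-J 2.11.0"), read through reflection so this
     * class compiles without a Xerces dependency. Assumption: org.apache.xerces.impl.Version
     * exposes a public static getVersion(). Returns null unless the class is standalone Xerces.
     */
    static String xercesVersionOf(Class<?> impl) {
        if (!impl.getName().startsWith(STANDALONE_XERCES_PREFIX)) {
            return null;
        }
        try {
            Class<?> version = Class.forName("org.apache.xerces.impl.Version", true, impl.getClassLoader());
            Method getVersion = version.getMethod("getVersion");
            return String.valueOf(getVersion.invoke(null));
        } catch (ReflectiveOperationException e) {
            return "version unknown (" + e.getClass().getSimpleName() + ")";
        }
    }

    static Finding audit(String api, Class<?> impl) {
        return new Finding(api, impl.getName(), originOf(impl), xercesVersionOf(impl));
    }

    /** Audits the DOM and SAX factories an application would obtain from JAXP. */
    static Finding[] auditJaxp() {
        return new Finding[] {
            audit("DocumentBuilderFactory", DocumentBuilderFactory.newInstance().getClass()),
            audit("SAXParserFactory", SAXParserFactory.newInstance().getClass()),
        };
    }

    /**
     * Factory settings for untrusted XML: secure processing on, DOCTYPE declarations and
     * external entities refused. Limits entity-based attack surface only; it does not fix
     * the XML-declaration handling flaw described in the issue.
     */
    static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        boolean standalone = false;
        for (Finding f : auditJaxp()) {
            System.out.println(f);
            standalone |= f.usesStandaloneXerces();
        }
        System.out.println(standalone
            ? "Standalone xercesImpl is the active parser: compare its version with the 2.12.0 fix version."
            : "JAXP resolves to the JDK-bundled parser; no standalone xercesImpl is in use.");
        hardenedDomFactory(); // throws ParserConfigurationException if a feature is unsupported
    }
}
```

Run it with the application's real classpath (for example `java -cp app.jar:xercesImpl-2.11.0.jar XmlParserAudit`), since JAXP's factory lookup is classpath-dependent and a scan of the build manifest alone does not tell you which parser wins at runtime.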
