CVE-2013-4002

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

CVSS v2.0 7.1 HIGH

7.1^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:N/A:C

Exploitability : 8.6 / Impact : 6.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact COMPLETE

References

Link	Resource
http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html	Broken Link Mailing List
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html	Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html	Third Party Advisory
http://marc.info/?l=bugtraq&m=138674031212883&w=2	Issue Tracking Mailing List Third Party Advisory
http://marc.info/?l=bugtraq&m=138674073720143&w=2	Issue Tracking Mailing List Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-1059.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1060.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1081.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1440.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1447.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1451.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1505.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2014-1818.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2014-1821.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2014-1822.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2014-1823.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2015-0675.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2015-0720.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2015-0765.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2015-0773.html	Broken Link
http://secunia.com/advisories/56257	Third Party Advisory
http://security.gentoo.org/glsa/glsa-201406-32.xml	Third Party Advisory
http://support.apple.com/kb/HT5982	Third Party Advisory
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch	Patch Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21644197	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21653371	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21657539	Vendor Advisory
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html	Third Party Advisory
http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002	Vendor Advisory
http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013	Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=swg21648172	Broken Link
http://www.securityfocus.com/bid/61310	Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-2033-1	Third Party Advisory
http://www.ubuntu.com/usn/USN-2089-1	Third Party Advisory
https://access.redhat.com/errata/RHSA-2014:0414	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/85260	VDB Entry Vendor Advisory
https://issues.apache.org/jira/browse/XERCESJ-1679	Issue Tracking Vendor Advisory
https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html	Third Party Advisory
http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html	Broken Link Mailing List
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html	Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html	Third Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html	Third Party Advisory
http://marc.info/?l=bugtraq&m=138674031212883&w=2	Issue Tracking Mailing List Third Party Advisory
http://marc.info/?l=bugtraq&m=138674073720143&w=2	Issue Tracking Mailing List Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-1059.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1060.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1081.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1440.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1447.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1451.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2013-1505.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2014-1818.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2014-1821.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2014-1822.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2014-1823.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2015-0675.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2015-0720.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2015-0765.html	Broken Link
http://rhn.redhat.com/errata/RHSA-2015-0773.html	Broken Link
http://secunia.com/advisories/56257	Third Party Advisory
http://security.gentoo.org/glsa/glsa-201406-32.xml	Third Party Advisory
http://support.apple.com/kb/HT5982	Third Party Advisory
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch	Patch Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21644197	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21653371	Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21657539	Vendor Advisory
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html	Third Party Advisory
http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002	Vendor Advisory
http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013	Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=swg21648172	Broken Link
http://www.securityfocus.com/bid/61310	Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-2033-1	Third Party Advisory
http://www.ubuntu.com/usn/USN-2089-1	Third Party Advisory
https://access.redhat.com/errata/RHSA-2014:0414	Third Party Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/85260	VDB Entry Vendor Advisory
https://issues.apache.org/jira/browse/XERCESJ-1679	Issue Tracking Vendor Advisory
https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:java:5.0.0.0:::::::*
	cpe:2.3:a:ibm:java:5.0.11.0:::::::*
	cpe:2.3:a:ibm:java:5.0.11.1:::::::*
	cpe:2.3:a:ibm:java:5.0.11.2:::::::*
	cpe:2.3:a:ibm:java:5.0.12.0:::::::*
	cpe:2.3:a:ibm:java:5.0.12.1:::::::*
	cpe:2.3:a:ibm:java:5.0.12.2:::::::*
	cpe:2.3:a:ibm:java:5.0.12.3:::::::*
	cpe:2.3:a:ibm:java:5.0.12.4:::::::*
	cpe:2.3:a:ibm:java:5.0.12.5:::::::*
	cpe:2.3:a:ibm:java:5.0.13.0:::::::*
	cpe:2.3:a:ibm:java:5.0.14.0:::::::*
	cpe:2.3:a:ibm:java:5.0.15.0:::::::*
	cpe:2.3:a:ibm:java:5.0.16.0:::::::*
	cpe:2.3:a:ibm:java:5.0.16.1:::::::*
	cpe:2.3:a:ibm:java:5.0.16.2:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:ibm:java:6.0.0.0:::::::*
	cpe:2.3:a:ibm:java:6.0.1.0:::::::*
	cpe:2.3:a:ibm:java:6.0.2.0:::::::*
	cpe:2.3:a:ibm:java:6.0.3.0:::::::*
	cpe:2.3:a:ibm:java:6.0.4.0:::::::*
	cpe:2.3:a:ibm:java:6.0.5.0:::::::*
	cpe:2.3:a:ibm:java:6.0.6.0:::::::*
	cpe:2.3:a:ibm:java:6.0.7.0:::::::*
	cpe:2.3:a:ibm:java:6.0.8.0:::::::*
	cpe:2.3:a:ibm:java:6.0.8.1:::::::*
	cpe:2.3:a:ibm:java:6.0.9.0:::::::*
	cpe:2.3:a:ibm:java:6.0.9.1:::::::*
	cpe:2.3:a:ibm:java:6.0.9.2:::::::*
	cpe:2.3:a:ibm:java:6.0.10.0:::::::*
	cpe:2.3:a:ibm:java:6.0.10.1:::::::*
	cpe:2.3:a:ibm:java:6.0.11.0:::::::*
	cpe:2.3:a:ibm:java:6.0.12.0:::::::*
	cpe:2.3:a:ibm:java:6.0.13.0:::::::*
	cpe:2.3:a:ibm:java:6.0.13.1:::::::*
	cpe:2.3:a:ibm:java:6.0.13.2:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:ibm:java:7.0.0.0:::::::*
	cpe:2.3:a:ibm:java:7.0.1.0:::::::*
	cpe:2.3:a:ibm:java:7.0.2.0:::::::*
	cpe:2.3:a:ibm:java:7.0.3.0:::::::*
	cpe:2.3:a:ibm:java:7.0.4.0:::::::*
	cpe:2.3:a:ibm:java:7.0.4.1:::::::*
	cpe:2.3:a:ibm:java:7.0.4.2:::::::*

Configuration 4 (hide)

OR	cpe:2.3:a:oracle:jdk:1.5.0:update51::::::
	cpe:2.3:a:oracle:jdk:1.6.0:update60::::::
	cpe:2.3:a:oracle:jdk:1.7.0:update40::::::
	cpe:2.3:a:oracle:jre:1.5.0:update51::::::
	cpe:2.3:a:oracle:jre:1.6.0:update60::::::
	cpe:2.3:a:oracle:jre:1.7.0:update40::::::
	cpe:2.3:a:oracle:jrockit::::::::
	cpe:2.3:a:oracle:jrockit::::::::

Configuration 5 (hide)

cpe:2.3:a:ibm:sterling_b2b_integrator:5.2.4:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

OR	cpe:2.3:a:ibm:host_on-demand:11.0:::::::*
	cpe:2.3:a:ibm:host_on-demand:11.0.1:::::::*
	cpe:2.3:a:ibm:host_on-demand:11.0.2:::::::*
	cpe:2.3:a:ibm:host_on-demand:11.0.3:::::::*
	cpe:2.3:a:ibm:host_on-demand:11.0.4:::::::*
	cpe:2.3:a:ibm:host_on-demand:11.0.5:::::::*
	cpe:2.3:a:ibm:host_on-demand:11.0.5.1:::::::*
	cpe:2.3:a:ibm:host_on-demand:11.0.6:::::::*
	cpe:2.3:a:ibm:host_on-demand:11.0.6.1:::::::*
	cpe:2.3:a:ibm:host_on-demand:11.0.7:::::::*
	cpe:2.3:a:ibm:host_on-demand:11.0.8:::::::*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.2.2:*:*:*:*:*:*:*

OR	cpe:2.3:o:ibm:aix:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*
	cpe:2.3:o:oracle:solaris:-::::::-:

Configuration 8 (hide)

AND

OR	cpe:2.3:a:ibm:sterling_b2b_integrator:5.1:::::::*
	cpe:2.3:a:ibm:sterling_b2b_integrator:5.2:::::::*
	cpe:2.3:a:ibm:sterling_file_gateway:2.1:::::::*
	cpe:2.3:a:ibm:sterling_file_gateway:2.2:::::::*

OR	cpe:2.3:o:hp:hp-ux:-:::::::*
	cpe:2.3:o:ibm:aix:-:::::::*
	cpe:2.3:o:ibm:i:-:::::::*
	cpe:2.3:o:linux:linux_kernel:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*
	cpe:2.3:o:oracle:solaris:-::::::-:

Configuration 9 (hide)

OR	cpe:2.3:o:opensuse:opensuse:12.2:::::::*
	cpe:2.3:o:opensuse:opensuse:12.3:::::::*
	cpe:2.3:o:suse:linux_enterprise_desktop:10:sp4:::-:::*
	cpe:2.3:o:suse:linux_enterprise_desktop:11:sp3::::::
	cpe:2.3:o:suse:linux_enterprise_java:10:sp4::::::
	cpe:2.3:o:suse:linux_enterprise_java:11:sp2::::::
	cpe:2.3:o:suse:linux_enterprise_java:11:sp3::::::
	cpe:2.3:o:suse:linux_enterprise_sdk:11:sp2::::::
	cpe:2.3:o:suse:linux_enterprise_sdk:11:sp3::::::
	cpe:2.3:o:suse:linux_enterprise_server:9:::::::*
	cpe:2.3:o:suse:linux_enterprise_server:10:sp3:::ltss:::*
	cpe:2.3:o:suse:linux_enterprise_server:10:sp4:::-:::*
	cpe:2.3:o:suse:linux_enterprise_server:11:sp2::::-::*
	cpe:2.3:o:suse:linux_enterprise_server:11:sp2::::vmware::*
	cpe:2.3:o:suse:linux_enterprise_server:11:sp3::::-::*
	cpe:2.3:o:suse:linux_enterprise_server:11:sp3::::vmware::*

Configuration 10 (hide)

OR	cpe:2.3:o:canonical:ubuntu_linux:10.04::::-:::
	cpe:2.3:o:canonical:ubuntu_linux:12.04::::-:::
	cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:13.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:13.10:::::::*

Configuration 11 (hide)

cpe:2.3:a:apache:xerces2_java:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2013-07-23 11:03

Updated : 2025-04-11 00:51

NVD link : CVE-2013-4002

Mitre link : CVE-2013-4002

CVE.ORG link : CVE-2013-4002

JSON object : View

Products Affected

apache

xerces2_java

suse

linux_enterprise_java
linux_enterprise_sdk
linux_enterprise_desktop
linux_enterprise_server

oracle

jdk
solaris
jre
jrockit

ibm

host_on-demand
java
i
aix
sterling_file_gateway
tivoli_application_dependency_discovery_manager
sterling_b2b_integrator

hp-ux

canonical

ubuntu_linux

linux

linux_kernel

microsoft

windows

opensuse

opensuse

CWE

NVD-CWE-noinfo

7.1 /10