Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2013-4002

Disclosure Date: July 23, 2013
CVE-2013-4002
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • apache,
  • canonical,
  • ibm,
  • opensuse,
  • oracle,
  • suse

Products

  • host on-demand 11.0,
  • host on-demand 11.0.1,
  • host on-demand 11.0.2,
  • host on-demand 11.0.3,
  • host on-demand 11.0.4,
  • host on-demand 11.0.5,
  • host on-demand 11.0.5.1,
  • host on-demand 11.0.6,
  • host on-demand 11.0.6.1,
  • host on-demand 11.0.7,
  • host on-demand 11.0.8,
  • java 5.0.0.0,
  • java 5.0.11.0,
  • java 5.0.11.1,
  • java 5.0.11.2,
  • java 5.0.12.0,
  • java 5.0.12.1,
  • java 5.0.12.2,
  • java 5.0.12.3,
  • java 5.0.12.4,
  • java 5.0.12.5,
  • java 5.0.13.0,
  • java 5.0.14.0,
  • java 5.0.15.0,
  • java 5.0.16.0,
  • java 5.0.16.1,
  • java 5.0.16.2,
  • java 6.0.0.0,
  • java 6.0.1.0,
  • java 6.0.10.0,
  • java 6.0.10.1,
  • java 6.0.11.0,
  • java 6.0.12.0,
  • java 6.0.13.0,
  • java 6.0.13.1,
  • java 6.0.13.2,
  • java 6.0.2.0,
  • java 6.0.3.0,
  • java 6.0.4.0,
  • java 6.0.5.0,
  • java 6.0.6.0,
  • java 6.0.7.0,
  • java 6.0.8.0,
  • java 6.0.8.1,
  • java 6.0.9.0,
  • java 6.0.9.1,
  • java 6.0.9.2,
  • java 7.0.0.0,
  • java 7.0.1.0,
  • java 7.0.2.0,
  • java 7.0.3.0,
  • java 7.0.4.0,
  • java 7.0.4.1,
  • java 7.0.4.2,
  • jdk 1.5.0,
  • jdk 1.6.0,
  • jdk 1.7.0,
  • jre 1.5.0,
  • jre 1.6.0,
  • jre 1.7.0,
  • jrockit,
  • linux enterprise desktop 10,
  • linux enterprise desktop 11,
  • linux enterprise java 10,
  • linux enterprise java 11,
  • linux enterprise sdk 11,
  • linux enterprise server 10,
  • linux enterprise server 11,
  • linux enterprise server 9,
  • opensuse 12.2,
  • opensuse 12.3,
  • sterling b2b integrator 5.1,
  • sterling b2b integrator 5.2,
  • sterling b2b integrator 5.2.4,
  • sterling file gateway 2.1,
  • sterling file gateway 2.2,
  • tivoli application dependency discovery manager 7.2.2,
  • ubuntu linux 10.04,
  • ubuntu linux 12.04,
  • ubuntu linux 12.10,
  • ubuntu linux 13.04,
  • ubuntu linux 13.10,
  • xerces2 java

References

Canonical
CVE-2013-4002 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002)
BID-61310 (http://www.securityfocus.com/bid/61310)
Advisory
http://www.ibm.com/support/docview.wss?uid=swg21648172
IC98015 (http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015)
http://rhn.redhat.com/errata/RHSA-2013-1060.html
https://access.redhat.com/errata/RHSA-2014:0414
GLSA-201406-32 (http://security.gentoo.org/glsa/glsa-201406-32.xml)
http://rhn.redhat.com/errata/RHSA-2013-1447.html
http://rhn.redhat.com/errata/RHSA-2015-0765.html
http://rhn.redhat.com/errata/RHSA-2013-1440.html
http://rhn.redhat.com/errata/RHSA-2015-0675.html
http://www-01.ibm.com/support/docview.wss?uid=swg21657539
http://rhn.redhat.com/errata/RHSA-2015-0773.html
http://rhn.redhat.com/errata/RHSA-2015-0720.html
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html
USN-2033-1 (http://www.ubuntu.com/usn/USN-2033-1)
USN-2089-1 (http://www.ubuntu.com/usn/USN-2089-1)
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html
https://issues.apache.org/jira/browse/XERCESJ-1679
HPSBUX02944 (http://marc.info?l=bugtraq&m=138674073720143&w=2)
http://rhn.redhat.com/errata/RHSA-2013-1505.html
HPSBUX02943 (http://marc.info?l=bugtraq&m=138674031212883&w=2)
http://rhn.redhat.com/errata/RHSA-2014-1822.html
SECUNIA-56257 (http://secunia.com/advisories/56257)
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html
http://rhn.redhat.com/errata/RHSA-2013-1059.html
http://rhn.redhat.com/errata/RHSA-2014-1823.html
http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch
http://www-01.ibm.com/support/docview.wss?uid=swg21644197
APPLE-SA-2013-10-15-1 (http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html)
http://www-01.ibm.com/support/docview.wss?uid=swg21653371
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html
http://rhn.redhat.com/errata/RHSA-2013-1081.html
http://support.apple.com/kb/HT5982
https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
[j-users] 20180503 [ANNOUNCEMENT]: Apache Xerces-J 2.12.0 now available (https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E)
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html
http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002
http://rhn.redhat.com/errata/RHSA-2013-1451.html
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html
http://rhn.redhat.com/errata/RHSA-2014-1818.html
http://rhn.redhat.com/errata/RHSA-2014-1821.html
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html
XF-ibm-java-cve20134002-dos(85260) (https://exchange.xforce.ibmcloud.com/vulnerabilities/85260)
[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report (https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E)
[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1 (https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E)
HPSBUX02944 (http://marc.info/?l=bugtraq&m=138674073720143&w=2)
HPSBUX02943 (http://marc.info/?l=bugtraq&m=138674031212883&w=2)
Miscellaneous
http://www.ibm.com/developerworks/java/jdk/alerts#IBM_Security_Update_July_2013
http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013
https://www.oracle.com/security-alerts/cpuapr2022.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis