Bug 1019176 (CVE-2013-4002)
| Summary: | CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298) | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Stefan Cornelius <scorneli> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | acathrow, aileenc, akurtako, alazarot, asantos, bazulay, bbaranow, bdawidow, bkearney, bleanhar, bmaxwell, bmcclain, brms-jira, ccoleman, cdewolf, chazlett, cperry, csutherl, dandread, darran.lofthouse, dbhole, dblechte, dchen, dmcphers, dosoudil, dsirrine, epp-bugs, etirelli, felias, fnasser, grocha, gvarsami, hfnukal, huwang, idith, iheim, jason.greene, java-maint, jawilson, jbpapp-maint, jclere, jcoleman, jdetiber, jdg-bugs, jialiu, jkeck, jkurik, jokerman, jolee, jorton, jpallich, jrusnack, jshepherd, jvanek, kanderso, kconner, kejohnso, kkhan, krzysztof.daniel, kseifried, kwills, ldimaggi, lgao, lkocman, lmeyer, lpetrovi, lsurette, mbaluch, mbenitez, meissner, mgoldman, michal.skrivanek, mizdebsk, mjc, mmaslano, mmccomas, mmraka, mnewsome, mweiler, mwinkler, myarboro, nobody+bgollahe, nwallace, ohudlick, patrickm, pavelp, pcheung, pgier, psakar, pslavice, puntogil, rbalakri, Rhev-m-bugs, rhq-maint, rkennke, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, sbaiduzh, security-response-team, soa-p-jira, spinder, taw, tcunning, theute, thomas, tjay, tkirby, tmlcoch, tom.jenkinson, ttarrant, twalsh, vhalbert, vtunka, weli, yeylon, ykaul, ylavi |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | icedtea 2.4.3, icedtea 1.11.14, icedtea 1.12.7, xerces-j2 2.12.0 | Doc Type: | Bug Fix |
| Doc Text: |
A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-04-11 04:21:44 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1140003, 1140004, 1140005, 1140031, 1140033, 1140051, 1140052, 1140053, 1140054, 1140161, 1140466, 1140467, 1140468, 1140469, 1140470, 1160941, 1160942, 1160943, 1160944, 1160946, 1160947, 1160948, 1160949, 1160951, 1160952, 1160953, 1160954, 1161004, 1186995, 1192655, 1192656, 1192657, 1192658, 1192659, 1192660, 1192661, 1375418 | ||
| Bug Blocks: | 1017632, 1139983, 1140063, 1147878, 1181883, 1182400, 1182419, 1196295, 1196328, 1196376, 1200191, 1206755 | ||
|
Description
Stefan Cornelius
2013-10-15 09:10:59 UTC
The issue was already fixed in IBM Java 5.0 SR16-FP3, 6 SR14, and 7 SR5: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013 Public info on the issue is limited to A denial of service vulnerability in the Apache Xerces-J parser used by IBM Java could result in a complete availability impact on the affected system. http://xforce.iss.net/xforce/xfdb/85260 This JRE contains a variant of Apache-J XML parser (XM4J) that is vulnerable to a denial of service attack triggered by malformed XML data. http://www-01.ibm.com/support/docview.wss?uid=isg3T1019879 Apache Xerces-J upstream indicated the issue was addressed in Xerces-J SVN via the following commit: http://svn.apache.org/viewvc?view=revision&revision=1499506 It is a subset of the OpenJDK patch. External References: http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html Fixed in Oracle Java SE 7u45 and 6u65. OpenJDK upstream commit: http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/rev/32a6df99656c This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 6 Supplementary for Red Hat Enterprise Linux 5 Via RHSA-2013:1440 https://rhn.redhat.com/errata/RHSA-2013-1440.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2013:1447 https://rhn.redhat.com/errata/RHSA-2013-1447.html This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:1451 https://rhn.redhat.com/errata/RHSA-2013-1451.html This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:1505 https://rhn.redhat.com/errata/RHSA-2013-1505.html Fixed in IcedTea7 2.4.3 and IcedTea6 1.11.14 and 1.12.7: http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-October/025087.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-November/025278.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-November/025328.html This issue has been addressed in following products: Oracle Java for Red Hat Enterprise Linux 6 Oracle Java for Red Hat Enterprise Linux 5 Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html Statement: Fuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/ Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Server 4 and 5; Red Hat JBoss Enterprise Web Platform 5; Red Hat JBoss SOA Platform 4 and 5; and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/ Created xerces-j2 tracking bugs for this issue: Affects: fedora-all [bug 1140031] IssueDescription: A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. xerces-j2-2.11.0-22.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report. xerces-j2-2.11.0-15.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. xerces-j2-2.11.0-17.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2014:1319 https://rhn.redhat.com/errata/RHSA-2014-1319.html This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.3.2 Via RHSA-2014:1823 https://rhn.redhat.com/errata/RHSA-2014-1823.html This issue has been addressed in the following products: JBEAP 6.3.z for RHEL 5 Via RHSA-2014:1821 https://rhn.redhat.com/errata/RHSA-2014-1821.html This issue has been addressed in the following products: JBEAP 6.3.z for RHEL 6 Via RHSA-2014:1818 https://rhn.redhat.com/errata/RHSA-2014-1818.html This issue has been addressed in the following products: JBEAP 6.3.z for RHEL 7 Via RHSA-2014:1822 https://rhn.redhat.com/errata/RHSA-2014-1822.html This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html This issue has been addressed in the following products: Red Hat JBoss Operations Network 3.3.1 Via RHSA-2015:0269 https://rhn.redhat.com/errata/RHSA-2015-0269.html This issue has been addressed in the following products: JBoss Data Virtualization 6.1.0 Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html This issue has been addressed in the following products: Red Hat JBoss Fuse Service Works 6.0.0 Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.0.0 Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html This issue has been addressed in the following products: Red Hat JBoss Data Grid 6.4 Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html Created wildfly tracking bugs for this issue: Affects: fedora-all [bug 1375418] |