Bug 1019176 (CVE-2013-4002) - CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
Summary: CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4002
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1140003 1140004 1140005 1140031 1140033 1140051 1140052 1140053 1140054 1140161 1140466 1140467 1140468 1140469 1140470 1160941 1160942 1160943 1160944 1160946 1160947 1160948 1160949 1160951 1160952 1160953 1160954 1161004 1186995 1192655 1192656 1192657 1192658 1192659 1192660 1192661 1375418
Blocks: 1017632 1139983 1140063 1147878 1181883 1182400 1182419 1196295 1196328 1196376 1200191 1206755
Reported: 2013-10-15 09:10 UTC by Stefan Cornelius
Modified: 2021-02-17 07:16 UTC
CC: 120 users

Fixed In Version: icedtea 2.4.3, icedtea 1.11.14, icedtea 1.12.7, xerces-j2 2.12.0
Doc Type: Bug Fix
Doc Text:
A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU.
Clone Of:
Environment:
Last Closed: 2016-04-11 04:21:44 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1440 0 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2013-11-13 16:11:19 UTC
Red Hat Product Errata RHSA-2013:1447 0 normal SHIPPED_LIVE Important: java-1.7.0-openjdk security update 2013-10-21 21:42:45 UTC
Red Hat Product Errata RHSA-2013:1451 0 normal SHIPPED_LIVE Critical: java-1.7.0-openjdk security update 2013-10-22 21:17:48 UTC
Red Hat Product Errata RHSA-2013:1505 0 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security update 2013-11-05 23:03:16 UTC
Red Hat Product Errata RHSA-2014:0414 0 normal SHIPPED_LIVE Important: java-1.6.0-sun security update 2017-12-15 19:38:49 UTC
Red Hat Product Errata RHSA-2014:1319 0 normal SHIPPED_LIVE Moderate: xerces-j2 security update 2014-09-30 00:11:53 UTC
Red Hat Product Errata RHSA-2014:1818 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update 2014-11-06 21:47:45 UTC
Red Hat Product Errata RHSA-2014:1821 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update 2014-11-06 21:47:38 UTC
Red Hat Product Errata RHSA-2014:1822 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update 2014-11-06 22:01:06 UTC
Red Hat Product Errata RHSA-2014:1823 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.3.2 update 2014-11-06 21:47:34 UTC
Red Hat Product Errata RHSA-2015:0234 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 security update 2015-02-18 03:27:47 UTC
Red Hat Product Errata RHSA-2015:0235 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 security update 2015-02-18 03:27:36 UTC
Red Hat Product Errata RHSA-2015:0269 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Operations Network 3.3.1 update 2015-02-26 02:35:39 UTC
Red Hat Product Errata RHSA-2015:0675 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.1.0 update 2015-03-11 20:51:21 UTC
Red Hat Product Errata RHSA-2015:0720 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2015-03-25 01:05:53 UTC
Red Hat Product Errata RHSA-2015:0765 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.0.0 security update 2015-03-31 21:00:43 UTC
Red Hat Product Errata RHSA-2015:0773 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Grid 6.4.1 update 2015-04-01 18:48:20 UTC

Description Stefan Cornelius 2013-10-15 09:10:59 UTC
A denial of service flaw was found in the way the JRE processes XML. A remote attacker could use this flaw to supply crafted XML that would lead to a denial of service.

Comment 2 Tomas Hoger 2013-10-15 09:33:14 UTC
The issue was already fixed in IBM Java 5.0 SR16-FP3, 6 SR14, and 7 SR5:

http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013

Public info on the issue is limited to

  A denial of service vulnerability in the Apache Xerces-J parser used by IBM
  Java could result in a complete availability impact on the affected system.

  http://xforce.iss.net/xforce/xfdb/85260

  This JRE contains a variant of Apache-J XML parser (XM4J) that is vulnerable
  to a denial of service attack triggered by malformed XML data.

  http://www-01.ibm.com/support/docview.wss?uid=isg3T1019879

Comment 3 Tomas Hoger 2013-10-15 16:18:35 UTC
Apache Xerces-J upstream indicated the issue was addressed in Xerces-J SVN via the following commit:

http://svn.apache.org/viewvc?view=revision&revision=1499506

It is a subset of the OpenJDK patch.

Comment 4 Stefan Cornelius 2013-10-16 06:38:54 UTC
External References:

http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

Comment 5 Tomas Hoger 2013-10-16 11:09:17 UTC
Fixed in Oracle Java SE 7u45 and 6u65.

OpenJDK upstream commit:

http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/rev/32a6df99656c

Comment 6 errata-xmlrpc 2013-10-17 17:42:43 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2013:1440 https://rhn.redhat.com/errata/RHSA-2013-1440.html

Comment 7 errata-xmlrpc 2013-10-21 17:48:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2013:1447 https://rhn.redhat.com/errata/RHSA-2013-1447.html

Comment 8 errata-xmlrpc 2013-10-22 17:24:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1451 https://rhn.redhat.com/errata/RHSA-2013-1451.html

Comment 10 errata-xmlrpc 2013-11-05 18:08:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1505 https://rhn.redhat.com/errata/RHSA-2013-1505.html

Comment 12 errata-xmlrpc 2014-04-17 11:38:34 UTC
This issue has been addressed in the following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html

Comment 14 Arun Babu Neelicattu 2014-09-10 07:02:38 UTC
Statement:

Fuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Server 4 and 5; Red Hat JBoss Enterprise Web Platform 5; Red Hat JBoss SOA Platform 4 and 5; and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Comment 17 Tomas Hoger 2014-09-10 08:18:36 UTC
Created xerces-j2 tracking bugs for this issue:

Affects: fedora-all [bug 1140031]

Comment 23 Martin Prpič 2014-09-12 09:06:12 UTC
IssueDescription:

A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU.
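
The description above characterises the trigger only as an XML declaration carrying a long pseudo-attribute name. One gate an application can place in front of an unpatched Xerces-J (or any JAXP parser it cannot update immediately) is to validate the declaration against the XML 1.0 grammar before parsing: section 2.8 of the specification permits exactly three pseudo-attributes, version, encoding and standalone, in that order, so a declaration containing any other name, or one that runs past a small fixed length, is not well-formed and can be refused without ever being handed to the parser. The Python below is an added example, not code from Xerces-J, OpenJDK or Red Hat; the names check_xml_declaration, safe_to_parse and XmlDeclError, the 256-byte MAX_DECL_LEN cap and the sample inputs are this example's own constructions.

```python
"""Pre-parse gate for the XML declaration (added example, not Xerces-J code).

XML 1.0 section 2.8 allows exactly three pseudo-attributes in an XMLDecl,
in this order: version, encoding, standalone.  Anything else, including an
over-long name, is not well-formed and is rejected before the parser runs.
"""
import re

# Hypothetical cap (not from the advisory): a well-formed declaration is a
# few dozen bytes, so anything longer is refused without further scanning.
MAX_DECL_LEN = 256

_S = rb"[ \t\r\n]"                       # XML 'S' production
_EQ = _S + rb"*=" + _S + rb"*"           # XML 'Eq' production
_VERSION = rb"(?:'1\.[0-9]+'|\"1\.[0-9]+\")"
_ENCNAME = rb"[A-Za-z][A-Za-z0-9._-]*"
_ENCODING = rb"(?:'" + _ENCNAME + rb"'|\"" + _ENCNAME + rb"\")"
_STANDALONE = rb"(?:'(?:yes|no)'|\"(?:yes|no)\")"

# The full XMLDecl grammar, with the three pseudo-attributes in mandated order.
_XML_DECL = re.compile(
    rb"^<\?xml"
    + _S + rb"+version" + _EQ + _VERSION
    + rb"(?:" + _S + rb"+encoding" + _EQ + _ENCODING + rb")?"
    + rb"(?:" + _S + rb"+standalone" + _EQ + _STANDALONE + rb")?"
    + _S + rb"*\?>$"
)
# Used only after the grammar check, to pull name/value pairs out of the decl.
_PSEUDO_ATTR = re.compile(rb"([a-z]+)" + _EQ + rb"(['\"])([^'\"]*)\2")


class XmlDeclError(ValueError):
    """Raised when the prolog is not a conformant XML declaration."""


def check_xml_declaration(data: bytes, max_decl_len: int = MAX_DECL_LEN) -> dict:
    """Validate the XMLDecl at the start of `data`; return its pseudo-attributes.

    Only ASCII-compatible encodings are handled (UTF-8 with or without BOM,
    ISO-8859-x, ...).  UTF-16 input is refused so the caller transcodes first.
    A document with no declaration returns {} (nothing for this gate to check).
    """
    if data.startswith(b"\xef\xbb\xbf"):           # UTF-8 BOM may precede XMLDecl
        data = data[3:]
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        raise XmlDeclError("UTF-16 input: transcode to UTF-8 before this check")
    if not data.startswith(b"<?xml"):
        return {}
    # Bounded search: a hostile prolog is never scanned past max_decl_len bytes.
    end = data.find(b"?>", 0, max_decl_len)
    if end < 0:
        raise XmlDeclError("XML declaration unterminated within %d bytes" % max_decl_len)
    decl = data[:end + 2]
    if _XML_DECL.match(decl) is None:
        raise XmlDeclError("non-conformant XML declaration: %r" % decl[:80])
    return {name.decode("ascii"): value.decode("ascii")
            for name, _quote, value in _PSEUDO_ATTR.findall(decl)}


def safe_to_parse(data: bytes) -> bool:
    """True if the declaration passes the gate, False if it should be refused."""
    try:
        check_xml_declaration(data)
    except XmlDeclError:
        return False
    return True


if __name__ == "__main__":
    # Constructed samples (not from the advisory): a benign document and a
    # prolog whose single pseudo-attribute name runs to 100 000 bytes.
    benign = b'<?xml version="1.0" encoding="UTF-8"?>\n<doc/>'
    hostile = b'<?xml version="1.0" ' + b"a" * 100_000 + b'="x"?><doc/>'
    print("benign :", check_xml_declaration(benign))
    print("hostile:", safe_to_parse(hostile))
```

The gate only sees the top-level document: text declarations inside external parsed entities are fetched by the parser itself, so this bounds exposure while the fixed versions listed above are rolled out rather than replacing the update. The same grammar check ports directly to a Java servlet filter that inspects the first few hundred bytes of a request body before it reaches the JAXP parser.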

Comment 24 Fedora Update System 2014-09-23 05:04:22 UTC
xerces-j2-2.11.0-22.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2014-09-25 10:32:59 UTC
xerces-j2-2.11.0-15.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2014-09-25 10:44:17 UTC
xerces-j2-2.11.0-17.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 errata-xmlrpc 2014-09-29 20:13:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 7

Via RHSA-2014:1319 https://rhn.redhat.com/errata/RHSA-2014-1319.html

Comment 30 errata-xmlrpc 2014-11-06 16:47:59 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.3.2

Via RHSA-2014:1823 https://rhn.redhat.com/errata/RHSA-2014-1823.html

Comment 31 errata-xmlrpc 2014-11-06 16:48:17 UTC
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 5

Via RHSA-2014:1821 https://rhn.redhat.com/errata/RHSA-2014-1821.html

Comment 32 errata-xmlrpc 2014-11-06 16:48:56 UTC
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 6

Via RHSA-2014:1818 https://rhn.redhat.com/errata/RHSA-2014-1818.html

Comment 33 errata-xmlrpc 2014-11-06 17:02:00 UTC
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 7

Via RHSA-2014:1822 https://rhn.redhat.com/errata/RHSA-2014-1822.html

Comment 37 errata-xmlrpc 2015-02-17 22:27:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 38 errata-xmlrpc 2015-02-17 22:31:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Comment 40 errata-xmlrpc 2015-02-25 21:36:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.3.1

Via RHSA-2015:0269 https://rhn.redhat.com/errata/RHSA-2015-0269.html

Comment 41 errata-xmlrpc 2015-03-11 16:51:52 UTC
This issue has been addressed in the following products:

  JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 42 errata-xmlrpc 2015-03-24 21:05:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

Comment 43 errata-xmlrpc 2015-03-31 17:01:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html

Comment 44 errata-xmlrpc 2015-04-01 14:48:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Grid 6.4

Via RHSA-2015:0773 https://rhn.redhat.com/errata/RHSA-2015-0773.html

Comment 48 Jason Shepherd 2016-09-13 04:05:53 UTC
Created wildfly tracking bugs for this issue:

Affects: fedora-all [bug 1375418]
