IBM Java Apache Xerces-J parser denial of service

ibm-java-cve20134002-dos (85260)

Risk level: High

Description:

A denial of service vulnerability in the Apache Xerces-J parser used by IBM Java could result in a complete availability impact on the affected system.

*CVSS:

Base Score: 7.1
  Access Vector: Network
  Access Complexity: Medium
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: Complete
 
Temporal Score: 5.3
  Exploitability: Unproven
  Remediation Level: Official-Fix
  Report Confidence: Confirmed

Consequences:

Denial of Service

Remedy:

Refer to the appropriate IBM Security Bulletin for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system.

References:

  • IBM developerWorks: IBM Security Update July 2013.
  • IBM Security Bulletin 1644565: IBM WebSphere Message Broker and IBM Integration Bus Security Vulnerability: XML4J denial of service attack (CVE-2013-4002).
  • IBM Security Bulletin 1647217: IBM FileNet Business Process Manager XML 4J denial of service attack (CVE-2013-4002).
  • IBM Security Bulletin 1647384: IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE.
  • IBM Security Bulletin 1648172: IBM FileNet Content Manager and IBM Content Foundation XML 4J denial of service attack (CVE-2013-4002).
  • IBM Security Bulletin 1648197: IBM InfoSphere Optim Performance Manager affected by vulnerability in IBM Java Runtime Environment (CVE-2013-4002).
  • IBM Security Bulletin 1648416: multiple security vulnerabilities in IBM JRE 6.
  • IBM Security Bulletin 1648418: multiple security vulnerabilities in IBM JRE 5.0.
  • IBM Security Bulletin 1649801: IBM Tivoli Composite Application Manager for Transactions affected by vulnerabilities in IBM JRE (Multiple CVEs).
  • IBM Security Bulletin 1650599: IBM Tivoli System Automation for Integrated Operations Management 2.1.1 Vulnerability.
  • IBM Security Bulletin 1650778: IBM Tivoli Monitoring clients affected by vulnerabilities in IBM JRE executed under a security manager.
  • IBM Security Bulletin 1650876: Vulnerability in Rational Lifecycle Integrations Adapter - HP (CVE-2013-4002).
  • IBM Security Bulletin 1651442: Vulnerability IBM Java XML Parser used in IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2013-4002).
  • IBM Security Bulletin 1651448: Tivoli Provisioning Manager for Software Oracle CPU June 2013 (CVE-2013-4002).
  • IBM Security Bulletin 1651728: IBM QuickFile is affected by vulnerabilities that exist in the IBM Java SDK (CVE-2013-4002).
  • IBM Security Bulletin 1652561: TADDM 7.2.2.0 and 7.2.1.5: Vulnerabilities in embedded JRE.
  • IBM Security Bulletin 1652590: IBM Cognos Business Intelligence (CVE-2013-3030, CVE-2013-4002, CVE-2013-2407, CVE-2013-2450, CVE-2013-4034, CVE-2013-5372).
  • IBM Security Bulletin 1652665: IBM Domino Designer 9.0.1 and 8.5.3 Fix Pack 5 fix for IBM JRE XML Parsing Vulnerability.
  • IBM Security Bulletin 1653309: WebSphere Partner Gateway Advanced/Enterprise is affected by vulnerabilities that exist in the IBM Java SDK (CVE-2013-4002, CVE-2013-1571).
  • IBM Security Bulletin 1653371: TADDM 7.2.2.0, 7.2.1.5 and 7.2.0.10: Apache Xerces-J XML parser Denial of Service attack.
  • IBM Security Bulletin 1653721: Security Bulletin: Potential security vulnerabilities in RQM, RTC and RRC for the Oracle June 2013 CPU (CVE-2013-2407, CVE-2013-4002).
  • IBM Security Bulletin 1653815: Potential XML parser denial of service attack affecting all CLM applications (CVE-2013-4002, CVE-2013-5372).
  • IBM Security Bulletin 1654683: IBM Campaign and IBM Contact Optimization - Apache Xerces-J XML parser vulnerability to a Denial of Service attack triggered by malformed XML data. (CVE-2013-4002).
  • IBM Security Bulletin 1657019: Potential security vulnerabilities in Rational Engineering Lifecycle Manager for the Oracle June 2013 CPU (CVE-2013-2407, CVE-2013-4002).
  • IBM Security Bulletin 1659217: Multiple vulnerabilities in usage of IBM Java SDK in IBM Content Analytics with Enterprise Search and IBM OmniFind Enterprise Edition (CVE-2013-5802, CVE-2013-4002, CVE-2013-5825, CVE-2013-5372).
  • IBM Security Bulletin 1659221: Multiple IBM Java SDK security vulnerabilities exist in IBM InfoSphere Information Server (CVE-2013-4002 and CVE-2013-2407).
  • IBM Security Bulletin 1659804: Security Bulletin: IBM Tivoli Federated Identity Manager and Tivoli Federated Identity Manager Business Gateway can be affected by a vulnerability in the IBM Java SDK (CVE-2013-4002).
  • IBM Security Bulletin 1660080: Multiple security vulnerabilities in IBM Java affect InfoSphere Optim Data Masking Solution (CVE-2013-0169, CVE-2013-2407, CVE-2013-2412, CVE-2013-4002).
  • IBM Security Bulletin 1660218: Vulnerabilities in IBM FileNet Content Manager due to security vulnerabilities in Oracle Java Development Kits.
  • IBM Security Bulletin 1660228: Multiple security vulnerabilities in IBM Java affect InfoSphere Optim Data Growth, Test Data Management, and Application Retirement solutions (CVE-2013-2407, CVE-2013-2412, CVE-2013-4002).
  • IBM Security Bulletin 1660230: Multiple security vulnerabilities in IBM Java affect InfoSphere Optim Data Growth Solution for z/OS with Classic Federation (CVE-2013-2407, CVE-2013-2412, CVE-2013-4002).
  • IBM Security Bulletin 1660461: IBM Rational Engineering Lifecycle Manager can be affected by vulnerabilities in the IBM Java JRE/SDK (CVE-2013-5802, CVE-2013-4002, CVE-2013-5825, CVE-2013-5372).
  • IBM Security Bulletin 1660500: IBM Tivoli Security Policy Manager can be affected by multiple vulnerabilities in the IBM Java SDK (CVE-2013-4002, CVE-2013-5825, CVE-2013-5802, CVE-2013-5372).
  • IBM Security Bulletin 1661213: IBM Operational Decision Manager and WebSphere ILOG JRules: Multiple security vulnerabilities in IBM JRE.
  • IBM Security Bulletin 1662870: Multiple security vulnerabilities exist in WebSphere Transformation Extender (CVE-2013-5802, CVE-2013-4002, CVE-2013-5825, CVE-2013-5372, CVE-2013-0599, CVE-2013-0464, CVE-2013-0467, CVE-2013-2962, CVE-2013-2415).
  • IBM Security Bulletin 1663096: Security Bulletin: Java Vulnerability in Rational Automation Framework (CVE-2013-4002, CVE-2013-5825, CVE-2013-5372).
  • IBM Security Bulletin 1663380: Content Integrator- Apache Xerces-J XML parser Denial of Service attack (CVE-2013-4002).
  • IBM Security Bulletin 1663944: IBM Tivoli System Automation Application Manager 3.2.2, 3.2.1, 3.2.0, 3.1.
  • IBM Security Bulletin 1666275: Security Bulletin: Multiple vulnerabilities exist in the SOAP Gateway component of IMS Enterprise Suite (CVE-2013-4002, CVE-2013-5825, CVE-2013-5372, CVE-2014-0416, CVE-2014-0411).
  • IBM Security Bulletin N1019760: Multiple vulnerabilities in the IBM i Java SDK.
  • IBM Security Bulletin T1019751: IBM Platform Application Center (CVE-2013-4002).
  • IBM Security Bulletin T1019773: IBM Platform HPC (CVE-2013-4002).
  • IBM Security Bulletin T1019774: IBM Platform Cluster Manager (CVE-2013-4002).
  • IBM Security Bulletin T1019879: Vulnerability IBM Java XML Parser Used in IBM System Networking Switch Center (CVE-2013-4002).
  • IBM Security Bulletin T1019958: Vulnerability IBM Java XML Parser Used in IBM System Networking Element Manager (CVE-2013-4002).
  • McAfee Security Bulletin SB10058: ePO update fixes multiple Java vulnerabilities reported by Oracle.
  • Oracle Web site: Oracle Critical Patch Update - October 2013.
  • BID-61310: IBM Java CVE-2013-4002 Denial of Service Vulnerability.
  • CVE-2013-4002: Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect availability via unknown vectors.
  • RHSA-2013-1440: Critical: java-1.7.0-oracle security update.
  • RHSA-2013-1447: Important: java-1.7.0-openjdk security update.
  • RHSA-2013-1451: Critical: java-1.7.0-openjdk security update.
  • RHSA-2013-1505: Important: java-1.6.0-openjdk security update.
  • SA54473: IBM Platform Application Center XML Parser Denial of Service Vulnerability.
  • SA54474: IBM Platform Cluster Manager XML Parser Denial of Service Vulnerability.
  • SA55146: IBM Rational Lifecycle Integrations Adapter XML Parser Denial of Service Vulnerability.
  • SA55523: IBM Domino Designer XML Parser Denial of Service Vulnerability.
  • SA55590: McAfee ePolicy Orchestrator Java Multiple Vulnerabilities.
  • SA56198: IBM Sterling B2B Integrator / IBM Sterling File Gateway Multiple Vulnerabilities.

Platforms Affected:

  • Apache Xerces-J XML parser
  • IBM Campaign 7.0
  • IBM Campaign 7.1
  • IBM Campaign 7.2
  • IBM Campaign 7.3
  • IBM Campaign 7.4
  • IBM Campaign 7.5
  • IBM Campaign 7.6
  • IBM Campaign 8.0
  • IBM Campaign 8.1
  • IBM Campaign 8.2
  • IBM Campaign 8.3
  • IBM Campaign 8.4
  • IBM Campaign 8.5
  • IBM Campaign 8.6
  • IBM Campaign 9.0
  • IBM Campaign 9.1
  • IBM Cognos Business Intelligence 10.1
  • IBM Cognos Business Intelligence 10.1.1
  • IBM Cognos Business Intelligence 10.2
  • IBM Cognos Business Intelligence 10.2.1
  • IBM Cognos Business Intelligence 8.4.1
  • IBM Contact Optimization 7.0
  • IBM Contact Optimization 7.1
  • IBM Contact Optimization 7.2
  • IBM Contact Optimization 7.3
  • IBM Contact Optimization 7.4
  • IBM Contact Optimization 7.5
  • IBM Contact Optimization 7.6
  • IBM Contact Optimization 8.0
  • IBM Contact Optimization 8.1
  • IBM Contact Optimization 8.2
  • IBM Contact Optimization 8.3
  • IBM Contact Optimization 8.4
  • IBM Contact Optimization 8.5
  • IBM Contact Optimization 8.6
  • IBM Contact Optimization 9.0
  • IBM Contact Optimization 9.1
  • IBM Content Analytics with Enterprise Search 2.2
  • IBM Content Analytics with Enterprise Search 3.0
  • IBM Content Foundation 5.2.0
  • IBM Content Integrator 8.6
  • IBM Domino Designer 8.5
  • IBM Domino Designer 8.5.1
  • IBM Domino Designer 8.5.2
  • IBM Domino Designer 8.5.3
  • IBM Domino Designer 9.0
  • IBM FileNet Business Process Manager 4.5.1
  • IBM FileNet Business Process Manager 5.0
  • IBM FileNet Business Process Manager 5.1
  • IBM FileNet Content Manager 5.1.0
  • IBM FileNet Content Manager 5.2
  • IBM FileNet Content Manager 5.2.0
  • IBM FileNet Content Manager 5.2.0.1
  • IBM i Java SDK 5.4.0
  • IBM i Java SDK 5.4.5
  • IBM i Java SDK 6.1.0
  • IBM i Java SDK 6.1.1
  • IBM i Java SDK 7.1.0
  • IBM IMS Enterprise Suite SOAP Gateway 2.1
  • IBM IMS Enterprise Suite SOAP Gateway 2.2
  • IBM IMS Enterprise Suite SOAP Gateway 3.1
  • IBM InfoSphere Information Server 8.0
  • IBM InfoSphere Information Server 8.1
  • IBM InfoSphere Information Server 8.5
  • IBM InfoSphere Information Server 8.7
  • IBM InfoSphere Information Server 9.1
  • IBM InfoSphere Optim Data Growth Solution for z/OS with Classic Federation 7.3
  • IBM InfoSphere Optim Data Growth Solution for z/OS with Classic Federation 8.1
  • IBM InfoSphere Optim Data Growth Solution for z/OS with Classic Federation 9.1
  • IBM InfoSphere Optim Data Masking Solution 1.2.0
  • IBM InfoSphere Optim Data Masking Solution 2.1.0
  • IBM InfoSphere Optim Data Masking Solution 2.2.0
  • IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows 5.1
  • IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows 5.1.1
  • IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows 5.1.1.1
  • IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows 5.2
  • IBM InfoSphere Optim Performance Manager for DB2 on Linux, UNIX, and Windows 5.3
  • IBM Integration Bus 9.0.0.0
  • IBM Java SDK 5.0
  • IBM Java SDK 6.0
  • IBM Java SDK 7.0
  • IBM License Metric Tool 7.1.2
  • IBM License Metric Tool 7.2
  • IBM License Metric Tool 7.2.1
  • IBM License Metric Tool 7.2.2
  • IBM License Metric Tool 7.5
  • IBM Omnifind 8.5 Enterprise
  • IBM Omnifind 9.1 Enterprise
  • IBM Operational Decision Manager 7.5
  • IBM Operational Decision Manager 8.0
  • IBM Operational Decision Manager 8.5
  • IBM Optim Performance Manager for DB2 on Linux, UNIX, and Windows 4.1.0.1
  • IBM Optim Performance Manager for DB2 on Linux, UNIX, and Windows 4.1.1
  • IBM Platform Application Center 8.3
  • IBM Platform Application Center 9.1
  • IBM Platform Cluster Manager 3.2
  • IBM Platform Cluster Manager 4.1
  • IBM Platform HPC 3.2
  • IBM QuickFile 1.0
  • IBM QuickFile 1.1
  • IBM Rational Automation Framework 3.0.1
  • IBM Rational Automation Framework 3.0.1.1
  • IBM Rational Engineering Lifecycle Manager 1.0
  • IBM Rational Engineering Lifecycle Manager 1.0.0.1
  • IBM Rational Engineering Lifecycle Manager 4.0.3
  • IBM Rational Engineering Lifecycle Manager 4.0.4
  • IBM Rational Engineering Lifecycle Manager 4.0.5
  • IBM Rational Lifecycle Integrations Adapter - HP 1.0
  • IBM Rational Quality Manager 2.0.1.1
  • IBM Rational Quality Manager 3.0.1.6
  • IBM Rational Quality Manager 4.0.4
  • IBM Rational Requirements Composer 2.0
  • IBM Rational Requirements Composer 3.0
  • IBM Rational Requirements Composer 4.0
  • IBM Rational Team Concert 2.0
  • IBM Rational Team Concert 3.0
  • IBM Rational Team Concert 4.0
  • IBM Sterling B2B Integrator 5.2
  • IBM Sterling File Gateway 2.2
  • IBM System Networking Switch Center 7.1
  • IBM System Networking Switch Center 7.1.1.0
  • IBM System Networking Switch Center 7.1.2.0
  • IBM Systems Networking Element Manager 6.1.0
  • IBM Systems Networking Element Manager 6.1.1
  • IBM Systems Networking Element Manager 6.1.2
  • IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2
  • IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.0
  • IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.1
  • IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.1.5
  • IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.2
  • IBM Tivoli Asset Discovery for Distributed 7.1.2
  • IBM Tivoli Asset Discovery for Distributed 7.2
  • IBM Tivoli Asset Discovery for Distributed 7.2.1
  • IBM Tivoli Asset Discovery for Distributed 7.2.2
  • IBM Tivoli Asset Discovery for Distributed 7.5
  • IBM Tivoli Composite Application Manager for Transactions 7.1
  • IBM Tivoli Composite Application Manager for Transactions 7.2
  • IBM Tivoli Composite Application Manager for Transactions 7.3
  • IBM Tivoli Federated Identity Manager 6.0
  • IBM Tivoli Federated Identity Manager 6.1
  • IBM Tivoli Federated Identity Manager 6.1.1
  • IBM Tivoli Federated Identity Manager 6.2.0
  • IBM Tivoli Federated Identity Manager 6.2.1
  • IBM Tivoli Federated Identity Manager 6.2.2
  • IBM Tivoli Federated Identity Manager Business Gateway 6.1.1
  • IBM Tivoli Federated Identity Manager Business Gateway 6.2.0
  • IBM Tivoli Federated Identity Manager Business Gateway 6.2.1
  • IBM Tivoli Federated Identity Manager Business Gateway 6.2.2
  • IBM Tivoli Monitoring 6.2.0
  • IBM Tivoli Monitoring 6.2.1
  • IBM Tivoli Monitoring 6.2.2
  • IBM Tivoli Monitoring 6.2.3
  • IBM Tivoli Monitoring 6.3.0
  • IBM Tivoli Provisioning Manager 5.1
  • IBM Tivoli Provisioning Manager 5.1.1
  • IBM Tivoli Provisioning Manager 5.1.1.1
  • IBM Tivoli Provisioning Manager 5.1.1.2
  • IBM Tivoli Provisioning Manager 5.1.1.3
  • IBM Tivoli Security Policy Manager 7.1
  • IBM Tivoli System Automation Application Manager 3.1
  • IBM Tivoli System Automation Application Manager 3.2.0
  • IBM Tivoli System Automation Application Manager 3.2.1
  • IBM Tivoli System Automation Application Manager 3.2.2
  • IBM Tivoli System Automation for Integrated Operations Management 2.1
  • IBM Tivoli System Automation for Integrated Operations Management 2.1.1
  • IBM WebSphere ILOG JRules 7.1
  • IBM WebSphere Message Broker 6.1.0.11
  • IBM WebSphere Message Broker 7.0.0.6
  • IBM WebSphere Message Broker 8.0.0.2
  • IBM WebSphere MQ 7.0
  • IBM WebSphere MQ 7.0.0.1
  • IBM WebSphere MQ 7.0.0.2
  • IBM WebSphere MQ 7.0.1
  • IBM WebSphere MQ 7.0.1.1
  • IBM WebSphere MQ 7.0.1.10
  • IBM WebSphere MQ 7.0.1.2
  • IBM WebSphere MQ 7.0.1.3
  • IBM WebSphere MQ 7.0.1.4
  • IBM WebSphere MQ 7.0.1.5
  • IBM WebSphere MQ 7.0.1.6
  • IBM WebSphere MQ 7.0.1.7
  • IBM WebSphere MQ 7.0.1.8
  • IBM WebSphere MQ 7.0.1.9
  • IBM WebSphere MQ 7.1
  • IBM WebSphere MQ 7.1.0.1
  • IBM WebSphere MQ 7.1.0.2
  • IBM WebSphere MQ 7.1.0.3
  • IBM WebSphere MQ 7.5
  • IBM WebSphere MQ 7.5.0.1
  • IBM WebSphere MQ 7.5.0.2
  • IBM WebSphere Operational Decision Manager 7.5
  • IBM WebSphere Partner Gateway 6.2 Advanced
  • IBM WebSphere Partner Gateway 6.2.0.1 Advanced
  • IBM WebSphere Partner Gateway 6.2.0.2 Advanced
  • IBM WebSphere Partner Gateway 6.2.0.3 Advanced
  • IBM WebSphere Partner Gateway 6.2.0.4 Advanced
  • IBM WebSphere Partner Gateway 6.2.0.5 Advanced
  • IBM WebSphere Partner Gateway 6.2.1 Advanced
  • IBM WebSphere Partner Gateway 6.2.1.1 Advanced
  • IBM WebSphere Partner Gateway 6.2.1.2 Advanced
  • IBM WebSphere Transformation Extender Design Studio
  • IBM WebSphere Transformation Extender for Application Programming
  • IBM WebSphere Transformation Extender for Integration Servers
  • IBM WebSphere Transformation Extender for Launcher Hypervisor
  • IBM WebSphere Transformation Extender with Command Server
  • IBM WebSphere Transformation Extender with Launcher
  • McAfee ePolicy Orchestrator 4.0
  • RedHat Enterprise Linux 5
  • RedHat Enterprise Linux 5 Client
  • RedHat Enterprise Linux 6 Server
  • RedHat Enterprise Linux 6 Workstation
  • RedHat Enterprise Linux Desktop 6
  • RedHat Enterprise Linux Desktop Supplementary 6
  • RedHat Enterprise Linux HPC Node 6
  • RedHat Enterprise Linux HPC Node Supplementary 6
  • RedHat Enterprise Linux Server Supplementary 6
  • RedHat Enterprise Linux Workstation Supplementary 6
  • RedHat RHEL Supplementary 5 Server

Reported:

Jul 18, 2013

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

About IBM Internet Security Systems

IBM Internet Security Systems is a trusted security advisor to thousands of the world's leading businesses and governments, helping to provide pre-emptive protection for networks, desktops and servers. The IBM Proventia® integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shield customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force® research and development team, an unequivocal world authority in vulnerability and threat research. The IBM Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the IBM Internet Security Systems Web site at www.iss.net or call 800-776-2362.