CVE-2013-4002
Denial of service vulnerability in xercesImpl (Maven)

Denial of service Proof of concept

What is CVE-2013-4002 About?

Apache Xerces2 Java Parser is vulnerable to a denial of service when processing XML attribute names. This affects various Java Runtime Environment versions. An attacker can cause a denial of service by sending crafted XML data with problematic attribute names.

Affected Software

xerces:xercesImpl <2.12.0

Technical Details

The vulnerability in XMLscanner.java within Apache Xerces2 Java Parser (before 2.12.0) and its bundled versions in IBM Java and Oracle Java SE allows for a denial of service. The parser's handling of XML attribute names is flawed, specifically when parsing XML documents with specially crafted attribute name structures. An attacker can construct an XML document where the attribute naming scheme, particularly in highly nested or complex structures, causes the parser to consume excessive resources (CPU, memory) or trigger an infinite loop or unhandled exception. This resource exhaustion or crash leads to a denial of service for any application using the vulnerable parser. The attack vector involves sending or providing the crafted XML data to an application that processes it using the vulnerable Xerces parser.

What is the Impact of CVE-2013-4002?

Successful exploitation may allow attackers to disrupt service availability, causing the application to become unresponsive or crash, leading to a denial of service.

What is the Exploitability of CVE-2013-4002?

Exploitation of this denial of service vulnerability is of medium complexity. It requires an attacker to provide specially crafted XML input to an application that utilizes the vulnerable Apache Xerces2 Java Parser or a Java Runtime Environment containing it. No specific authentication or privileges are typically required if the application accepts external XML input. The attack can be remote, targeting any service that parses untrusted XML. Prerequisites include the presence of the vulnerable parser version. The attacker needs to understand how the XML attribute naming scheme can trigger the vulnerability. Risk factors involve publicly exposed endpoints that accept and parse XML from untrusted sources.

What are the Known Public Exploits?

PoC Author   Link   Commentary
tafamace     Link   PoC for CVE-2013-4002

What are the Available Fixes for CVE-2013-4002?

Available Upgrade Options

  • xerces:xercesImpl
    • <2.12.0 → Upgrade to 2.12.0
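To check a build against the affected range above, the following added example (not part of this advisory or of the Xerces project) scans `mvn dependency:tree` output for xerces:xercesImpl below 2.12.0. The sample tree is constructed; the version comparison is numeric so that 2.9.1 is correctly treated as older than 2.12.0 even though it sorts after it as a string.

```python
"""Flag xerces:xercesImpl versions affected by CVE-2013-4002 (< 2.12.0)
in the output of `mvn dependency:tree`."""
import re
import sys

# Fixed version named by the advisory: anything below this is affected.
FIXED = (2, 12, 0)

# dependency:tree prints coordinates as
# groupId:artifactId:packaging[:classifier]:version:scope
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+(?::[\w\-]+)?:"
    r"(?P<version>[\w.\-]+):\w+"
)

def parse_version(text):
    """Leading numeric segments as a tuple, padded to three places.
    Qualifiers such as '-SNAPSHOT' are ignored; '2.12' becomes (2, 12, 0)."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple((nums + [0, 0, 0])[:3])

def find_vulnerable_xerces(tree_output):
    """Return [(coordinate, version)] for every xerces:xercesImpl entry
    whose version is below 2.12.0."""
    hits = []
    for line in tree_output.splitlines():
        m = COORD_RE.search(line)
        if not m or (m["group"], m["artifact"]) != ("xerces", "xercesImpl"):
            continue
        if parse_version(m["version"]) < FIXED:
            hits.append((m.group(0), m["version"]))
    return hits

# Constructed sample: the affected parser arrives transitively via a
# hypothetical legacy library, which is the common way it goes unnoticed.
SAMPLE_TREE = (
    "[INFO] com.example:app:jar:1.0.0\n"
    "[INFO] +- com.example:legacy-lib:jar:3.4.0:compile\n"
    "[INFO] |  \\- xerces:xercesImpl:jar:2.9.1:compile\n"
    "[INFO] \\- xml-apis:xml-apis:jar:1.4.01:compile\n"
)

if __name__ == "__main__":
    data = SAMPLE_TREE if sys.stdin.isatty() else sys.stdin.read()
    for coord, ver in find_vulnerable_xerces(data):
        print(f"CVE-2013-4002: {coord} (version {ver} is below 2.12.0)")
```

Pipe real output in with `mvn dependency:tree | python3 check_xerces.py`; an empty result means no affected xercesImpl version was resolved into the build.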

Additional Resources

What are Similar Vulnerabilities to CVE-2013-4002?

Similar Vulnerabilities: CVE-2009-2625, CVE-2014-0119, CVE-2015-0254, CVE-2017-7656, CVE-2018-12536