Executive Summary
Summary | |
---|---|
Title | xerces-j2 security update |
Informations | |||
---|---|---|---|
Name | RHSA-2014:1319 | First vendor Publication | 2014-09-29 |
Vendor | RedHat | Last vendor Modification | 2014-09-29 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:N/A:C) | |||
---|---|---|---|
Cvss Base Score | 7.1 | Attack Range | Network |
Cvss Impact Score | 6.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated xerces-j2 packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - noarch Red Hat Enterprise Linux Client Optional (v. 7) - noarch Red Hat Enterprise Linux ComputeNode (v. 7) - noarch Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux HPC Node (v. 6) - x86_64 Red Hat Enterprise Linux HPC Node Optional (v. 6) - x86_64 Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Enterprise Linux Server Optional (v. 6) - i386, ppc64, s390x, x86_64 Red Hat Enterprise Linux Server Optional (v. 7) - noarch Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation (v. 7) - noarch Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, x86_64 Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch 3. Description: Apache Xerces for Java (Xerces-J) is a high performance, standards compliant, validating XML parser written in Java. The xerces-j2 packages provide Xerces-J version 2. A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. (CVE-2013-4002) All xerces-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the Xerces-J must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1019176 - CVE-2013-4002 Xerces-J2 OpenJDK: XML parsing Denial of Service (JAXP, 8017298) |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2014-1319.html |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:21576 | |||
Oval ID: | oval:org.mitre.oval:def:21576 | ||
Title: | HP-UX Running Java7, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities | ||
Description: | Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect availability via unknown vectors. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2013-4002 | Version: | 9 |
Platform(s): | HP-UX 11 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26596 | |||
Oval ID: | oval:org.mitre.oval:def:26596 | ||
Title: | ELSA-2014-1319 -- xerces-j2 security update (Moderate) | ||
Description: | Apache Xerces for Java (Xerces-J) is a high performance, standards compliant, validating XML parser written in Java. The xerces-j2 packages provide Xerces-J version 2. A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. (CVE-2013-4002) All xerces-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the Xerces-J must be restarted for this update to take effect. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-1319 CVE-2013-4002 | Version: | 3 |
Platform(s): | Oracle Linux 7 | Product(s): | xerces-j2 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27229 | |||
Oval ID: | oval:org.mitre.oval:def:27229 | ||
Title: | RHSA-2014:1319: xerces-j2 security update (Moderate) | ||
Description: | Apache Xerces for Java (Xerces-J) is a high performance, standards compliant, validating XML parser written in Java. The xerces-j2 packages provide Xerces-J version 2. A resource consumption issue was found in the way Xerces-J handled XML declarations. A remote attacker could use an XML document with a specially crafted declaration using a long pseudo-attribute name that, when parsed by an application using Xerces-J, would cause that application to use an excessive amount of CPU. (CVE-2013-4002) All xerces-j2 users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Applications using the Xerces-J must be restarted for this update to take effect. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:1319-00 CESA-2014:1319 CVE-2013-4002 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 CentOS Linux 6 CentOS Linux 7 | Product(s): | xerces-j2 |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2013-10-17 | IAVM : 2013-A-0191 - Multiple Vulnerabilities in Java for Mac OS X Severity : Category I - VMSKEY : V0040779 |
2013-10-17 | IAVM : 2013-A-0200 - Multiple Vulnerabilities in Oracle Java Severity : Category I - VMSKEY : V0040783 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-09-14 | Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL16872.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-1669-1.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2013-1256-1.nasl - Type : ACT_GATHER_INFO |
2014-11-11 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1822.nasl - Type : ACT_GATHER_INFO |
2014-11-11 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1821.nasl - Type : ACT_GATHER_INFO |
2014-11-11 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1818.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-0414.nasl - Type : ACT_GATHER_INFO |
2014-11-06 | Name : The remote host has a version of Java installed that is affected by multiple ... File : macosx_java_2014-001.nasl - Type : ACT_GATHER_INFO |
2014-11-03 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-436.nasl - Type : ACT_GATHER_INFO |
2014-10-02 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-193.nasl - Type : ACT_GATHER_INFO |
2014-10-01 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1319.nasl - Type : ACT_GATHER_INFO |
2014-09-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1319.nasl - Type : ACT_GATHER_INFO |
2014-09-30 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140929_xerces_j2_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2014-09-30 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1319.nasl - Type : ACT_GATHER_INFO |
2014-09-26 | Name : The remote Fedora host is missing a security update. File : fedora_2014-10649.nasl - Type : ACT_GATHER_INFO |
2014-09-26 | Name : The remote Fedora host is missing a security update. File : fedora_2014-10626.nasl - Type : ACT_GATHER_INFO |
2014-09-23 | Name : The remote Fedora host is missing a security update. File : fedora_2014-10617.nasl - Type : ACT_GATHER_INFO |
2014-08-22 | Name : The remote host is affected by multiple vulnerabilities. File : juniper_nsm_jsa10642.nasl - Type : ACT_GATHER_INFO |
2014-06-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201406-32.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-847.nasl - Type : ACT_GATHER_INFO |
2014-05-12 | Name : The remote host has software installed that is affected by multiple vulnerabi... File : lotus_notes_9_0_1_fp1.nasl - Type : ACT_GATHER_INFO |
2014-05-12 | Name : The remote host has software installed that is affected by multiple vulnerabi... File : lotus_domino_9_0_1_fp1.nasl - Type : ACT_GATHER_INFO |
2014-05-12 | Name : The remote server is affected by multiple vulnerabilities. File : domino_9_0_1_fp1.nasl - Type : ACT_GATHER_INFO |
2014-01-24 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2089-1.nasl - Type : ACT_GATHER_INFO |
2014-01-08 | Name : The remote host has software installed that is affected by multiple vulnerabi... File : lotus_domino_9_0_1.nasl - Type : ACT_GATHER_INFO |
2014-01-08 | Name : The remote server is affected by multiple vulnerabilities. File : domino_9_0_1.nasl - Type : ACT_GATHER_INFO |
2013-12-03 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_6_0-openjdk-131129.nasl - Type : ACT_GATHER_INFO |
2013-11-22 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2033-1.nasl - Type : ACT_GATHER_INFO |
2013-11-20 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2013-267.nasl - Type : ACT_GATHER_INFO |
2013-11-14 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-246.nasl - Type : ACT_GATHER_INFO |
2013-11-14 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2013-235.nasl - Type : ACT_GATHER_INFO |
2013-11-13 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_7_0-openjdk-131104.nasl - Type : ACT_GATHER_INFO |
2013-11-06 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131105_java_1_6_0_openjdk_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-11-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1505.nasl - Type : ACT_GATHER_INFO |
2013-11-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1505.nasl - Type : ACT_GATHER_INFO |
2013-11-06 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1505.nasl - Type : ACT_GATHER_INFO |
2013-11-04 | Name : The remote server is affected by multiple vulnerabilities. File : domino_8_5_3fp5.nasl - Type : ACT_GATHER_INFO |
2013-11-04 | Name : The remote host has software installed that is affected by multiple vulnerabi... File : lotus_domino_8_5_3_fp5.nasl - Type : ACT_GATHER_INFO |
2013-11-04 | Name : The remote host has software installed that is affected by multiple vulnerabi... File : lotus_notes_8_5_3_fp5.nasl - Type : ACT_GATHER_INFO |
2013-10-24 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131022_java_1_7_0_openjdk_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2013-10-24 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1451.nasl - Type : ACT_GATHER_INFO |
2013-10-23 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1451.nasl - Type : ACT_GATHER_INFO |
2013-10-23 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2013-1447.nasl - Type : ACT_GATHER_INFO |
2013-10-23 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1451.nasl - Type : ACT_GATHER_INFO |
2013-10-22 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2013-1447.nasl - Type : ACT_GATHER_INFO |
2013-10-22 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1447.nasl - Type : ACT_GATHER_INFO |
2013-10-22 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20131021_java_1_7_0_openjdk_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2013-10-18 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1440.nasl - Type : ACT_GATHER_INFO |
2013-10-17 | Name : The remote Unix host contains a programming platform that is potentially affe... File : oracle_java_cpu_oct_2013_unix.nasl - Type : ACT_GATHER_INFO |
2013-10-17 | Name : The remote Windows host contains a programming platform that is potentially a... File : oracle_java_cpu_oct_2013.nasl - Type : ACT_GATHER_INFO |
2013-10-16 | Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_2013-005.nasl - Type : ACT_GATHER_INFO |
2013-10-16 | Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_10_6_update17.nasl - Type : ACT_GATHER_INFO |
2013-07-26 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_6_0-ibm-130723.nasl - Type : ACT_GATHER_INFO |
2013-07-26 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_7_0-ibm-130723.nasl - Type : ACT_GATHER_INFO |
2013-07-17 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1081.nasl - Type : ACT_GATHER_INFO |
2013-07-16 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1059.nasl - Type : ACT_GATHER_INFO |
2013-07-16 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-1060.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-11-04 13:27:35 |
|
2014-10-04 13:38:07 |
|
2014-10-03 13:27:24 |
|
2014-10-02 13:27:20 |
|
2014-10-01 13:27:25 |
|
2014-09-30 00:23:11 |
|