Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2013-4002

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

Security Impact Summary

CVE-2013-4002 is a security vulnerability that . Impacting 21 products from ibm, from oracle, from oracle and 18 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

Documented in 2013, this vulnerability occurred amid the cloud computing expansion era, where traditional network perimeter security models were being reevaluated. Organizations were transitioning from isolated infrastructure to interconnected systems, creating new attack surfaces that vulnerabilities like this could exploit.

Published

2013-07-23T11:03:19.790

Last Modified

2025-04-11T00:51:21.963

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 7.1 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:N/I:N/A:C

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

Exploitability Score

8.6

Impact Score

6.9

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	ibm	java	5.0.0.0	Yes
Application	ibm	java	5.0.11.0	Yes
Application	ibm	java	5.0.11.1	Yes
Application	ibm	java	5.0.11.2	Yes
Application	ibm	java	5.0.12.0	Yes
Application	ibm	java	5.0.12.1	Yes
Application	ibm	java	5.0.12.2	Yes
Application	ibm	java	5.0.12.3	Yes
Application	ibm	java	5.0.12.4	Yes
Application	ibm	java	5.0.12.5	Yes
Application	ibm	java	5.0.13.0	Yes
Application	ibm	java	5.0.14.0	Yes
Application	ibm	java	5.0.15.0	Yes
Application	ibm	java	5.0.16.0	Yes
Application	ibm	java	5.0.16.1	Yes
Application	ibm	java	5.0.16.2	Yes
Application	ibm	java	6.0.0.0	Yes
Application	ibm	java	6.0.1.0	Yes
Application	ibm	java	6.0.2.0	Yes
Application	ibm	java	6.0.3.0	Yes
Application	ibm	java	6.0.4.0	Yes
Application	ibm	java	6.0.5.0	Yes
Application	ibm	java	6.0.6.0	Yes
Application	ibm	java	6.0.7.0	Yes
Application	ibm	java	6.0.8.0	Yes
Application	ibm	java	6.0.8.1	Yes
Application	ibm	java	6.0.9.0	Yes
Application	ibm	java	6.0.9.1	Yes
Application	ibm	java	6.0.9.2	Yes
Application	ibm	java	6.0.10.0	Yes
Application	ibm	java	6.0.10.1	Yes
Application	ibm	java	6.0.11.0	Yes
Application	ibm	java	6.0.12.0	Yes
Application	ibm	java	6.0.13.0	Yes
Application	ibm	java	6.0.13.1	Yes
Application	ibm	java	6.0.13.2	Yes
Application	ibm	java	7.0.0.0	Yes
Application	ibm	java	7.0.1.0	Yes
Application	ibm	java	7.0.2.0	Yes
Application	ibm	java	7.0.3.0	Yes
Application	ibm	java	7.0.4.0	Yes
Application	ibm	java	7.0.4.1	Yes
Application	ibm	java	7.0.4.2	Yes
Application	oracle	jdk	1.5.0	Yes
Application	oracle	jdk	1.6.0	Yes
Application	oracle	jdk	1.7.0	Yes
Application	oracle	jre	1.5.0	Yes
Application	oracle	jre	1.6.0	Yes
Application	oracle	jre	1.7.0	Yes
Application	oracle	jrockit	≤ r27.7.6	Yes
Application	oracle	jrockit	≤ r28.2.8	Yes
Application	ibm	sterling_b2b_integrator	5.2.4	Yes
Application	ibm	host_on-demand	11.0	Yes
Application	ibm	host_on-demand	11.0.1	Yes
Application	ibm	host_on-demand	11.0.2	Yes
Application	ibm	host_on-demand	11.0.3	Yes
Application	ibm	host_on-demand	11.0.4	Yes
Application	ibm	host_on-demand	11.0.5	Yes
Application	ibm	host_on-demand	11.0.5.1	Yes
Application	ibm	host_on-demand	11.0.6	Yes
Application	ibm	host_on-demand	11.0.6.1	Yes
Application	ibm	host_on-demand	11.0.7	Yes
Application	ibm	host_on-demand	11.0.8	Yes
Operating System	microsoft	windows	-	No
Application	ibm	tivoli_application_dependency_discovery_manager	7.2.2	Yes
Operating System	ibm	aix	-	No
Operating System	linux	linux_kernel	-	No
Operating System	microsoft	windows	-	No
Operating System	oracle	solaris	-	No
Application	ibm	sterling_b2b_integrator	5.1	Yes
Application	ibm	sterling_b2b_integrator	5.2	Yes
Application	ibm	sterling_file_gateway	2.1	Yes
Application	ibm	sterling_file_gateway	2.2	Yes
Operating System	hp	hp-ux	-	No
Operating System	ibm	aix	-	No
Operating System	ibm	i	-	No
Operating System	linux	linux_kernel	-	No
Operating System	microsoft	windows	-	No
Operating System	oracle	solaris	-	No
Operating System	opensuse	opensuse	12.2	Yes
Operating System	opensuse	opensuse	12.3	Yes
Operating System	suse	linux_enterprise_desktop	10	Yes
Operating System	suse	linux_enterprise_desktop	11	Yes
Operating System	suse	linux_enterprise_java	10	Yes
Operating System	suse	linux_enterprise_java	11	Yes
Operating System	suse	linux_enterprise_java	11	Yes
Operating System	suse	linux_enterprise_sdk	11	Yes
Operating System	suse	linux_enterprise_sdk	11	Yes
Operating System	suse	linux_enterprise_server	9	Yes
Operating System	suse	linux_enterprise_server	10	Yes
Operating System	suse	linux_enterprise_server	10	Yes
Operating System	suse	linux_enterprise_server	11	Yes
Operating System	suse	linux_enterprise_server	11	Yes
Operating System	suse	linux_enterprise_server	11	Yes
Operating System	suse	linux_enterprise_server	11	Yes
Operating System	canonical	ubuntu_linux	10.04	Yes
Operating System	canonical	ubuntu_linux	12.04	Yes
Operating System	canonical	ubuntu_linux	12.10	Yes
Operating System	canonical	ubuntu_linux	13.04	Yes
Operating System	canonical	ubuntu_linux	13.10	Yes
Application	apache	xerces2_java	< 2.12.0	Yes

References

http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html Broken Link, Mailing List ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=138674031212883&w=2 Issue Tracking, Mailing List, Third Party Advisory ([email protected])
http://marc.info/?l=bugtraq&m=138674073720143&w=2 Issue Tracking, Mailing List, Third Party Advisory ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-1059.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-1060.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-1081.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-1440.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-1447.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-1451.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2013-1505.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2014-1818.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2014-1821.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2014-1822.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2014-1823.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2015-0675.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2015-0720.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2015-0765.html Broken Link ([email protected])
http://rhn.redhat.com/errata/RHSA-2015-0773.html Broken Link ([email protected])
http://secunia.com/advisories/56257 Third Party Advisory ([email protected])
http://security.gentoo.org/glsa/glsa-201406-32.xml Third Party Advisory ([email protected])
http://support.apple.com/kb/HT5982 Third Party Advisory ([email protected])
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch Patch, Vendor Advisory ([email protected])
http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015 Vendor Advisory ([email protected])
http://www-01.ibm.com/support/docview.wss?uid=swg21644197 Vendor Advisory ([email protected])
http://www-01.ibm.com/support/docview.wss?uid=swg21653371 Vendor Advisory ([email protected])
http://www-01.ibm.com/support/docview.wss?uid=swg21657539 Vendor Advisory ([email protected])
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html Third Party Advisory ([email protected])
http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002 Vendor Advisory ([email protected])
http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013 Vendor Advisory ([email protected])
http://www.ibm.com/support/docview.wss?uid=swg21648172 Broken Link ([email protected])
http://www.securityfocus.com/bid/61310 Third Party Advisory, VDB Entry ([email protected])
http://www.ubuntu.com/usn/USN-2033-1 Third Party Advisory ([email protected])
http://www.ubuntu.com/usn/USN-2089-1 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2014:0414 Third Party Advisory ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/85260 VDB Entry, Vendor Advisory ([email protected])
https://issues.apache.org/jira/browse/XERCESJ-1679 Issue Tracking, Vendor Advisory ([email protected])
https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E ([email protected])
https://www.oracle.com/security-alerts/cpuapr2022.html ([email protected])
https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html Third Party Advisory ([email protected])
http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html Broken Link, Mailing List (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=138674031212883&w=2 Issue Tracking, Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=138674073720143&w=2 Issue Tracking, Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-1059.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-1060.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-1081.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-1440.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-1447.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-1451.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2013-1505.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2014-1818.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2014-1821.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2014-1822.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2014-1823.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2015-0675.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2015-0720.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2015-0765.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://rhn.redhat.com/errata/RHSA-2015-0773.html Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/56257 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://security.gentoo.org/glsa/glsa-201406-32.xml Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT5982 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www-01.ibm.com/support/docview.wss?uid=swg21644197 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www-01.ibm.com/support/docview.wss?uid=swg21653371 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www-01.ibm.com/support/docview.wss?uid=swg21657539 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.ibm.com/support/docview.wss?uid=swg21648172 Broken Link (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/61310 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/USN-2033-1 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.ubuntu.com/usn/USN-2089-1 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2014:0414 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/85260 VDB Entry, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://issues.apache.org/jira/browse/XERCESJ-1679 Issue Tracking, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For ibm's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.