CVSS v2 Base Score: 7.1 (High)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C
IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed ship with the IBM Java JRE. This JRE contains a variant of the Apache Xerces-J XML parser (XML4J) that is vulnerable to a denial of service attack triggered by malformed XML data.
CVE ID: CVE-2013-4002
IBM CVSS SCORE: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
DESCRIPTION:
The Apache Xerces-J XML parser is vulnerable to a denial of service attack, triggered by malformed XML data. The malformed data causes the XML parser to consume CPU resource for several minutes before the data is eventually rejected. This behavior can be used to launch a denial of service attack against IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed.
AFFECTED PRODUCTS AND VERSIONS:
This vulnerability affects all versions prior to and including 7.5.0.10.
REMEDIATION:
Upgrade the IBM WebSphere Application Server used by IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed to fix pack 7.0.0.31 or 6.1.0.47 or later, according to the installed WebSphere release.
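As an added triage helper (not part of the IBM bulletin), the following Python encodes the version thresholds stated in this bulletin so that an inventory record for a host can be checked against them; the dotted version-string format and the function names are assumptions.

```python
# Added example: classify an inventory record against the thresholds this
# bulletin states for CVE-2013-4002. Version strings are assumed to be dotted
# numerics such as "7.0.0.29"; the function names are this example's own.
from typing import Optional, Tuple

# Thresholds quoted in the bulletin.
ILMT_LAST_AFFECTED = (7, 5, 0, 10)   # all ILMT / TAD4D versions <= this are affected
WAS_FIXED = {                        # first fixed fix pack per WebSphere release stream
    (7, 0): (7, 0, 0, 31),
    (6, 1): (6, 1, 0, 47),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.0.29' into (7, 0, 0, 29); pad missing trailing components with 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def ilmt_affected(ilmt_version: str) -> bool:
    """True when the product version falls in the bulletin's affected range."""
    return parse_version(ilmt_version) <= ILMT_LAST_AFFECTED


def was_remediated(was_version: str) -> Optional[bool]:
    """True if the embedded WebSphere is at or past the fix pack for its release
    stream, False if below it, None if the stream is not one the bulletin names."""
    v = parse_version(was_version)
    fixed = WAS_FIXED.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def triage(ilmt_version: str, was_version: str) -> str:
    """Outcome for one host: not-affected, remediated, exposed, or review."""
    if not ilmt_affected(ilmt_version):
        return "not-affected"   # newer than the range the bulletin covers
    status = was_remediated(was_version)
    if status is None:
        return "review"         # WebSphere stream not covered here; consult its own bulletin
    return "remediated" if status else "exposed"
```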
WORKAROUND:
None.
MITIGATION:
None.
REFERENCES:
· Complete CVSS v2 Guide: http://www.first.org/cvss/v2/guide
· X-Force Vulnerability Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/85260
· MITRE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
· WebSphere Application Server - Security Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21644157
RELATED INFORMATION:
· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog