Published: Sep 26, 2022 - 3:31 a.m.

Security Bulletin: Vulnerability in the IBM Java XML parser used by IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2013-4002)

Source: www.ibm.com

CVSS v2 base score: 7.1 (High)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C

Abstract

IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed ship with the IBM Java JRE. This JRE contains a variant of the Apache Xerces-J XML parser (XML4J) that is vulnerable to a denial of service attack triggered by malformed XML data.

Content

CVE ID: CVE-2013-4002

IBM CVSS Score: 7.1

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85260 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

DESCRIPTION:

The Apache Xerces-J XML parser is vulnerable to a denial of service attack triggered by malformed XML data. The malformed data causes the XML parser to consume CPU resources for several minutes before the input is eventually rejected. Because the affected products parse XML received over the network with this JRE, a remote, unauthenticated attacker can use this behavior to launch a denial of service attack against IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed.

AFFECTED PRODUCTS AND VERSIONS:

This vulnerability affects all versions of IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed prior to and including 7.5.0.10.

REMEDIATION:

Upgrade the IBM WebSphere Application Server used by IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed to a level that carries the fixed JRE: 7.0.0.31 or later for the 7.0 stream, or 6.1.0.47 or later for the 6.1 stream.
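The affected-version statement and the remediation above give three thresholds (product level 7.5.0.10 and earlier is in scope; WAS 7.0.0.31 or 6.1.0.47 carries the fix). The following added example, which is not IBM's code and not part of the original bulletin, turns those thresholds into an inventory check. It assumes product and WAS levels are written as dotted integers (as the bulletin writes them); the host names and levels in the sample inventory are constructed, and WAS streams the bulletin does not mention are flagged for manual review rather than silently passed.

```python
"""Check ILMT / TAD4D hosts against Security Bulletin CVE-2013-4002.

Added example, not IBM's code. Assumes version levels are dotted integers
such as '7.0.0.31'; fix levels below are the ones quoted in the bulletin.
"""

from typing import Tuple

# Product level: this version and everything earlier is affected.
LAST_AFFECTED_PRODUCT = "7.5.0.10"

# WAS fix levels from the remediation, keyed by release stream (major, minor).
FIXED_WAS_BY_STREAM = {
    (6, 1): "6.1.0.47",
    (7, 0): "7.0.0.31",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.0.31' into (7, 0, 0, 31); short forms like '7.5' are
    right-padded with zeros so tuple comparison behaves as expected."""
    parts = tuple(int(p) for p in text.strip().split(".") if p != "")
    if not parts:
        raise ValueError("empty version string")
    return parts + (0,) * (4 - len(parts))


def product_is_affected(product_version: str) -> bool:
    """ILMT / TAD4D: all levels up to and including 7.5.0.10 are affected."""
    return parse_version(product_version) <= parse_version(LAST_AFFECTED_PRODUCT)


def was_is_fixed(was_version: str) -> bool:
    """True when the WAS level is at or above the fix level for its stream.

    Raises ValueError for streams the bulletin gives no fix level for, so an
    unknown stream is surfaced instead of being treated as safe."""
    v = parse_version(was_version)
    stream = v[:2]
    if stream not in FIXED_WAS_BY_STREAM:
        raise ValueError(
            f"WAS stream {stream[0]}.{stream[1]} is not covered by this bulletin"
        )
    return v >= parse_version(FIXED_WAS_BY_STREAM[stream])


def assess(product_version: str, was_version: str) -> str:
    """Combine both checks into an operator action for one host."""
    if not product_is_affected(product_version):
        return "not affected per bulletin"
    try:
        fixed = was_is_fixed(was_version)
    except ValueError as exc:
        return f"manual review: {exc}"
    return "fixed" if fixed else "upgrade WAS"


if __name__ == "__main__":
    # Constructed sample inventory (host, product level, WAS level); not real hosts.
    inventory = [
        ("ilmt01", "7.5.0.10", "7.0.0.29"),
        ("ilmt02", "7.2.2", "6.1.0.47"),
        ("ilmt03", "7.5.0.11", "7.0.0.0"),
        ("ilmt04", "7.5", "8.5.5.0"),
    ]
    for host, prod, was in inventory:
        print(f"{host}: product {prod}, WAS {was} -> {assess(prod, was)}")
```

Feed it the levels your own inventory tooling reports; the point of the explicit stream table is that a host on a WAS stream this bulletin does not cover is never reported as fixed by accident.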

WORKAROUND:

None.

MITIGATION:

None.

REFERENCES:

· Complete CVSS v2 Guide: http://www.first.org/cvss/v2/guide

· X-Force Vulnerability Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/85260

· MITRE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002

· WebSphere Application Server - Security Bulletin: http://www.ibm.com/support/docview.wss?uid=swg21644157

RELATED INFORMATION:

· IBM Secure Engineering Web Portal

· IBM Product Security Incident Response Blog

DOCUMENT INFORMATION:

Product: IBM License Metric Tool (SS8JFY)
Business Unit: IBM Software w/o TPS (BU059)
Component: Not Applicable
Platforms: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Versions: 7.1.2; 7.2; 7.2.1; 7.2.2; 7.5
Line of Business: Automation (LOB45)
