Why are components being flagged as vulnerable to CVE-2013-4002 (IBM Java Runtime Vulnerability)?

The description of CVE-2013-4002 is misleading: it implies that the security defect is in IBM Java itself.

In fact, the vulnerability is in the Xerces XML parser:

http://www-01.ibm.com/support/docview.wss?uid=swg21653815

Xerces is often bundled inside other artifacts, so CVE-2013-4002 will be flagged for components where you might not expect it. For instance, com.google.gwt:gwt-dev:2.7.0 ships with a vulnerable version of Xerces inside it:

$ jar tvf gwt-dev-2.7.0.jar |grep xerces
1159 Fri Nov 26 15:40:42 CST 2010 org/apache/xerces/dom/ASDOMImplementationImpl.class
4189 Fri Nov 26 15:40:42 CST 2010 org/apache/xerces/dom/ASModelImpl.class
8751 Fri Nov 26 15:40:36 CST 2010 org/apache/xerces/dom/AttrImpl.class
3518 Fri Nov 26 15:40:42 CST 2010 org/apache/xerces/dom/AttrNSImpl.class
6586 Fri Nov 26 15:40:36 CST 2010 org/apache/xerces/dom/AttributeMap.class
457 Fri Nov 26 15:40:42 CST 2010 org/apache/xerces/dom/CDATASectionImpl.class
323 Fri Nov 26 15:40:36 CST 2010 org/apache/xerces/dom/CharacterDataImpl$1.class
3878 Fri Nov 26 15:40:36 CST 2010 org/apache/xerces/dom/CharacterDataImpl.class
1018 Fri Nov 26 15:40:34 CST 2010 org/apache/xerces/dom/ChildNode.class
484 Fri Nov 26 15:40:42 CST 2010 org/apache/xerces/dom/CommentImpl.class
430 Fri Nov 26 15:40:38 CST 2010 org/apache/xerces/dom/CoreDOMImplementationImpl$RevalidationHandlerHolder.class
409 Fri Nov 26 15:40:38 CST 2010 org/apache/xerces/dom/CoreDOMImplementationImpl$XMLDTDLoaderHolder.class
8236 Fri Nov 26 15:40:38 CST 2010 org/apache/xerces/dom/CoreDOMImplementationImpl.class
...
...
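The listing above is one JAR inspected by hand. The following script is an added example (not part of the original article) of the same check automated over a directory of JARs: it reports every JAR that carries org/apache/xerces/ classes and, when the bundled copy kept its Maven metadata, the Xerces version from META-INF/maven/xerces/xercesImpl/pom.properties. The sample JARs, their entry names and the version string are constructed inline so the script runs offline; the pom.properties path is the usual Maven layout and is assumed rather than taken from the page. Note that the prefix check only finds copies that kept the original package name; a shaded, relocated copy of Xerces would need a different heuristic.

```python
"""Scan JAR files for a bundled copy of Apache Xerces.

Added example, not from the original article. It builds constructed sample
JARs in a temporary directory so it runs offline, then reports every JAR that
contains org/apache/xerces/ classes together with the Xerces version read from
pom.properties when that file is present.
"""
import os
import tempfile
import zipfile

XERCES_PREFIX = "org/apache/xerces/"
# Maven writes pom.properties for a dependency at this path when the dependency
# is bundled without package relocation (assumed layout, not taken from the page).
POM_PROPERTIES = "META-INF/maven/xerces/xercesImpl/pom.properties"


def bundled_xerces(jar_path):
    """Return (class_count, version_or_None) for the Xerces classes in jar_path.

    class_count is 0 when the JAR carries no Xerces classes. The version comes
    from pom.properties if the bundled copy kept its Maven metadata; otherwise
    None, and a scanner has to fall back to other heuristics.
    """
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        count = sum(
            1 for n in names if n.startswith(XERCES_PREFIX) and n.endswith(".class")
        )
        version = None
        if count and POM_PROPERTIES in names:
            text = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in text.splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    version = value.strip()
    return count, version


def scan_directory(directory):
    """Return {jar_name: (class_count, version)} for every JAR with Xerces inside."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".jar"):
            count, version = bundled_xerces(os.path.join(directory, name))
            if count:
                findings[name] = (count, version)
    return findings


def build_sample_jars(directory):
    """Write two constructed JARs: one bundling Xerces, one clean."""
    with zipfile.ZipFile(os.path.join(directory, "bundled-example.jar"), "w") as jar:
        # Constructed entries with empty bodies; the class names mirror the
        # listing in the article, the version string is a placeholder.
        jar.writestr("org/apache/xerces/dom/AttrImpl.class", b"")
        jar.writestr("org/apache/xerces/dom/CoreDOMImplementationImpl.class", b"")
        jar.writestr("com/example/app/Main.class", b"")
        jar.writestr(
            POM_PROPERTIES,
            "groupId=xerces\nartifactId=xercesImpl\nversion=2.0.0-constructed\n",
        )
    with zipfile.ZipFile(os.path.join(directory, "clean-example.jar"), "w") as jar:
        jar.writestr("com/example/lib/Util.class", b"")


def demo():
    """Build the sample JARs in a temp dir, scan them and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for jar_name, (count, version) in demo().items():
        print(f"{jar_name}: {count} Xerces classes, version {version or 'unknown'}")
```

Point scan_directory at a local Maven repository or a build's lib/ folder to get the same result the scanner reports: the finding belongs to the JAR that bundles Xerces, not to the JVM running it.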
