0 Replies Latest reply on Jan 29, 2016 1:40 AM by shashigokhale

    Security vulnerability CVE-2013-4002 in xercesImpl.jar required for JBoss Microcontainer


      Hello All,


      We use JBoss Microcontainer 1.0.2, which has xercesImpl.jar version 2.7.1 in the package and probably uses it. We scanned the application using the Sonatype Nexus Auditor security scanner to identify vulnerabilities in third-party libraries used. It showed that xercesImpl.jar has vulnerability CVE-2013-4002, with the description given below:

      CVSS: 7.1


      Description from CVE


      Unspecified vulnerability in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 allows remote attackers to affect availability via unknown vectors.

      A flaw found in the way Xerces handles the processing of XML declarations allows for a denial of service (DoS) attack while the server application processes the XML supplied by the remote user. Xerces is used as the built-in XML parser for certain versions of Java, hence the Java Runtime Environment was implicated in the CVE description. If this component showed up on a scan, then it is not because of the Java Runtime Environment.

      You are vulnerable if your application uses Xerces to parse untrusted and/or user-created XML.

      There is no non-vulnerable version of this component at the time of this writing, but a fix was committed to the SVN repository. However, the last release was in 2013. Consider updating to the latest Java and switching to JAXP, which is now part of the official JDK as of version 1.6. More information can be found at: http://www.oracle.com/technetwork/java/intro-140052.html.

      Third Party: http://publib.boulder.ibm.com/iseries/v5r2/ic2924/info/rzakl...

      Project: http://xml.apache.org/xalan-j/faq.html#faq-N100EF

      Project: https://mail-archives.apache.org/mod_mbox/xerces-j-dev/20141...

      I checked the latest version of JBoss Microcontainer version 2.0.6 GA to see if this vulnerable jar is still used. I found that xercesImpl.jar version 2.9.1 is part of the 2.0.6 GA package and probably used.

      Can someone please help me with the following questions:

      1. What is your opinion about the security impact on JBoss Microcontainer due to use of the vulnerable jar file?
      2. Plans to stop using xercesImpl.jar in JBoss Microcontainer in favor of say JAXP?
      3. How did you overcome the vulnerability? Is there some workaround/setting with which JBoss Microcontainer could be configured to not use xercesImpl.jar?
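The scanner text above says you are exposed only if Xerces is actually the parser handling untrusted XML, and question 3 asks whether the bundled xercesImpl.jar can be kept out of the picture. The following probe is an added example, not code from this post, from JBoss or from Sonatype. It assumes the application obtains its parsers through the standard JAXP factories (javax.xml.parsers); it does not change anything inside the Microcontainer itself. It reports which factory class JAXP resolves and which jar it came from, so you can tell whether the standalone Apache Xerces (org.apache.xerces.*, i.e. xercesImpl.jar) or the JDK's built-in copy (com.sun.org.apache.xerces.internal.*) is in use, and shows a DOM factory configured with the usual JDK/Xerces feature switches for untrusted input. The javax.xml.parsers.DocumentBuilderFactory system property is the standard JAXP override; the feature URIs are the standard SAX and Xerces feature identifiers.

```java
import java.net.URL;
import java.security.CodeSource;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;

/**
 * Added example (not from the post): report which JAXP parser implementation the
 * running JVM resolves and where it was loaded from, and build a DOM factory
 * hardened for untrusted XML.
 */
public class XmlParserProbe {

    /** Class JAXP resolves for DocumentBuilderFactory in this JVM / classpath. */
    public static Class<?> domFactoryClass() {
        return DocumentBuilderFactory.newInstance().getClass();
    }

    /** Class JAXP resolves for SAXParserFactory in this JVM / classpath. */
    public static Class<?> saxFactoryClass() {
        return SAXParserFactory.newInstance().getClass();
    }

    /** True when the class comes from the standalone Apache Xerces distribution (xercesImpl.jar). */
    public static boolean isStandaloneXerces(Class<?> cls) {
        return cls.getName().startsWith("org.apache.xerces.");
    }

    /**
     * Jar or directory the class was loaded from, or null when it has no code source,
     * which is the case for classes loaded by the bootstrap loader (the JDK's built-in copy).
     */
    public static String codeSourceOf(Class<?> cls) {
        CodeSource cs = cls.getProtectionDomain().getCodeSource();
        if (cs == null) {
            return null;
        }
        URL loc = cs.getLocation();
        return loc == null ? null : loc.toString();
    }

    /**
     * DOM factory for untrusted input: secure processing on, DOCTYPE declarations
     * rejected (which also blocks entity expansion attacks), external entities off.
     * A parser that does not understand one of these features throws, which is
     * itself a useful signal that an unexpected implementation is on the classpath.
     */
    public static DocumentBuilderFactory hardenedDomFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        // To pin JAXP to the JDK's built-in parser regardless of what is on the classpath,
        // set the standard JAXP override property before the first newInstance() call
        // (or pass it as -Djavax.xml.parsers.DocumentBuilderFactory=... on the command line):
        // System.setProperty("javax.xml.parsers.DocumentBuilderFactory",
        //         "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl");

        Class<?> dom = domFactoryClass();
        Class<?> sax = saxFactoryClass();
        System.out.println("DOM factory : " + dom.getName()
                + " (standalone Xerces: " + isStandaloneXerces(dom) + ") from " + codeSourceOf(dom));
        System.out.println("SAX factory : " + sax.getName()
                + " (standalone Xerces: " + isStandaloneXerces(sax) + ") from " + codeSourceOf(sax));

        // Confirm the hardened configuration is accepted by whichever implementation won.
        DocumentBuilderFactory f = hardenedDomFactory();
        System.out.println("Hardened factory built: " + f.getClass().getName());
    }
}
```

Run it with the same classpath the application uses (including the Microcontainer's lib directory); if the reported code source is the bundled xercesImpl.jar, that jar is the parser the scanner finding applies to, and the system property shown in main() is the JAXP-level way to route your own parsing to the JDK copy instead. Whether the Microcontainer's internal parsing honours that property is exactly the question put to the maintainers above, so verify by re-running the probe rather than assuming.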