PT-2013-5825 · Ibm+6 · Ibm Aix+9
Published 2013-10-16 · Updated 2024-06-15 · CVE-2013-5823
CVSS v2.0 5.0 (Medium) · Vector AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions
Oracle Java SE versions 7u40 and earlier
Oracle Java SE versions 6u60 and earlier
JRockit versions R28.2.8 and earlier
JRockit versions R27.7.6 and earlier
Java SE Embedded versions 7u40 and earlier
xmlsec (affected versions not specified)
IBM AIX (affected versions not specified)
Description
The issue allows remote attackers to affect availability via unknown vectors related to Security (the affected Java SE subcomponent). It also covers a denial-of-service vulnerability in xmlsec: checking the signature of a large message can cause an endless loop in the expandSize(int newPos) method of the org.apache.xml.security.utils.UnsyncByteArrayOutputStream class. A remote attacker could exploit this flaw by supplying crafted XML, leading to a denial of service.
Recommendations
For Oracle Java SE versions 7u40 and earlier, update to a version later than 7u40.
For Oracle Java SE versions 6u60 and earlier, update to a version later than 6u60.
For JRockit versions R28.2.8 and earlier, update to a version later than R28.2.8.
For JRockit versions R27.7.6 and earlier, update to a version later than R27.7.6.
For Java SE Embedded versions 7u40 and earlier, update to a version later than 7u40.
For xmlsec, avoid checking signatures of messages larger than 512 MB until a patch is available.
For IBM AIX, at the moment, there is no information about a newer version that contains a fix for this issue.
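As an added illustration (not xmlsec's or Oracle's code), the model below shows how a doubling buffer-growth loop written in Java's 32-bit signed int arithmetic stops terminating once the requested position is large enough, the overflow-aware form of the same loop, and a size gate matching the 512 MB interim recommendation above. The advisory only states that the loop is endless; that the cause is a doubling loop starting from an 8192-byte buffer is this example's assumption.

```java
// Added illustration (not xmlsec's or Oracle's code). Models a doubling
// buffer-growth loop in Java's 32-bit signed int arithmetic, the overflow-aware
// form of the same loop, and the 512 MB size gate from the recommendations.
public final class GrowthLoopDemo {
    // Assumed starting capacity for the model; not stated in the advisory.
    static final int INITIAL_SIZE = 8192;
    // Interim mitigation from the advisory: do not verify messages over 512 MB.
    static final long MAX_MESSAGE_BYTES = 512L * 1024 * 1024;

    // Unsafe growth: doubles until newSize >= newPos. Once newSize is 1 << 30,
    // the next doubling wraps to Integer.MIN_VALUE, which is always < newPos,
    // so an unguarded loop of this shape never exits. The demo returns -1 at
    // that point instead of spinning forever.
    static int growUnsafe(int size, int newPos) {
        int newSize = size;
        while (newPos > newSize) {
            newSize = newSize << 1;
            if (newSize < 0) {
                return -1; // wrapped: the unguarded loop would hang here
            }
        }
        return newSize;
    }

    // Hardened growth: detect the wrap and clamp so the loop terminates; the
    // caller then makes a bounded allocation request, which may fail with an
    // OutOfMemoryError, but that is a loud failure rather than a hang.
    static int growSafe(int size, int newPos) {
        int newSize = size;
        while (newPos > newSize) {
            newSize = newSize << 1;
            if (newSize < 0) {
                newSize = Integer.MAX_VALUE;
            }
        }
        return newSize;
    }

    // Size gate to apply before handing a message to signature verification.
    static boolean withinVerificationLimit(long messageBytes) {
        return messageBytes >= 0 && messageBytes <= MAX_MESSAGE_BYTES;
    }

    public static void main(String[] args) {
        int huge = Integer.MAX_VALUE - 1; // a write position far past 1 GiB
        System.out.println("unsafe growth result: " + growUnsafe(INITIAL_SIZE, huge));
        System.out.println("safe growth result:   " + growSafe(INITIAL_SIZE, huge));
        System.out.println("within 512 MB gate:   " + withinVerificationLimit(huge));
    }
}
```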
Affected Products
Centos
Hp-Ux
Ibm Aix
Jrockit
Java Platform
Java Se Embedded
Oracle Java Se
Red Hat
Suse
Xmlsec