CIMXMLParserImpl.parseMESSAGE() assumes all MESSAGE elements come with a valid ID attribute and use Attr.getNodeValue() without making sure Attr isn't null. Also, the PROTOCOLVERSION isn't verified at all.
Patch sent for community review. During a 2 week period any exploiter may comment on the patch, request changes or turn it down completely (with good reason). For the time being the patch is part of the "Experimental" branch in CVS.
The community review is completed and we received no substantial criticism. Therefore the patch has been approved and merged into the "HEAD" branch. The next release will pick it up.
The patch was picked up by release 2.2.5 and will be closed.