medium
5
CWE
399
Advisory Published
CVE Published
Updated

CVE-2009-1190

First published: Wed Apr 22 2009(Updated: )

Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
Java Development Kit (JDK)<=1.5.0
Java Development Kit (JDK)=1.1.0
Java Development Kit (JDK)=1.1.6
Java Development Kit (JDK)=1.1.6-update7
Java Development Kit (JDK)=1.1.7b
Java Development Kit (JDK)=1.1.7b-update5
Java Development Kit (JDK)=1.1.8-update10
Java Development Kit (JDK)=1.1.8-update13
Java Development Kit (JDK)=1.1.8-update14
Java Development Kit (JDK)=1.1.8-update2
Java Development Kit (JDK)=1.1.8-update7
Java Development Kit (JDK)=1.1.8-update8
Java Development Kit (JDK)=1.2.0
Java Development Kit (JDK)=1.2.1
Java Development Kit (JDK)=1.2.1-update3
Java Development Kit (JDK)=1.2.2-update4
Java Development Kit (JDK)=1.2.2-update5
Java Development Kit (JDK)=1.3.0
Java Development Kit (JDK)=1.3.0_01
Java Development Kit (JDK)=1.3.0_02
Java Development Kit (JDK)=1.3.0_03
Java Development Kit (JDK)=1.3.0_04
Java Development Kit (JDK)=1.3.0_05
Java Development Kit (JDK)=1.3.1
Java Development Kit (JDK)=1.3.1-update19
Java Development Kit (JDK)=1.3.1-update20
Java Development Kit (JDK)=1.3.1_01
Java Development Kit (JDK)=1.3.1_01a
Java Development Kit (JDK)=1.3.1_02
Java Development Kit (JDK)=1.3.1_03
Java Development Kit (JDK)=1.3.1_04
Java Development Kit (JDK)=1.3.1_05
Java Development Kit (JDK)=1.3.1_06
Java Development Kit (JDK)=1.3.1_07
Java Development Kit (JDK)=1.3.1_08
Java Development Kit (JDK)=1.3.1_09
Java Development Kit (JDK)=1.3.1_10
Java Development Kit (JDK)=1.3.1_11
Java Development Kit (JDK)=1.3.1_12
Java Development Kit (JDK)=1.3.1_13
Java Development Kit (JDK)=1.3.1_14
Java Development Kit (JDK)=1.3.1_15
Java Development Kit (JDK)=1.3.1_16
Java Development Kit (JDK)=1.3.1_17
Java Development Kit (JDK)=1.3.1_18
Java Development Kit (JDK)=1.3.1_19
Java Development Kit (JDK)=1.3.1_20
Java Development Kit (JDK)=1.3.1_21
Java Development Kit (JDK)=1.3.1_22
Java Development Kit (JDK)=1.3.1_23
Java Development Kit (JDK)=1.3.1_24
Java Development Kit (JDK)=1.3.1_25
Java Development Kit (JDK)=1.3.1_26
Java Development Kit (JDK)=1.3.1_27
Java Development Kit (JDK)=1.3.1_28
Java Development Kit (JDK)=1.4.0
Java Development Kit (JDK)=1.4.0_01
Java Development Kit (JDK)=1.4.0_02
Java Development Kit (JDK)=1.4.0_03
Java Development Kit (JDK)=1.4.0_04
Java Development Kit (JDK)=1.4.1
Java Development Kit (JDK)=1.4.1_01
Java Development Kit (JDK)=1.4.1_02
Java Development Kit (JDK)=1.4.1_03
Java Development Kit (JDK)=1.4.1_04
Java Development Kit (JDK)=1.4.1_05
Java Development Kit (JDK)=1.4.1_06
Java Development Kit (JDK)=1.4.1_07
Java Development Kit (JDK)=1.4.2
Java Development Kit (JDK)=1.4.2_1
Java Development Kit (JDK)=1.4.2_2
Java Development Kit (JDK)=1.4.2_3
Java Development Kit (JDK)=1.4.2_4
Java Development Kit (JDK)=1.4.2_5
Java Development Kit (JDK)=1.4.2_6
Java Development Kit (JDK)=1.4.2_7
Java Development Kit (JDK)=1.4.2_8
Java Development Kit (JDK)=1.4.2_9
Java Development Kit (JDK)=1.4.2_10
Java Development Kit (JDK)=1.4.2_11
Java Development Kit (JDK)=1.4.2_12
Java Development Kit (JDK)=1.4.2_13
Java Development Kit (JDK)=1.4.2_14
Java Development Kit (JDK)=1.4.2_15
Java Development Kit (JDK)=1.4.2_16
Java Development Kit (JDK)=1.4.2_17
Java Development Kit (JDK)=1.4.2_18
Java Development Kit (JDK)=1.4.2_19
Java Development Kit (JDK)=1.5.0
Java Development Kit (JDK)=1.5.0-update_1
Java Development Kit (JDK)=1.5.0-update_10
Java Development Kit (JDK)=1.5.0-update_11
Java Development Kit (JDK)=1.5.0-update_12
Java Development Kit (JDK)=1.5.0-update_13
Java Development Kit (JDK)=1.5.0-update_14
Java Development Kit (JDK)=1.5.0-update_15
Java Development Kit (JDK)=1.5.0-update_16
Java Development Kit (JDK)=1.5.0-update_17
Java Development Kit (JDK)=1.5.0-update_18
Java Development Kit (JDK)=1.5.0-update_19
Java Development Kit (JDK)=1.5.0-update_2
Java Development Kit (JDK)=1.5.0-update_20
Java Development Kit (JDK)=1.5.0-update_21
Java Development Kit (JDK)=1.5.0-update_3
Java Development Kit (JDK)=1.5.0-update_4
Java Development Kit (JDK)=1.5.0-update_5
Java Development Kit (JDK)=1.5.0-update_6
Java Development Kit (JDK)=1.5.0-update_7
Java Development Kit (JDK)=1.5.0-update_8
Java Development Kit (JDK)=1.5.0-update_9
Java Development Kit (JDK)=1.5.0-update1
Java Development Kit (JDK)=1.5.0-update10
Java Development Kit (JDK)=1.5.0-update11
Java Development Kit (JDK)=1.5.0-update11_b03
Java Development Kit (JDK)=1.5.0-update12
Java Development Kit (JDK)=1.5.0-update13
Java Development Kit (JDK)=1.5.0-update14
Java Development Kit (JDK)=1.5.0-update15
Java Development Kit (JDK)=1.5.0-update16
Java Development Kit (JDK)=1.5.0-update17
Java Development Kit (JDK)=1.5.0-update18
Java Development Kit (JDK)=1.5.0-update19
Java Development Kit (JDK)=1.5.0-update2
Java Development Kit (JDK)=1.5.0-update20
Java Development Kit (JDK)=1.5.0-update21
Java Development Kit (JDK)=1.5.0-update22
Java Development Kit (JDK)=1.5.0-update23
Java Development Kit (JDK)=1.5.0-update24
Java Development Kit (JDK)=1.5.0-update25
Java Development Kit (JDK)=1.5.0-update3
Java Development Kit (JDK)=1.5.0-update4
Java Development Kit (JDK)=1.5.0-update5
Java Development Kit (JDK)=1.5.0-update6
Java Development Kit (JDK)=1.5.0-update7
Java Development Kit (JDK)=1.5.0-update7_b03
Java Development Kit (JDK)=1.5.0-update8
Java Development Kit (JDK)=1.5.0-update9
Java Development Kit (JDK)=1.5.0_03
Java Development Kit (JDK)=1.5.0_03
SpringSource Dm Server=1.0.0
SpringSource Dm Server=1.0.1
SpringSource Dm Server=1.0.2
Spring Framework=1.1.0
Spring Framework=2.0
Spring Framework=2.0-m1
Spring Framework=2.0-m2
Spring Framework=2.0-m3
Spring Framework=2.0-m4
Spring Framework=2.0-m5
Spring Framework=2.0-rc1
Spring Framework=2.0-rc2
Spring Framework=2.0-rc3
Spring Framework=2.0-rc4
Spring Framework=2.0.1
Spring Framework=2.0.2
Spring Framework=2.0.3
Spring Framework=2.0.4
Spring Framework=2.0.5
Spring Framework=2.1-m1
Spring Framework=2.1-m2
Spring Framework=2.1-m3
Spring Framework=2.1-m4
Spring Framework=2.5.0
Spring Framework=2.5.0-rc1
Spring Framework=2.5.0-rc2
Spring Framework=2.5.1
Spring Framework=2.5.2
Spring Framework=2.5.3
Spring Framework=2.5.4
Spring Framework=2.5.5
Spring Framework=2.5.6
Spring Framework=3.0.0-m1
Spring Framework=3.0.0-m2

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2009-1190?

    CVE-2009-1190 is rated as critical due to its potential to allow remote attackers to perform denial of service attacks via crafted regular expressions.

  • How do I fix CVE-2009-1190?

    To fix CVE-2009-1190, update Sun JDK to version 1.6 or later, or use the patched version of affected Spring Framework releases.

  • Which software versions are affected by CVE-2009-1190?

    CVE-2009-1190 affects Sun JDK versions prior to 1.6 and specific versions of Spring Framework from 1.1.0 to 2.5.6.

  • What type of vulnerability is CVE-2009-1190?

    CVE-2009-1190 is an algorithmic complexity vulnerability that targets the regular expression processing in Java.

  • Who is impacted by CVE-2009-1190?

    Users of affected Sun JDK versions prior to 1.6, especially those utilizing Spring Framework within their applications, are at risk.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203