What is the severity of CVE-2009-2625?

CVE-2009-2625 is classified as a denial of service vulnerability, which can critically impact the availability of affected applications.

How do I fix CVE-2009-2625?

To fix CVE-2009-2625, upgrade the affected Java Runtime Environment to the latest version provided by your vendor.

Which products are affected by CVE-2009-2625?

CVE-2009-2625 affects Java Runtime Environment versions, including specific builds from IBM and Red Hat that use Apache Xerces.

Can CVE-2009-2625 be exploited remotely?

Yes, CVE-2009-2625 can be exploited remotely using specially-crafted XML input that triggers an infinite loop.

What impact does CVE-2009-2625 have on my system?

CVE-2009-2625 can cause applications to hang, leading to potential denial of service and disrupting normal operations.

Vulnerability/
CVE-2009-2625

medium

CWE

NVD-CWE-Other

21/7/2009

5/8/2009

6/8/2009

7/8/2024

CVE-2009-2625

First published: Tue Jul 21 2009(Updated: )

Sun Java Runtime Environment (JRE) is vulnerable to a denial of service, caused by an error in Apache Xerces2 Java. A remote attacker could exploit this vulnerability using specially-crafted XML input, to cause the application to enter into an infinite loop and hang.

Credit: cret@cert.org

Affected Software	Affected Version	How to fix
redhat/java	<1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el3	1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el3
redhat/java	<1.5.0-sun-0:1.5.0.20-1jpp.1.el4	1.5.0-sun-0:1.5.0.20-1jpp.1.el4
redhat/java	<1.6.0-sun-1:1.6.0.15-1jpp.1.el4	1.6.0-sun-1:1.6.0.15-1jpp.1.el4
redhat/java	<1.5.0-ibm-1:1.5.0.10-1jpp.4.el4	1.5.0-ibm-1:1.5.0.10-1jpp.4.el4
redhat/java	<1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el4	1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el4
redhat/java	<1.6.0-ibm-1:1.6.0.6-1jpp.3.el4	1.6.0-ibm-1:1.6.0.6-1jpp.3.el4
redhat/glassfish-javamail	<0:1.4.2-0jpp.ep1.5.el4	0:1.4.2-0jpp.ep1.5.el4
redhat/glassfish-jsf	<0:1.2_13-2.1.ep1.el4	0:1.2_13-2.1.ep1.el4
redhat/hibernate3	<1:3.2.4-1.SP1_CP09.0jpp.ep1.1.el4	1:3.2.4-1.SP1_CP09.0jpp.ep1.1.el4
redhat/hibernate3-annotations	<0:3.3.1-1.11.GA_CP02.ep1.el4	0:3.3.1-1.11.GA_CP02.ep1.el4
redhat/hibernate3-entitymanager	<0:3.3.2-2.5.GA_CP01.ep1.el4	0:3.3.2-2.5.GA_CP01.ep1.el4
redhat/jacorb	<0:2.3.0-1jpp.ep1.9.el4	0:2.3.0-1jpp.ep1.9.el4
redhat/jakarta-commons-logging-jboss	<0:1.1-9.ep1.el4	0:1.1-9.ep1.el4
redhat/jboss-aop	<0:1.5.5-3.CP04.2.ep1.el4	0:1.5.5-3.CP04.2.ep1.el4
redhat/jbossas	<0:4.2.0-5.GA_CP08.5.ep1.el4	0:4.2.0-5.GA_CP08.5.ep1.el4
redhat/jboss-common	<0:1.2.1-0jpp.ep1.3.el4	0:1.2.1-0jpp.ep1.3.el4
redhat/jboss-remoting	<0:2.2.3-3.SP1.ep1.el4	0:2.2.3-3.SP1.ep1.el4
redhat/jboss-seam	<0:1.2.1-1.ep1.22.el4	0:1.2.1-1.ep1.22.el4
redhat/jbossts	<1:4.2.3-1.SP5_CP08.1jpp.ep1.1.el4	1:4.2.3-1.SP5_CP08.1jpp.ep1.1.el4
redhat/jbossweb	<0:2.0.0-6.CP12.0jpp.ep1.2.el4	0:2.0.0-6.CP12.0jpp.ep1.2.el4
redhat/jcommon	<0:1.0.16-1.1.ep1.el4	0:1.0.16-1.1.ep1.el4
redhat/jfreechart	<0:1.0.13-2.3.1.ep1.el4	0:1.0.13-2.3.1.ep1.el4
redhat/jgroups	<1:2.4.7-1.ep1.el4	1:2.4.7-1.ep1.el4
redhat/quartz	<0:1.5.2-1jpp.patch01.ep1.4.el4	0:1.5.2-1jpp.patch01.ep1.4.el4
redhat/rh-eap-docs	<0:4.2.0-6.GA_CP08.ep1.3.el4	0:4.2.0-6.GA_CP08.ep1.3.el4
redhat/xerces-j2	<0:2.7.1-9jpp.4.patch_02.1.ep1.el4	0:2.7.1-9jpp.4.patch_02.1.ep1.el4
redhat/xml-security	<0:1.3.0-1.3.patch01.ep1.2.el4	0:1.3.0-1.3.patch01.ep1.2.el4
redhat/glassfish-jsf	<0:1.2_13-2.1.ep1.el5	0:1.2_13-2.1.ep1.el5
redhat/hibernate3	<1:3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5	1:3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5
redhat/hibernate3-annotations	<0:3.3.1-1.11GA_CP02.ep1.el5	0:3.3.1-1.11GA_CP02.ep1.el5
redhat/hibernate3-entitymanager	<0:3.3.2-2.5.1.ep1.el5	0:3.3.2-2.5.1.ep1.el5
redhat/jacorb	<0:2.3.0-1jpp.ep1.9.1.el5	0:2.3.0-1jpp.ep1.9.1.el5
redhat/jboss-aop	<0:1.5.5-3.CP04.2.ep1.el5	0:1.5.5-3.CP04.2.ep1.el5
redhat/jbossas	<0:4.2.0-5.GA_CP08.5.2.ep1.el5	0:4.2.0-5.GA_CP08.5.2.ep1.el5
redhat/jboss-common	<0:1.2.1-0jpp.ep1.3.el5.1	0:1.2.1-0jpp.ep1.3.el5.1
redhat/jboss-remoting	<0:2.2.3-3.SP1.ep1.el5	0:2.2.3-3.SP1.ep1.el5
redhat/jboss-seam	<0:1.2.1-1.ep1.14.el5	0:1.2.1-1.ep1.14.el5
redhat/jbossts	<1:4.2.3-1.SP5_CP08.1jpp.ep1.1.el5	1:4.2.3-1.SP5_CP08.1jpp.ep1.1.el5
redhat/jbossweb	<0:2.0.0-6.CP12.0jpp.ep1.2.el5	0:2.0.0-6.CP12.0jpp.ep1.2.el5
redhat/jcommon	<0:1.0.16-1.1.ep1.el5	0:1.0.16-1.1.ep1.el5
redhat/jfreechart	<0:1.0.13-2.3.1.ep1.el5	0:1.0.13-2.3.1.ep1.el5
redhat/jgroups	<1:2.4.7-1.ep1.el5	1:2.4.7-1.ep1.el5
redhat/quartz	<0:1.5.2-1jpp.patch01.ep1.4.1.el5	0:1.5.2-1jpp.patch01.ep1.4.1.el5
redhat/rh-eap-docs	<0:4.2.0-6.GA_CP08.ep1.3.el5	0:4.2.0-6.GA_CP08.ep1.3.el5
redhat/xml-security	<0:1.3.0-1.3.patch01.ep1.2.1.el5	0:1.3.0-1.3.patch01.ep1.2.1.el5
redhat/java	<1.6.0-openjdk-1:1.6.0.0-1.2.b09.el5	1.6.0-openjdk-1:1.6.0.0-1.2.b09.el5
redhat/xerces-j2	<0:2.7.1-7jpp.2.el5_4.2	0:2.7.1-7jpp.2.el5_4.2
redhat/xerces-j2	<0:2.7.1-12.6.el6_0	0:2.7.1-12.6.el6_0
redhat/glassfish-jaxb	<0:2.1.4-1.12.patch03.ep1.el4	0:2.1.4-1.12.patch03.ep1.el4
redhat/jbossas	<0:4.3.0-6.GA_CP07.4.ep1.el4	0:4.3.0-6.GA_CP07.4.ep1.el4
redhat/jboss-messaging	<0:1.4.0-3.SP3_CP09.4.ep1.el4	0:1.4.0-3.SP3_CP09.4.ep1.el4
redhat/jboss-seam	<0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.18.el4	0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.18.el4
redhat/jboss-seam2	<0:2.0.2.FP-1.ep1.21.el4	0:2.0.2.FP-1.ep1.21.el4
redhat/jbossws	<0:2.0.1-4.SP2_CP07.2.ep1.el4	0:2.0.1-4.SP2_CP07.2.ep1.el4
redhat/jbossws-common	<0:1.0.0-2.GA_CP05.1.ep1.el4	0:1.0.0-2.GA_CP05.1.ep1.el4
redhat/jbossws-framework	<0:2.0.1-1.GA_CP05.1.ep1.el4	0:2.0.1-1.GA_CP05.1.ep1.el4
redhat/rh-eap-docs	<0:4.3.0-6.GA_CP07.ep1.3.el4	0:4.3.0-6.GA_CP07.ep1.3.el4
redhat/glassfish-jaxb	<0:2.1.4-1.12.patch03.1.ep1.el5	0:2.1.4-1.12.patch03.1.ep1.el5
redhat/jbossas	<0:4.3.0-6.GA_CP07.4.2.ep1.el5	0:4.3.0-6.GA_CP07.4.2.ep1.el5
redhat/jboss-messaging	<0:1.4.0-3.SP3_CP09.4.ep1.el5	0:1.4.0-3.SP3_CP09.4.ep1.el5
redhat/jboss-seam	<0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1	0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1
redhat/jboss-seam2	<0:2.0.2.FP-1.ep1.18.el5	0:2.0.2.FP-1.ep1.18.el5
redhat/jbossws	<0:2.0.1-4.SP2_CP07.2.1.ep1.el5	0:2.0.1-4.SP2_CP07.2.1.ep1.el5
redhat/jbossws-common	<0:1.0.0-2.GA_CP05.1.ep1.el5	0:1.0.0-2.GA_CP05.1.ep1.el5
redhat/jbossws-framework	<0:2.0.1-1.GA_CP05.1.ep1.el5	0:2.0.1-1.GA_CP05.1.ep1.el5
redhat/rh-eap-docs	<0:4.3.0-6.GA_CP07.ep1.3.el5	0:4.3.0-6.GA_CP07.ep1.3.el5
redhat/java	<1.5.0-sun-0:1.5.0.22-1jpp.1.el4	1.5.0-sun-0:1.5.0.22-1jpp.1.el4
redhat/java	<1.6.0-ibm-1:1.6.0.7-1jpp.3.el4	1.6.0-ibm-1:1.6.0.7-1jpp.3.el4
redhat/java	<1.4.2-ibm-0:1.4.2.13.2.sap-1jpp.4.el4_8	1.4.2-ibm-0:1.4.2.13.2.sap-1jpp.4.el4_8
redhat/java	<1.4.2-ibm-0:1.4.2.13.2.sap-1jpp.4.el5_3	1.4.2-ibm-0:1.4.2.13.2.sap-1jpp.4.el5_3
redhat/jasperreports-server-pro	<0:4.7.1-2.el6e	0:4.7.1-2.el6e
redhat/java	<1.5.0-sun-0:1.5.0.20-1jpp.1.el5	1.5.0-sun-0:1.5.0.20-1jpp.1.el5
redhat/java	<1.6.0-sun-1:1.6.0.15-1jpp.1.el5	1.6.0-sun-1:1.6.0.15-1jpp.1.el5
redhat/java	<1.5.0-ibm-1:1.5.0.10-1jpp.4.el5	1.5.0-ibm-1:1.5.0.10-1jpp.4.el5
redhat/java	<1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el5	1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el5
redhat/java	<1.6.0-ibm-1:1.6.0.6-1jpp.3.el5	1.6.0-ibm-1:1.6.0.6-1jpp.3.el5
IBM Security Verify Governance - Identity Manager	<=10.0
Oracle Java SE 7	=1.5.0
Oracle Java SE 7	=1.5.0-update1
Oracle Java SE 7	=1.5.0-update10
Oracle Java SE 7	=1.5.0-update11
Oracle Java SE 7	=1.5.0-update12
Oracle Java SE 7	=1.5.0-update13
Oracle Java SE 7	=1.5.0-update14
Oracle Java SE 7	=1.5.0-update15
Oracle Java SE 7	=1.5.0-update16
Oracle Java SE 7	=1.5.0-update17
Oracle Java SE 7	=1.5.0-update18
Oracle Java SE 7	=1.5.0-update19
Oracle Java SE 7	=1.5.0-update2
Oracle Java SE 7	=1.5.0-update3
Oracle Java SE 7	=1.5.0-update4
Oracle Java SE 7	=1.5.0-update5
Oracle Java SE 7	=1.5.0-update6
Oracle Java SE 7	=1.5.0-update7
Oracle Java SE 7	=1.5.0-update8
Oracle Java SE 7	=1.5.0-update9
Oracle Java SE 7	=1.6.0
Oracle Java SE 7	=1.6.0-update1
Oracle Java SE 7	=1.6.0-update10
Oracle Java SE 7	=1.6.0-update11
Oracle Java SE 7	=1.6.0-update12
Oracle Java SE 7	=1.6.0-update13
Oracle Java SE 7	=1.6.0-update14
Oracle Java SE 7	=1.6.0-update2
Oracle Java SE 7	=1.6.0-update3
Oracle Java SE 7	=1.6.0-update4
Oracle Java SE 7	=1.6.0-update5
Oracle Java SE 7	=1.6.0-update6
Oracle Java SE 7	=1.6.0-update7
Red Hat Fedora	=10
Red Hat Fedora	=11
openSUSE	=11.0
openSUSE	=11.1
openSUSE	=11.2
SUSE Linux Enterprise Server	=9
SUSE Linux Enterprise Server	=10-sp2
SUSE Linux Enterprise Server	=10-sp3
SUSE Linux Enterprise Server	=11
Debian Linux	=4.0
Debian Linux	=5.0
Ubuntu	=6.06
Ubuntu	=8.04
Ubuntu	=8.10
Ubuntu	=9.04
Ubuntu	=9.10
Oracle Primavera P6 Enterprise Project Portfolio Management	=6.1
Oracle Primavera P6 Enterprise Project Portfolio Management	=6.2.1
Oracle Primavera P6 Enterprise Project Portfolio Management	=7.0
Oracle Primavera Web Services	=6.2.1
Oracle Primavera Web Services	=7.0
Oracle Primavera Web Services	=7.0-sp1
Apache Xerces	=2.9.1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the severity of CVE-2009-2625?
CVE-2009-2625 is classified as a denial of service vulnerability, which can critically impact the availability of affected applications.
How do I fix CVE-2009-2625?
To fix CVE-2009-2625, upgrade the affected Java Runtime Environment to the latest version provided by your vendor.
Which products are affected by CVE-2009-2625?
CVE-2009-2625 affects Java Runtime Environment versions, including specific builds from IBM and Red Hat that use Apache Xerces.
Can CVE-2009-2625 be exploited remotely?
Yes, CVE-2009-2625 can be exploited remotely using specially-crafted XML input that triggers an infinite loop.
What impact does CVE-2009-2625 have on my system?
CVE-2009-2625 can cause applications to hang, leading to potential denial of service and disrupting normal operations.

agent/type
agent/first-publish-date
agent/remedy
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2009-2625
agent/weakness
agent/severity
agent/references
collector/redhat-cve
agent/software-canonical-lookup
agent/description
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
agent/trending
agent/source
agent/author
collector/ibm-support
agent/software-canonical-lookup-request
agent/softwarecombine
agent/tags
collector/nvd-api
collector/nvd-index
collector/nvd-historical
package-manager/redhat
vendor/ibm
canonical/ibm security verify governance - identity manager
version/ibm security verify governance - identity manager/10.0
vendor/oracle
canonical/oracle java se 7
version/oracle java se 7/1.5.0
version/oracle java se 7/1.5.0-update1
version/oracle java se 7/1.5.0-update10
version/oracle java se 7/1.5.0-update11
version/oracle java se 7/1.5.0-update12
version/oracle java se 7/1.5.0-update13
version/oracle java se 7/1.5.0-update14
version/oracle java se 7/1.5.0-update15
version/oracle java se 7/1.5.0-update16
version/oracle java se 7/1.5.0-update17
version/oracle java se 7/1.5.0-update18
version/oracle java se 7/1.5.0-update19
version/oracle java se 7/1.5.0-update2
version/oracle java se 7/1.5.0-update3
version/oracle java se 7/1.5.0-update4
version/oracle java se 7/1.5.0-update5
version/oracle java se 7/1.5.0-update6
version/oracle java se 7/1.5.0-update7
version/oracle java se 7/1.5.0-update8
version/oracle java se 7/1.5.0-update9
version/oracle java se 7/1.6.0
version/oracle java se 7/1.6.0-update1
version/oracle java se 7/1.6.0-update10
version/oracle java se 7/1.6.0-update11
version/oracle java se 7/1.6.0-update12
version/oracle java se 7/1.6.0-update13
version/oracle java se 7/1.6.0-update14
version/oracle java se 7/1.6.0-update2
version/oracle java se 7/1.6.0-update3
version/oracle java se 7/1.6.0-update4
version/oracle java se 7/1.6.0-update5
version/oracle java se 7/1.6.0-update6
version/oracle java se 7/1.6.0-update7
vendor/fedoraproject
canonical/red hat fedora
version/red hat fedora/10
version/red hat fedora/11
vendor/opensuse
canonical/opensuse
version/opensuse/11.0
version/opensuse/11.1
version/opensuse/11.2
vendor/suse
canonical/suse linux enterprise server
version/suse linux enterprise server/9
version/suse linux enterprise server/10-sp2
version/suse linux enterprise server/10-sp3
version/suse linux enterprise server/11
vendor/debian
canonical/debian linux
version/debian linux/4.0
version/debian linux/5.0
vendor/canonical
canonical/ubuntu
version/ubuntu/6.06
version/ubuntu/8.04
version/ubuntu/8.10
version/ubuntu/9.04
version/ubuntu/9.10
canonical/oracle primavera p6 enterprise project portfolio management
version/oracle primavera p6 enterprise project portfolio management/6.1
version/oracle primavera p6 enterprise project portfolio management/6.2.1
version/oracle primavera p6 enterprise project portfolio management/7.0
canonical/oracle primavera web services
version/oracle primavera web services/6.2.1
version/oracle primavera web services/7.0
version/oracle primavera web services/7.0-sp1
vendor/apache
canonical/apache xerces
version/apache xerces/2.9.1

CVE-2009-2625

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2009-2625?

How do I fix CVE-2009-2625?

Which products are affected by CVE-2009-2625?

Can CVE-2009-2625 be exploited remotely?

What impact does CVE-2009-2625 have on my system?

Company

Resources

Contact