CVE-2009-2625

First published: Tue Jul 21 2009(Updated: )

Sun Java Runtime Environment (JRE) is vulnerable to a denial of service, caused by an error in Apache Xerces2 Java. A remote attacker could exploit this vulnerability using specially-crafted XML input, to cause the application to enter into an infinite loop and hang.

Credit: cret@cert.org cret@cert.org

Affected Software	Affected Version	How to fix
IBM Security Verify Governance	<=10.0
redhat/java	<1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el3	1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el3
redhat/java	<1.5.0-sun-0:1.5.0.20-1jpp.1.el4	1.5.0-sun-0:1.5.0.20-1jpp.1.el4
redhat/java	<1.6.0-sun-1:1.6.0.15-1jpp.1.el4	1.6.0-sun-1:1.6.0.15-1jpp.1.el4
redhat/java	<1.5.0-ibm-1:1.5.0.10-1jpp.4.el4	1.5.0-ibm-1:1.5.0.10-1jpp.4.el4
redhat/java	<1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el4	1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el4
redhat/java	<1.6.0-ibm-1:1.6.0.6-1jpp.3.el4	1.6.0-ibm-1:1.6.0.6-1jpp.3.el4
redhat/glassfish-javamail	<0:1.4.2-0jpp.ep1.5.el4	0:1.4.2-0jpp.ep1.5.el4
redhat/glassfish-jsf	<0:1.2_13-2.1.ep1.el4	0:1.2_13-2.1.ep1.el4
redhat/hibernate3	<1:3.2.4-1.SP1_CP09.0jpp.ep1.1.el4	1:3.2.4-1.SP1_CP09.0jpp.ep1.1.el4
redhat/hibernate3-annotations	<0:3.3.1-1.11.GA_CP02.ep1.el4	0:3.3.1-1.11.GA_CP02.ep1.el4
redhat/hibernate3-entitymanager	<0:3.3.2-2.5.GA_CP01.ep1.el4	0:3.3.2-2.5.GA_CP01.ep1.el4
redhat/jacorb	<0:2.3.0-1jpp.ep1.9.el4	0:2.3.0-1jpp.ep1.9.el4
redhat/jakarta-commons-logging-jboss	<0:1.1-9.ep1.el4	0:1.1-9.ep1.el4
redhat/jboss-aop	<0:1.5.5-3.CP04.2.ep1.el4	0:1.5.5-3.CP04.2.ep1.el4
redhat/jbossas	<0:4.2.0-5.GA_CP08.5.ep1.el4	0:4.2.0-5.GA_CP08.5.ep1.el4
redhat/jboss-common	<0:1.2.1-0jpp.ep1.3.el4	0:1.2.1-0jpp.ep1.3.el4
redhat/jboss-remoting	<0:2.2.3-3.SP1.ep1.el4	0:2.2.3-3.SP1.ep1.el4
redhat/jboss-seam	<0:1.2.1-1.ep1.22.el4	0:1.2.1-1.ep1.22.el4
redhat/jbossts	<1:4.2.3-1.SP5_CP08.1jpp.ep1.1.el4	1:4.2.3-1.SP5_CP08.1jpp.ep1.1.el4
redhat/jbossweb	<0:2.0.0-6.CP12.0jpp.ep1.2.el4	0:2.0.0-6.CP12.0jpp.ep1.2.el4
redhat/jcommon	<0:1.0.16-1.1.ep1.el4	0:1.0.16-1.1.ep1.el4
redhat/jfreechart	<0:1.0.13-2.3.1.ep1.el4	0:1.0.13-2.3.1.ep1.el4
redhat/jgroups	<1:2.4.7-1.ep1.el4	1:2.4.7-1.ep1.el4
redhat/quartz	<0:1.5.2-1jpp.patch01.ep1.4.el4	0:1.5.2-1jpp.patch01.ep1.4.el4
redhat/rh-eap-docs	<0:4.2.0-6.GA_CP08.ep1.3.el4	0:4.2.0-6.GA_CP08.ep1.3.el4
redhat/xerces-j2	<0:2.7.1-9jpp.4.patch_02.1.ep1.el4	0:2.7.1-9jpp.4.patch_02.1.ep1.el4
redhat/xml-security	<0:1.3.0-1.3.patch01.ep1.2.el4	0:1.3.0-1.3.patch01.ep1.2.el4
redhat/glassfish-jsf	<0:1.2_13-2.1.ep1.el5	0:1.2_13-2.1.ep1.el5
redhat/hibernate3	<1:3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5	1:3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5
redhat/hibernate3-annotations	<0:3.3.1-1.11GA_CP02.ep1.el5	0:3.3.1-1.11GA_CP02.ep1.el5
redhat/hibernate3-entitymanager	<0:3.3.2-2.5.1.ep1.el5	0:3.3.2-2.5.1.ep1.el5
redhat/jacorb	<0:2.3.0-1jpp.ep1.9.1.el5	0:2.3.0-1jpp.ep1.9.1.el5
redhat/jboss-aop	<0:1.5.5-3.CP04.2.ep1.el5	0:1.5.5-3.CP04.2.ep1.el5
redhat/jbossas	<0:4.2.0-5.GA_CP08.5.2.ep1.el5	0:4.2.0-5.GA_CP08.5.2.ep1.el5
redhat/jboss-common	<0:1.2.1-0jpp.ep1.3.el5.1	0:1.2.1-0jpp.ep1.3.el5.1
redhat/jboss-remoting	<0:2.2.3-3.SP1.ep1.el5	0:2.2.3-3.SP1.ep1.el5
redhat/jboss-seam	<0:1.2.1-1.ep1.14.el5	0:1.2.1-1.ep1.14.el5
redhat/jbossts	<1:4.2.3-1.SP5_CP08.1jpp.ep1.1.el5	1:4.2.3-1.SP5_CP08.1jpp.ep1.1.el5
redhat/jbossweb	<0:2.0.0-6.CP12.0jpp.ep1.2.el5	0:2.0.0-6.CP12.0jpp.ep1.2.el5
redhat/jcommon	<0:1.0.16-1.1.ep1.el5	0:1.0.16-1.1.ep1.el5
redhat/jfreechart	<0:1.0.13-2.3.1.ep1.el5	0:1.0.13-2.3.1.ep1.el5
redhat/jgroups	<1:2.4.7-1.ep1.el5	1:2.4.7-1.ep1.el5
redhat/quartz	<0:1.5.2-1jpp.patch01.ep1.4.1.el5	0:1.5.2-1jpp.patch01.ep1.4.1.el5
redhat/rh-eap-docs	<0:4.2.0-6.GA_CP08.ep1.3.el5	0:4.2.0-6.GA_CP08.ep1.3.el5
redhat/xml-security	<0:1.3.0-1.3.patch01.ep1.2.1.el5	0:1.3.0-1.3.patch01.ep1.2.1.el5
redhat/java	<1.6.0-openjdk-1:1.6.0.0-1.2.b09.el5	1.6.0-openjdk-1:1.6.0.0-1.2.b09.el5
redhat/xerces-j2	<0:2.7.1-7jpp.2.el5_4.2	0:2.7.1-7jpp.2.el5_4.2
redhat/xerces-j2	<0:2.7.1-12.6.el6_0	0:2.7.1-12.6.el6_0
redhat/glassfish-jaxb	<0:2.1.4-1.12.patch03.ep1.el4	0:2.1.4-1.12.patch03.ep1.el4
redhat/jbossas	<0:4.3.0-6.GA_CP07.4.ep1.el4	0:4.3.0-6.GA_CP07.4.ep1.el4
redhat/jboss-messaging	<0:1.4.0-3.SP3_CP09.4.ep1.el4	0:1.4.0-3.SP3_CP09.4.ep1.el4
redhat/jboss-seam	<0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.18.el4	0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.18.el4
redhat/jboss-seam2	<0:2.0.2.FP-1.ep1.21.el4	0:2.0.2.FP-1.ep1.21.el4
redhat/jbossws	<0:2.0.1-4.SP2_CP07.2.ep1.el4	0:2.0.1-4.SP2_CP07.2.ep1.el4
redhat/jbossws-common	<0:1.0.0-2.GA_CP05.1.ep1.el4	0:1.0.0-2.GA_CP05.1.ep1.el4
redhat/jbossws-framework	<0:2.0.1-1.GA_CP05.1.ep1.el4	0:2.0.1-1.GA_CP05.1.ep1.el4
redhat/rh-eap-docs	<0:4.3.0-6.GA_CP07.ep1.3.el4	0:4.3.0-6.GA_CP07.ep1.3.el4
redhat/glassfish-jaxb	<0:2.1.4-1.12.patch03.1.ep1.el5	0:2.1.4-1.12.patch03.1.ep1.el5
redhat/jbossas	<0:4.3.0-6.GA_CP07.4.2.ep1.el5	0:4.3.0-6.GA_CP07.4.2.ep1.el5
redhat/jboss-messaging	<0:1.4.0-3.SP3_CP09.4.ep1.el5	0:1.4.0-3.SP3_CP09.4.ep1.el5
redhat/jboss-seam	<0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1	0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1
redhat/jboss-seam2	<0:2.0.2.FP-1.ep1.18.el5	0:2.0.2.FP-1.ep1.18.el5
redhat/jbossws	<0:2.0.1-4.SP2_CP07.2.1.ep1.el5	0:2.0.1-4.SP2_CP07.2.1.ep1.el5
redhat/jbossws-common	<0:1.0.0-2.GA_CP05.1.ep1.el5	0:1.0.0-2.GA_CP05.1.ep1.el5
redhat/jbossws-framework	<0:2.0.1-1.GA_CP05.1.ep1.el5	0:2.0.1-1.GA_CP05.1.ep1.el5
redhat/rh-eap-docs	<0:4.3.0-6.GA_CP07.ep1.3.el5	0:4.3.0-6.GA_CP07.ep1.3.el5
redhat/java	<1.5.0-sun-0:1.5.0.22-1jpp.1.el4	1.5.0-sun-0:1.5.0.22-1jpp.1.el4
redhat/java	<1.6.0-ibm-1:1.6.0.7-1jpp.3.el4	1.6.0-ibm-1:1.6.0.7-1jpp.3.el4
redhat/java	<1.4.2-ibm-0:1.4.2.13.2.sap-1jpp.4.el4_8	1.4.2-ibm-0:1.4.2.13.2.sap-1jpp.4.el4_8
redhat/java	<1.4.2-ibm-0:1.4.2.13.2.sap-1jpp.4.el5_3	1.4.2-ibm-0:1.4.2.13.2.sap-1jpp.4.el5_3
redhat/jasperreports-server-pro	<0:4.7.1-2.el6e	0:4.7.1-2.el6e
redhat/java	<1.5.0-sun-0:1.5.0.20-1jpp.1.el5	1.5.0-sun-0:1.5.0.20-1jpp.1.el5
redhat/java	<1.6.0-sun-1:1.6.0.15-1jpp.1.el5	1.6.0-sun-1:1.6.0.15-1jpp.1.el5
redhat/java	<1.5.0-ibm-1:1.5.0.10-1jpp.4.el5	1.5.0-ibm-1:1.5.0.10-1jpp.4.el5
redhat/java	<1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el5	1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el5
redhat/java	<1.6.0-ibm-1:1.6.0.6-1jpp.3.el5	1.6.0-ibm-1:1.6.0.6-1jpp.3.el5
Oracle JDK	=1.5.0-update11
Oracle JDK	=1.5.0-update1
Oracle JDK	=1.5.0-update2
Oracle JDK	=1.5.0-update3
Oracle JDK	=1.5.0-update5
Oracle JDK	=1.5.0-update6
Oracle JDK	=1.5.0-update7
Oracle JDK	=1.5.0-update8
Oracle JDK	=1.5.0-update9
Oracle JDK	=1.5.0-update10
Oracle JDK	=1.5.0-update12
Oracle JDK	=1.5.0-update13
Oracle JDK	=1.5.0-update14
Oracle JDK	=1.5.0-update15
Oracle JDK	=1.5.0-update16
Oracle JDK	=1.5.0-update17
Oracle JDK	=1.5.0-update18
Oracle JDK	=1.5.0-update19
Oracle JDK	=1.5.0
Oracle JDK	=1.5.0-update4
Oracle JDK	=1.6.0
Oracle JDK	=1.6.0-update10
Oracle JDK	=1.6.0-update12
Oracle JDK	=1.6.0-update13
Oracle JDK	=1.6.0-update14
Oracle JDK	=1.6.0-update11
Oracle JDK	=1.6.0-update1
Oracle JDK	=1.6.0-update2
Oracle JDK	=1.6.0-update3
Oracle JDK	=1.6.0-update4
Oracle JDK	=1.6.0-update5
Oracle JDK	=1.6.0-update7
Oracle JDK	=1.6.0-update6
Fedoraproject Fedora	=11
Fedoraproject Fedora	=10
openSUSE openSUSE	=11.1
SUSE Linux Enterprise Server	=9
openSUSE openSUSE	=11.0
openSUSE openSUSE	=11.2
SUSE Linux Enterprise Server	=10-sp2
SUSE Linux Enterprise Server	=11
SUSE Linux Enterprise Server	=10-sp3
Debian Debian Linux	=5.0
Debian Debian Linux	=4.0
Canonical Ubuntu Linux	=9.04
Canonical Ubuntu Linux	=8.10
Canonical Ubuntu Linux	=9.10
Canonical Ubuntu Linux	=8.04
Canonical Ubuntu Linux	=6.06
Oracle Primavera Web Services	=7.0
Oracle Primavera Web Services	=7.0-sp1
Oracle Primavera Web Services	=6.2.1
Oracle Primavera P6 Enterprise Project Portfolio Management	=6.2.1
Oracle Primavera P6 Enterprise Project Portfolio Management	=7.0
Oracle Primavera P6 Enterprise Project Portfolio Management	=6.1
Apache Xerces2 Java	=2.9.1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

collector/ibm-support
agent/author
agent/type
agent/first-publish-date
agent/last-modified-date
agent/remedy
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2009-2625
agent/weakness
agent/severity
agent/references
agent/event
collector/redhat-cve
agent/software-canonical-lookup
agent/description
agent/tags
collector/nvd-historical
agent/software-canonical-lookup-request
collector/nvd-api
collector/nvd-index
agent/softwarecombine
collector/mitre-cve
source/MITRE
vendor/ibm
canonical/ibm security verify governance
version/ibm security verify governance/10.0
package-manager/redhat
vendor/oracle
canonical/oracle jdk
version/oracle jdk/1.5.0-update11
version/oracle jdk/1.5.0-update1
version/oracle jdk/1.5.0-update2
version/oracle jdk/1.5.0-update3
version/oracle jdk/1.5.0-update5
version/oracle jdk/1.5.0-update6
version/oracle jdk/1.5.0-update7
version/oracle jdk/1.5.0-update8
version/oracle jdk/1.5.0-update9
version/oracle jdk/1.5.0-update10
version/oracle jdk/1.5.0-update12
version/oracle jdk/1.5.0-update13
version/oracle jdk/1.5.0-update14
version/oracle jdk/1.5.0-update15
version/oracle jdk/1.5.0-update16
version/oracle jdk/1.5.0-update17
version/oracle jdk/1.5.0-update18
version/oracle jdk/1.5.0-update19
version/oracle jdk/1.5.0
version/oracle jdk/1.5.0-update4
version/oracle jdk/1.6.0
version/oracle jdk/1.6.0-update10
version/oracle jdk/1.6.0-update12
version/oracle jdk/1.6.0-update13
version/oracle jdk/1.6.0-update14
version/oracle jdk/1.6.0-update11
version/oracle jdk/1.6.0-update1
version/oracle jdk/1.6.0-update2
version/oracle jdk/1.6.0-update3
version/oracle jdk/1.6.0-update4
version/oracle jdk/1.6.0-update5
version/oracle jdk/1.6.0-update7
version/oracle jdk/1.6.0-update6
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/11
version/fedoraproject fedora/10
vendor/opensuse
canonical/opensuse opensuse
version/opensuse opensuse/11.1
vendor/suse
canonical/suse linux enterprise server
version/suse linux enterprise server/9
version/opensuse opensuse/11.0
version/opensuse opensuse/11.2
version/suse linux enterprise server/10-sp2
version/suse linux enterprise server/11
version/suse linux enterprise server/10-sp3
vendor/debian
canonical/debian debian linux
version/debian debian linux/5.0
version/debian debian linux/4.0
vendor/canonical
canonical/canonical ubuntu linux
version/canonical ubuntu linux/9.04
version/canonical ubuntu linux/8.10
version/canonical ubuntu linux/9.10
version/canonical ubuntu linux/8.04
version/canonical ubuntu linux/6.06
canonical/oracle primavera web services
version/oracle primavera web services/7.0
version/oracle primavera web services/7.0-sp1
version/oracle primavera web services/6.2.1
canonical/oracle primavera p6 enterprise project portfolio management
version/oracle primavera p6 enterprise project portfolio management/6.2.1
version/oracle primavera p6 enterprise project portfolio management/7.0
version/oracle primavera p6 enterprise project portfolio management/6.1
vendor/apache
canonical/apache xerces2 java
version/apache xerces2 java/2.9.1

CVE-2009-2625

Remedy

Remedy

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact