National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

CVE-2009-2625 Detail

Description

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Source:  MITRE      Last Modified:  08/06/2009

Quick Info

CVE Dictionary Entry:
CVE-2009-2625
Original release date:
08/06/2009
Last revised:
09/18/2017
Source:
US-CERT/NIST

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score:
5.0 MEDIUM
Vector:
(AV:N/AC:L/Au:N/C:N/I:N/A:P) (legend)
Impact Subscore:
2.9
Exploitability Subscore:
10.0
CVSS Version 2 Metrics:
Access Vector:
Network exploitable
Access Complexity:
Low
Authentication:
Not required to exploit
Impact Type:
Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink Resource Type Source Name
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html External Source APPLE APPLE-SA-2009-09-03-1
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html External Source SUSE SUSE-SR:2009:016
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html External Source SUSE SUSE-SR:2009:017
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html External Source SUSE SUSE-SA:2009:053
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html External Source SUSE SUSE-SR:2010:013
http://marc.info/?l=bugtraq&m=125787273209737&w=2 External Source HP SSRT090250
http://rhn.redhat.com/errata/RHSA-2012-1232.html External Source REDHAT RHSA-2012:1232
http://rhn.redhat.com/errata/RHSA-2012-1537.html External Source REDHAT RHSA-2012:1537
http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026 External Source SLACKWARE SSA:2011-041-02
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1 Patch External Source CONFIRM http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1 Patch; Vendor Advisory External Source SUNALERT 263489
http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1 External Source SUNALERT 272209
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1 External Source SUNALERT 1021506
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=h External Source CONFIRM http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=h
http://www.cert.fi/en/reports/2009/vulnerability2009085.html External Source MISC http://www.cert.fi/en/reports/2009/vulnerability2009085.html
http://www.codenomicon.com/labs/xml/ External Source MISC http://www.codenomicon.com/labs/xml/
http://www.debian.org/security/2010/dsa-1984 External Source DEBIAN DSA-1984
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209 External Source MANDRIVA MDVSA-2009:209
http://www.mandriva.com/security/advisories?name=MDVSA-2011:108 External Source MANDRIVA MDVSA-2011:108
http://www.networkworld.com/columnists/2009/080509-xml-flaw.html External Source MISC http://www.networkworld.com/columnists/2009/080509-xml-flaw.html
http://www.openwall.com/lists/oss-security/2009/09/06/1 External Source MLIST [oss-security] 20090906 Re: Re: expat bug 1990430
http://www.openwall.com/lists/oss-security/2009/10/22/9 External Source MLIST [oss-security] 20091022 Re: Regarding expat bug 1990430
http://www.openwall.com/lists/oss-security/2009/10/23/6 External Source MLIST [oss-security] 20091023 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]
http://www.openwall.com/lists/oss-security/2009/10/26/3 External Source MLIST [oss-security] 20091026 Re: CVE Request -- expat [was: Re: Regarding expat bug 1990430]
http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html External Source CONFIRM http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html External Source CONFIRM http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://www.redhat.com/support/errata/RHSA-2009-1615.html External Source REDHAT RHSA-2009:1615
http://www.redhat.com/support/errata/RHSA-2011-0858.html External Source REDHAT RHSA-2011:0858
http://www.securityfocus.com/archive/1/archive/1/507985/100/0/threaded External Source BUGTRAQ 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components
http://www.securityfocus.com/bid/35958 External Source BID 35958
http://www.securitytracker.com/id?1022680 External Source SECTRACK 1022680
http://www.ubuntu.com/usn/USN-890-1 External Source UBUNTU USN-890-1
http://www.us-cert.gov/cas/techalerts/TA09-294A.html US Government Resource External Source CERT TA09-294A
http://www.us-cert.gov/cas/techalerts/TA10-012A.html US Government Resource External Source CERT TA10-012A
http://www.vmware.com/security/advisories/VMSA-2009-0016.html External Source CONFIRM http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/2543 External Source VUPEN ADV-2009-2543
http://www.vupen.com/english/advisories/2009/3316 External Source VUPEN ADV-2009-3316
http://www.vupen.com/english/advisories/2011/0359 External Source VUPEN ADV-2011-0359
https://bugzilla.redhat.com/show_bug.cgi?id=512921 External Source CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=512921
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520 External Source OVAL oval:org.mitre.oval:def:8520
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356 External Source OVAL oval:org.mitre.oval:def:9356
https://rhn.redhat.com/errata/RHSA-2009-1199.html External Source REDHAT RHSA-2009:1199
https://rhn.redhat.com/errata/RHSA-2009-1200.html External Source REDHAT RHSA-2009:1200
https://rhn.redhat.com/errata/RHSA-2009-1201.html External Source REDHAT RHSA-2009:1201
https://rhn.redhat.com/errata/RHSA-2009-1636.html External Source REDHAT RHSA-2009:1636
https://rhn.redhat.com/errata/RHSA-2009-1637.html External Source REDHAT RHSA-2009:1637
https://rhn.redhat.com/errata/RHSA-2009-1649.html External Source REDHAT RHSA-2009:1649
https://rhn.redhat.com/errata/RHSA-2009-1650.html External Source REDHAT RHSA-2009:1650
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html External Source FEDORA FEDORA-2009-8329
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html External Source FEDORA FEDORA-2009-8337

References to Check Content

Identifier:
oval:org.mitre.oval:def:8520
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:8520
Identifier:
oval:org.mitre.oval:def:9356
Check System:
http://oval.mitre.org/XMLSchema/oval-definitions-5
Hyperlink:
http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:9356

Technical Details

Vulnerability Type (View All)

  • Permissions, Privileges, and Access Control (CWE-264)

Vulnerable software and versions Switch to CPE 2.2

Configuration 1
OR
cpe:2.3:a:sun:jdk:5.0:update_1:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_10:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_11:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_12:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_13:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_14:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_15:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_16:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_17:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_2:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_3:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_4:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_5:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_6:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_7:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_8:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:5.0:update_9:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:6:update_1:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:6:update_10:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:6:update_11:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:6:update_12:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:*:update_13:*:*:*:*:*:*    versions up to (including) 6
cpe:2.3:a:sun:jdk:6:update_2:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:6:update_3:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:6:update_4:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:6:update_5:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:6:update_6:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:6:update_7:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:6:update_8:*:*:*:*:*:*
cpe:2.3:a:sun:jdk:6:update_9:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_1:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_10:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_11:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_12:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_13:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_14:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_15:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_16:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_17:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_19:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_2:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_3:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_4:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_5:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_6:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_7:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_8:*:*:*:*:*:*
cpe:2.3:a:sun:jre:5.0:update_9:*:*:*:*:*:*
cpe:2.3:a:sun:jre:6:update_1:*:*:*:*:*:*
cpe:2.3:a:sun:jre:6:update_10:*:*:*:*:*:*
cpe:2.3:a:sun:jre:6:update_11:*:*:*:*:*:*
cpe:2.3:a:sun:jre:6:update_12:*:*:*:*:*:*
cpe:2.3:a:sun:jre:*:update_13:*:*:*:*:*:*    versions up to (including) 6
cpe:2.3:a:sun:jre:6:update_2:*:*:*:*:*:*
cpe:2.3:a:sun:jre:6:update_3:*:*:*:*:*:*
cpe:2.3:a:sun:jre:6:update_4:*:*:*:*:*:*
cpe:2.3:a:sun:jre:6:update_5:*:*:*:*:*:*
cpe:2.3:a:sun:jre:6:update_6:*:*:*:*:*:*
cpe:2.3:a:sun:jre:6:update_7:*:*:*:*:*:*
cpe:2.3:a:sun:jre:6:update_8:*:*:*:*:*:*
cpe:2.3:a:sun:jre:6:update_9:*:*:*:*:*:*

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History 3 change records found - show changes