CVE-2009-2625

JDK: XML parsing Denial-Of-Service (6845701)

Severity Score

5.0

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Apache Xerces2 Java, tal como se utiliza en Sun Java Runtime Environment (JRE) en JDK y JRE v6 anterior a la actualización 15 y el JDK y JRE v5.0 antes de la actualización 20, y en otros productos, permite a atacantes remotos provocar una denegación de servicio (bucle infinito y la cuelgue de aplicación) a través de una entrada XML malformada, como lo demuestra Codenomicon XML fuzzing framework.

*Credits: N/A

CVSS Scores

NISTv2 5.0

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-07-28 CVE Reserved
2009-08-06 CVE Published
2024-07-13 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (61)

URL	Tag	Source
http://secunia.com/advisories/36162	Third Party Advisory
http://secunia.com/advisories/36176	Third Party Advisory
http://secunia.com/advisories/36180	Third Party Advisory
http://secunia.com/advisories/36199	Third Party Advisory
http://secunia.com/advisories/37300	Third Party Advisory
http://secunia.com/advisories/37460	Third Party Advisory
http://secunia.com/advisories/37671	Third Party Advisory
http://secunia.com/advisories/37754	Third Party Advisory
http://secunia.com/advisories/38231	Third Party Advisory
http://secunia.com/advisories/38342	Third Party Advisory
http://secunia.com/advisories/43300	Third Party Advisory
http://secunia.com/advisories/50549	Third Party Advisory
http://www.cert.fi/en/reports/2009/vulnerability2009085.html	Third Party Advisory
http://www.codenomicon.com/labs/xml	Third Party Advisory
http://www.networkworld.com/columnists/2009/080509-xml-flaw.html	Third Party Advisory
http://www.openwall.com/lists/oss-security/2009/09/06/1	Mailing List
http://www.openwall.com/lists/oss-security/2009/10/23/6	Mailing List
http://www.openwall.com/lists/oss-security/2009/10/26/3	Mailing List
http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html	Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html	Broken Link
http://www.securityfocus.com/archive/1/507985/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/35958	Third Party Advisory
http://www.securitytracker.com/id?1022680	Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA09-294A.html	Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA10-012A.html	Third Party Advisory
http://www.vmware.com/security/advisories/VMSA-2009-0016.html	Third Party Advisory
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E	Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520	Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356	Signature

URL	Date	SRC

URL	Date	SRC
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1	2023-11-07
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1	2023-11-07
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=h	2023-11-07
http://www.openwall.com/lists/oss-security/2009/10/22/9	2023-11-07

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html	2023-11-07
http://marc.info/?l=bugtraq&m=125787273209737&w=2	2023-11-07
http://rhn.redhat.com/errata/RHSA-2012-1232.html	2023-11-07
http://rhn.redhat.com/errata/RHSA-2012-1537.html	2023-11-07
http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026	2023-11-07
http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1	2023-11-07
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1	2023-11-07
http://www.debian.org/security/2010/dsa-1984	2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209	2023-11-07
http://www.mandriva.com/security/advisories?name=MDVSA-2011:108	2023-11-07
http://www.redhat.com/support/errata/RHSA-2009-1615.html	2023-11-07
http://www.redhat.com/support/errata/RHSA-2011-0858.html	2023-11-07
http://www.ubuntu.com/usn/USN-890-1	2023-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=512921	2013-04-22
https://rhn.redhat.com/errata/RHSA-2009-1199.html	2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1200.html	2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1201.html	2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1636.html	2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1637.html	2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1649.html	2023-11-07
https://rhn.redhat.com/errata/RHSA-2009-1650.html	2023-11-07
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html	2023-11-07
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html	2023-11-07
https://access.redhat.com/security/cve/CVE-2009-2625	2013-04-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		-		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update1		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update10		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update11		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update12		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update13		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update14		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update15		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update16		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update17		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update18		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update19		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update2		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update3		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update4		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update5		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update6		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update7		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update8		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.5.0 Search vendor "Oracle" for product "Jdk" and version "1.5.0"		update9		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		-		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update1		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update10		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update11		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update12		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update13		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update14		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update2		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update3		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update4		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update5		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update6		Affected
Oracle Search vendor "Oracle"		Jdk Search vendor "Oracle" for product "Jdk"				1.6.0 Search vendor "Oracle" for product "Jdk" and version "1.6.0"		update7		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				10 Search vendor "Fedoraproject" for product "Fedora" and version "10"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				11 Search vendor "Fedoraproject" for product "Fedora" and version "11"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				11.0 Search vendor "Opensuse" for product "Opensuse" and version "11.0"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				11.1 Search vendor "Opensuse" for product "Opensuse" and version "11.1"		-		Affected
Opensuse Search vendor "Opensuse"		Opensuse Search vendor "Opensuse" for product "Opensuse"				11.2 Search vendor "Opensuse" for product "Opensuse" and version "11.2"		-		Affected
Suse Search vendor "Suse"		Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server"				9 Search vendor "Suse" for product "Linux Enterprise Server" and version "9"		-		Affected
Suse Search vendor "Suse"		Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server"				10 Search vendor "Suse" for product "Linux Enterprise Server" and version "10"		sp2		Affected
Suse Search vendor "Suse"		Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server"				10 Search vendor "Suse" for product "Linux Enterprise Server" and version "10"		sp3		Affected
Suse Search vendor "Suse"		Linux Enterprise Server Search vendor "Suse" for product "Linux Enterprise Server"				11 Search vendor "Suse" for product "Linux Enterprise Server" and version "11"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				4.0 Search vendor "Debian" for product "Debian Linux" and version "4.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				5.0 Search vendor "Debian" for product "Debian Linux" and version "5.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				6.06 Search vendor "Canonical" for product "Ubuntu Linux" and version "6.06"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				8.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				8.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				9.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "9.04"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				9.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "9.10"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				6.1 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version "6.1"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				6.2.1 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version "6.2.1"		-		Affected
Oracle Search vendor "Oracle"		Primavera P6 Enterprise Project Portfolio Management Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management"				7.0 Search vendor "Oracle" for product "Primavera P6 Enterprise Project Portfolio Management" and version "7.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera Web Services Search vendor "Oracle" for product "Primavera Web Services"				6.2.1 Search vendor "Oracle" for product "Primavera Web Services" and version "6.2.1"		-		Affected
Oracle Search vendor "Oracle"		Primavera Web Services Search vendor "Oracle" for product "Primavera Web Services"				7.0 Search vendor "Oracle" for product "Primavera Web Services" and version "7.0"		-		Affected
Oracle Search vendor "Oracle"		Primavera Web Services Search vendor "Oracle" for product "Primavera Web Services"				7.0 Search vendor "Oracle" for product "Primavera Web Services" and version "7.0"		sp1		Affected
Apache Search vendor "Apache"		Xerces2 Java Search vendor "Apache" for product "Xerces2 Java"				2.9.1 Search vendor "Apache" for product "Xerces2 Java" and version "2.9.1"		-		Affected