Vulnerability Description
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
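The failure mode above is a parser that never returns, which hangs whichever thread called it. The following is an added example, not code from the advisory, from Apache Xerces or from any vendor listed here: it runs untrusted XML through the JDK's SAX parser on a worker thread under a hard deadline so that a hang is reported as a timeout instead of freezing the caller. The class name, the 2 s deadline, the 1 MiB size cap and the two sample documents are assumptions chosen for illustration; the sample inputs are constructed and neither of them triggers this CVE.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example, not code from the advisory or from Apache Xerces: parse
 * untrusted XML on a worker thread under a hard deadline, so that a parser
 * that never returns (the failure mode described for CVE-2009-2625) is
 * reported as a timeout instead of hanging the caller. The deadline, size
 * cap, class name and sample inputs are assumptions chosen for illustration.
 */
public final class BoundedXmlParse {

    private static final long DEADLINE_MS = 2_000;   // assumed per-document budget
    private static final int MAX_BYTES = 1 << 20;    // assumed input cap (1 MiB)

    // Daemon threads: a worker stuck in an infinite loop must not keep the JVM alive.
    private static final ExecutorService POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "xml-parse");
        t.setDaemon(true);
        return t;
    });

    public enum Result { OK, MALFORMED, TIMEOUT, TOO_LARGE }

    public static Result parse(byte[] input) throws Exception {
        if (input.length > MAX_BYTES) {
            return Result.TOO_LARGE;
        }
        Callable<Result> job = () -> {
            SAXParserFactory f = SAXParserFactory.newInstance();
            // Standard hardening for untrusted XML (secure processing, no DTDs).
            // It does not fix this CVE; only the vendor update does.
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            SAXParser p = f.newSAXParser();
            try (InputStream in = new ByteArrayInputStream(input)) {
                // DefaultHandler rethrows fatal errors, so malformed documents fail here.
                p.parse(new InputSource(in), new DefaultHandler());
                return Result.OK;
            } catch (SAXParseException e) {
                return Result.MALFORMED;
            }
        };

        Future<Result> future = POOL.submit(job);
        try {
            return future.get(DEADLINE_MS, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // A CPU-bound loop inside the scanner does not observe interrupts, so
            // cancel(true) only abandons the task; the worker keeps spinning until
            // the JVM exits. The deadline protects the caller, not the CPU.
            future.cancel(true);
            return Result.TIMEOUT;
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof Exception) {
                throw (Exception) cause;
            }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; neither is a trigger for CVE-2009-2625.
        byte[] wellFormed = "<doc><item id=\"1\">hello</item></doc>".getBytes(StandardCharsets.UTF_8);
        byte[] truncated = "<doc><item>unterminated".getBytes(StandardCharsets.UTF_8);
        System.out.println("well-formed document: " + parse(wellFormed));
        System.out.println("truncated document:   " + parse(truncated));
        POOL.shutdown();
    }
}
```

Compile and run with `javac BoundedXmlParse.java && java BoundedXmlParse`. Treat a `TIMEOUT` result as an incident signal, not a routine error: the abandoned worker still burns a core, so repeated timeouts mean the host is being driven toward exhaustion and the only real remedy is the vendor update. Note also that the JDK's default `SAXParserFactory` is the Xerces copy bundled with the runtime, which is why the JDK and JRE update levels in the description matter even for applications that ship no xerces.jar of their own.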
CVSS Score
5.0 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | JDK | 1.5.0 |
| Fedora Project | Fedora | 10 |
| openSUSE | openSUSE | 11.0 |
| SUSE | Linux Enterprise Server | 9 |
| Debian | Debian Linux | 4.0 |
| Canonical | Ubuntu Linux | 6.06 |
| Oracle | Primavera P6 Enterprise Project Portfolio Management | 6.1 |
| Oracle | Primavera Web Services | 6.2.1 |
| Apache | Xerces2 Java | 2.9.1 |

The table records one version per product. The description above is broader: every JDK and JRE 6 build before Update 15 and every JDK and JRE 5.0 build before Update 20 is affected, as is any other product that bundles a vulnerable Xerces2 Java.
References
- http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html (Third Party Advisory)
- http://marc.info/?l=bugtraq&m=125787273209737&w=2 (Mailing List, Third Party Advisory)
- http://rhn.redhat.com/errata/RHSA-2012-1232.html (Broken Link)
- http://rhn.redhat.com/errata/RHSA-2012-1537.html (Broken Link)
- http://secunia.com/advisories/36162 (Third Party Advisory)
- http://secunia.com/advisories/36176 (Third Party Advisory)
- http://secunia.com/advisories/36180 (Third Party Advisory)
- http://secunia.com/advisories/36199 (Third Party Advisory)
- http://secunia.com/advisories/37300 (Third Party Advisory)
- http://secunia.com/advisories/37460 (Third Party Advisory)
- http://secunia.com/advisories/37671 (Third Party Advisory)
FAQ
What is CVE-2009-2625?
CVE-2009-2625 is a vulnerability with a CVSS score of 5.0 (MEDIUM). XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
How severe is CVE-2009-2625?
CVE-2009-2625 is rated MEDIUM with a CVSS base score of 5.0/10. This page gives only the base score and rating; the description makes the impact availability only: a remote, unauthenticated attacker can hang the application by submitting malformed XML, with no confidentiality or integrity loss.
Is there a patch for CVE-2009-2625?
No patch is linked directly on this page. For the Sun/Oracle runtime, the description itself gives the fixed releases: JDK and JRE 6 Update 15 and JDK and JRE 5.0 Update 20. For Xerces2 Java itself, for the Oracle Primavera products and for the Linux distributions listed (Fedora, openSUSE, SUSE Linux Enterprise Server, Debian, Ubuntu), use the vendor advisories in the references section; note that the two Red Hat errata links there are marked as broken.