CVE-2009-2625

medium

Description

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

References

http://www.networkworld.com/columnists/2009/080509-xml-flaw.html

http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1

http://www.codenomicon.com/labs/xml/

http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1

http://www.cert.fi/en/reports/2009/vulnerability2009085.html

https://rhn.redhat.com/errata/RHSA-2009-1200.html

https://rhn.redhat.com/errata/RHSA-2009-1201.html

http://www.securitytracker.com/id?1022680

http://secunia.com/advisories/36176

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html

http://secunia.com/advisories/36180

http://secunia.com/advisories/36162

https://rhn.redhat.com/errata/RHSA-2009-1199.html

https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html

http://secunia.com/advisories/36199

http://www.securityfocus.com/bid/35958

http://www.mandriva.com/security/advisories?name=MDVSA-2009:209

http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html

http://www.vupen.com/english/advisories/2009/2543

http://www.us-cert.gov/cas/techalerts/TA09-294A.html

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html

http://www.openwall.com/lists/oss-security/2009/09/06/1

http://www.openwall.com/lists/oss-security/2009/10/22/9

http://www.openwall.com/lists/oss-security/2009/10/23/6

http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=h

http://www.openwall.com/lists/oss-security/2009/10/26/3

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html

http://secunia.com/advisories/37300

http://marc.info/?l=bugtraq&m=125787273209737&w=2

http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1

http://secunia.com/advisories/37671

http://secunia.com/advisories/37754

http://www.vupen.com/english/advisories/2009/3316

https://rhn.redhat.com/errata/RHSA-2009-1650.html

http://www.redhat.com/support/errata/RHSA-2009-1615.html

https://rhn.redhat.com/errata/RHSA-2009-1636.html

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

https://rhn.redhat.com/errata/RHSA-2009-1637.html

http://secunia.com/advisories/37460

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html

https://rhn.redhat.com/errata/RHSA-2009-1649.html

https://bugzilla.redhat.com/show_bug.cgi?id=512921

http://www.us-cert.gov/cas/techalerts/TA10-012A.html

http://www.debian.org/security/2010/dsa-1984

http://secunia.com/advisories/38342

http://secunia.com/advisories/38231

http://www.ubuntu.com/usn/USN-890-1

http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1

http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html

http://secunia.com/advisories/43300

http://www.vupen.com/english/advisories/2011/0359

http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026

http://www.mandriva.com/security/advisories?name=MDVSA-2011:108

http://www.redhat.com/support/errata/RHSA-2011-0858.html

http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html

http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html

http://secunia.com/advisories/50549

http://rhn.redhat.com/errata/RHSA-2012-1232.html

http://rhn.redhat.com/errata/RHSA-2012-1537.html

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520

http://www.securityfocus.com/archive/1/507985/100/0/threaded

https://lists.apache.org/thread.html/[email protected]%3Csolr-user.lucene.apache.org%3E

Details

Source: MITRE

Published: 2009-08-06

Updated: 2021-09-22

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:oracle:jdk:1.5.0:-:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update1:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update10:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update11:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update12:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update13:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update14:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update15:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update16:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update17:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update18:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update19:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update2:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update3:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update4:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update5:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update6:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update7:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update8:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.5.0:update9:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:-:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_01:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_02:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_03:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_04:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_05:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_06:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_07:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_10:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_11:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_12:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_13:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.6.0:update_14:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:o:opensuse:opensuse:11.0:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:11.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:opensuse:11.2:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:10:sp2:*:*:*:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:10:sp3:*:*:-:*:*:*

cpe:2.3:o:suse:linux_enterprise_server:11:-:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:9.10:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:6.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:6.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:7.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_web_services:6.2.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_web_services:7.0:-:*:*:*:*:*:*

cpe:2.3:a:oracle:primavera_web_services:7.0:sp1:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:a:apache:xerces2_java:2.9.1:*:*:*:*:*:*:*

Tenable Plugins


| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 107968 | Solaris 10 (x86) : 128641-30 | Nessus | Solaris Local Security Checks | medium |
| 107913 | Solaris 10 (x86) : 124673-20 | Nessus | Solaris Local Security Checks | medium |
| 107810 | Solaris 10 (x86) : 119167-43 | Nessus | Solaris Local Security Checks | high |
| 107469 | Solaris 10 (sparc) : 128640-30 | Nessus | Solaris Local Security Checks | medium |
| 107416 | Solaris 10 (sparc) : 125136-75 | Nessus | Solaris Local Security Checks | critical |
| 107415 | Solaris 10 (sparc) : 125136-71 | Nessus | Solaris Local Security Checks | critical |
| 107410 | Solaris 10 (sparc) : 124672-20 | Nessus | Solaris Local Security Checks | medium |
| 89736 | VMware ESX Java Runtime Environment (JRE) Multiple Vulnerabilities (VMSA-2010-0002) (remote check) | Nessus | VMware ESX Local Security Checks | critical |
| 89117 | VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check) | Nessus | Misc. | critical |
| 79892 | F5 Networks BIG-IP : Expat vulnerabilities (K15905) | Nessus | F5 Networks Local Security Checks | medium |
| 78942 | RHEL 6 : Virtualization Manager (RHSA-2012:1537) | Nessus | Red Hat Local Security Checks | medium |
| 68288 | Oracle Linux 6 : xerces-j2 (ELSA-2011-0858) | Nessus | Oracle Linux Local Security Checks | medium |
| 67963 | Oracle Linux 5 : xerces-j2 (ELSA-2009-1615) | Nessus | Oracle Linux Local Security Checks | medium |
| 67905 | Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2009-1201) | Nessus | Oracle Linux Local Security Checks | critical |
| 64830 | Sun Java JRE Multiple Vulnerabilities (263408 / 263409 / 263428 ..) (Unix) | Nessus | Misc. | critical |
| 63906 | RHEL 5 : JBoss EAP (RHSA-2009:1650) | Nessus | Red Hat Local Security Checks | medium |
| 63905 | RHEL 5 : JBoss EAP (RHSA-2009:1649) | Nessus | Red Hat Local Security Checks | medium |
| 63904 | RHEL 4 : JBoss EAP (RHSA-2009:1637) | Nessus | Red Hat Local Security Checks | medium |
| 63903 | RHEL 4 : JBoss EAP (RHSA-2009:1636) | Nessus | Red Hat Local Security Checks | medium |
| 61068 | Scientific Linux Security Update : xerces-j2 on SL6.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 60699 | Scientific Linux Security Update : xerces-j2 on SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | medium |
| 60645 | Scientific Linux Security Update : java (jdk 1.6.0) on SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | critical |
| 60633 | Scientific Linux Security Update : java-1.6.0-openjdk on SL5.3 i386/x86_64 | Nessus | Scientific Linux Local Security Checks | critical |
| 55111 | Mandriva Linux Security Advisory : xerces-j2 (MDVSA-2011:108) | Nessus | Mandriva Local Security Checks | medium |
| 55012 | RHEL 6 : xerces-j2 (RHSA-2011:0858) | Nessus | Red Hat Local Security Checks | medium |
| 53539 | RHEL 4 : Sun Java Runtime in Satellite Server (RHSA-2009:1662) | Nessus | Red Hat Local Security Checks | critical |
| 51941 | Slackware 11.0 / 12.0 / 12.1 / 12.2 / 13.0 / 13.1 / current : expat (SSA:2011-041-02) | Nessus | Slackware Local Security Checks | medium |
| 51754 | SuSE 10 Security Update : libxmlrpc (ZYPP Patch Number 6862) | Nessus | SuSE Local Security Checks | medium |
| 51753 | SuSE 10 Security Update : libxmlrpc (ZYPP Patch Number 6857) | Nessus | SuSE Local Security Checks | medium |
| 50943 | SuSE 11 Security Update : Python (SAT Patch Number 2175) | Nessus | SuSE Local Security Checks | medium |
| 49922 | SuSE 10 Security Update : Python (ZYPP Patch Number 6946) | Nessus | SuSE Local Security Checks | medium |
| 49859 | SuSE 10 Security Update : IBM Java 1.4.2 (ZYPP Patch Number 6523) | Nessus | SuSE Local Security Checks | high |
| 47107 | SuSE9 Security Update : xmlrpc-c (YOU Patch Number 12591) | Nessus | SuSE Local Security Checks | medium |
| 46343 | openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2010:0247-1) | Nessus | SuSE Local Security Checks | medium |
| 46341 | openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2010:0247-1) | Nessus | SuSE Local Security Checks | medium |
| 46339 | openSUSE Security Update : libpython2_6-1_0 (openSUSE-SU-2010:0247-1) | Nessus | SuSE Local Security Checks | medium |
| 46335 | SuSE9 Security Update : Python (YOU Patch Number 12600) | Nessus | SuSE Local Security Checks | medium |
| 45549 | Ubuntu 8.04 LTS / 8.10 / 9.04 : cmake vulnerabilities (USN-890-6) | Nessus | Ubuntu Local Security Checks | medium |
| 45386 | VMSA-2010-0002 : VMware vCenter update release addresses multiple security issues in Java JRE | Nessus | VMware ESX Local Security Checks | critical |
| 44848 | Debian DSA-1984-1 : libxerces2-java - denial of service | Nessus | Debian Local Security Checks | medium |
| 44786 | Debian DSA-1921-1 : expat - denial of service | Nessus | Debian Local Security Checks | medium |
| 44684 | openSUSE Security Update : libexpat0 (libexpat0-2035) | Nessus | SuSE Local Security Checks | medium |
| 44681 | openSUSE Security Update : libexpat0 (libexpat0-2035) | Nessus | SuSE Local Security Checks | medium |
| 44679 | openSUSE Security Update : libexpat0 (libexpat0-2035) | Nessus | SuSE Local Security Checks | medium |
| 44669 | Ubuntu 9.10 : xmlrpc-c vulnerabilities (USN-890-5) | Nessus | Ubuntu Local Security Checks | medium |
| 44323 | Ubuntu 6.06 LTS : python-xml vulnerabilities (USN-890-4) | Nessus | Ubuntu Local Security Checks | medium |
| 44133 | Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : python2.4 vulnerabilities (USN-890-3) | Nessus | Ubuntu Local Security Checks | medium |
| 44115 | Ubuntu 8.04 LTS / 8.10 / 9.04 / 9.10 : python2.5 vulnerabilities (USN-890-2) | Nessus | Ubuntu Local Security Checks | medium |
| 44108 | Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : expat vulnerabilities (USN-890-1) | Nessus | Ubuntu Local Security Checks | medium |
| 44029 | RHEL 4 / 5 : IBM Java Runtime in Satellite Server (RHSA-2010:0043) | Nessus | Red Hat Local Security Checks | critical |
| 43807 | CentOS 5 : xerces-j2 (CESA-2009:1615) | Nessus | CentOS Local Security Checks | medium |
| 43774 | CentOS 5 : java-1.6.0-openjdk (CESA-2009:1201) | Nessus | CentOS Local Security Checks | critical |
| 42944 | RHEL 5 : xerces-j2 (RHSA-2009:1615) | Nessus | Red Hat Local Security Checks | medium |
| 42870 | VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components. | Nessus | VMware ESX Local Security Checks | medium |
| 42790 | RHEL 4 / 5 : java-1.6.0-ibm (RHSA-2009:1582) | Nessus | Red Hat Local Security Checks | critical |
| 42396 | SuSE 11 Security Update : IBM Java 1.6.0 (SAT Patch Number 1497) | Nessus | SuSE Local Security Checks | critical |
| 42135 | RHEL 3 / 4 / 5 : java-1.4.2-ibm (RHSA-2009:1505) | Nessus | Red Hat Local Security Checks | high |
| 42041 | openSUSE 10 Security Update : xerces-j2 (xerces-j2-6445) | Nessus | SuSE Local Security Checks | medium |
| 41967 | SuSE 10 Security Update : IBM Java 1.4.2 (ZYPP Patch Number 6508) | Nessus | SuSE Local Security Checks | high |
| 41956 | SuSE 11 Security Update : IBM Java 1.4.2 (SAT Patch Number 1336) | Nessus | SuSE Local Security Checks | high |
| 41954 | SuSE9 Security Update : IBM Java2 JRE and SDK (YOU Patch Number 12511) | Nessus | SuSE Local Security Checks | high |
| 41623 | openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-1330) | Nessus | SuSE Local Security Checks | critical |
| 41622 | openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-1330) | Nessus | SuSE Local Security Checks | critical |
| 41599 | SuSE 10 Security Update : Xerces-j2 (ZYPP Patch Number 6449) | Nessus | SuSE Local Security Checks | medium |
| 41462 | SuSE 11 Security Update : Xerces-j2 (SAT Patch Number 1235) | Nessus | SuSE Local Security Checks | medium |
| 40873 | Mac OS X : Java for Mac OS X 10.5 Update 5 | Nessus | MacOS X Local Security Checks | high |
| 40819 | openSUSE Security Update : kompozer (kompozer-1249) | Nessus | SuSE Local Security Checks | medium |
| 40814 | RHEL 4 / 5 : java-1.5.0-ibm (RHSA-2009:1236) | Nessus | Red Hat Local Security Checks | critical |
| 40792 | openSUSE Security Update : xerces-j2 (xerces-j2-1233) | Nessus | SuSE Local Security Checks | medium |
| 40786 | openSUSE Security Update : xerces-j2 (xerces-j2-1233) | Nessus | SuSE Local Security Checks | medium |
| 40749 | RHEL 4 / 5 : java-1.6.0-sun (RHSA-2009:1200) | Nessus | Red Hat Local Security Checks | critical |
| 40748 | RHEL 4 / 5 : java-1.5.0-sun (RHSA-2009:1199) | Nessus | Red Hat Local Security Checks | critical |
| 40694 | Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2009:209) | Nessus | Mandriva Local Security Checks | critical |
| 40547 | Ubuntu 8.10 / 9.04 : openjdk-6 vulnerabilities (USN-814-1) | Nessus | Ubuntu Local Security Checks | critical |
| 40515 | Fedora 10 : java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 (2009-8337) | Nessus | Fedora Local Security Checks | critical |
| 40510 | RHEL 5 : java-1.6.0-openjdk (RHSA-2009:1201) | Nessus | Red Hat Local Security Checks | critical |
| 40507 | Fedora 11 : java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 (2009-8329) | Nessus | Fedora Local Security Checks | critical |
| 40495 | Sun Java JRE Multiple Vulnerabilities (263408 / 263409 / 263428 ..) | Nessus | Windows | high |
| 35421 | Solaris 9 (x86) : 128641-30 | Nessus | Solaris Local Security Checks | medium |
| 35419 | Solaris 9 (sparc) : 128640-30 | Nessus | Solaris Local Security Checks | medium |
| 35415 | Solaris 10 (x86) : 128641-30 (deprecated) | Nessus | Solaris Local Security Checks | medium |
| 35409 | Solaris 10 (sparc) : 128640-30 (deprecated) | Nessus | Solaris Local Security Checks | medium |
| 27509 | Solaris 8 (sparc) : 124672-20 | Nessus | Solaris Local Security Checks | medium |
| 27099 | Solaris 9 (x86) : 124673-20 | Nessus | Solaris Local Security Checks | medium |
| 27092 | Solaris 9 (sparc) : 124672-20 | Nessus | Solaris Local Security Checks | medium |
| 27077 | Solaris 10 (x86) : 124673-20 (deprecated) | Nessus | Solaris Local Security Checks | medium |
| 27072 | Solaris 10 (sparc) : 124672-20 (deprecated) | Nessus | Solaris Local Security Checks | medium |
| 27020 | Solaris 9 (sparc) : 125136-97 | Nessus | Solaris Local Security Checks | critical |
| 27008 | Solaris 8 (sparc) : 125136-97 | Nessus | Solaris Local Security Checks | critical |
| 26984 | Solaris 10 (sparc) : 125136-97 (deprecated) | Nessus | Solaris Local Security Checks | critical |
| 23610 | Solaris 9 (x86) : 119167-43 | Nessus | Solaris Local Security Checks | high |
| 23552 | Solaris 9 (sparc) : 119166-43 | Nessus | Solaris Local Security Checks | high |
| 23413 | Solaris 8 (sparc) : 119166-43 | Nessus | Solaris Local Security Checks | high |
| 22988 | Solaris 10 (x86) : 119167-43 (deprecated) | Nessus | Solaris Local Security Checks | high |
| 22955 | Solaris 10 (sparc) : 119166-43 (deprecated) | Nessus | Solaris Local Security Checks | high |