Bug 497161 (CVE-2009-1190)
| Summary: | CVE-2009-1190 Spring Framework Remote Denial of Service vulnerability | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marc Schoenefeld <mschoene> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | djorm, dwalluck, fnasser, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-05-27 04:16:37 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Marc Schoenefeld
2009-04-22 15:25:05 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1190 to the following vulnerability:

Name: CVE-2009-1190
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1190
Assigned: 20090331
Reference: BUGTRAQ:20090424 CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/502926/100/0/threaded
Reference: MISC: http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
Reference: CONFIRM: http://www.springsource.com/securityadvisory
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=497161
Reference: SECUNIA:34892
Reference: URL: http://secunia.com/advisories/34892
Reference: XF:springframework-data-dos(50083)
Reference: URL: http://xforce.iss.net/xforce/xfdb/50083

Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.

Statement: This flaw affected JBoss Enterprise BRMS Platform 5.1.0 when run on Sun JDK 1.5.x. It was resolved in JBoss Enterprise BRMS Platform 5.2.0, both by updating spring and by dropping support for Sun JDK 1.5.x.
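The description above identifies the risky operation as handing an untrusted, attacker-length regex string to Pattern.compile. Beyond the vendor fixes (updating Spring, moving off JDK 1.5), the general defensive pattern is to treat a regex that arrives in serialized or otherwise external data as input to be validated before it is compiled. The following is an added example, not code from the bug report, from Spring or from Red Hat; the class name RegexInputGuard, the method names and the numeric limits are all assumptions chosen for illustration, and the rejection test input is constructed.

```java
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/**
 * Added example (hypothetical helper, not part of Spring or of this bug):
 * bound the size and group structure of an untrusted regex string before
 * calling Pattern.compile, so compile cost stays predictable.
 * The limits passed by callers are illustrative; tune them to the patterns
 * the application legitimately expects.
 */
public final class RegexInputGuard {

    private RegexInputGuard() {}

    /** Rough count of '(' that open a group, skipping escaped characters and character classes. */
    static int countGroups(String regex) {
        int groups = 0;
        boolean inClass = false;
        for (int i = 0; i < regex.length(); i++) {
            char c = regex.charAt(i);
            if (c == '\\') {          // skip whatever the backslash escapes
                i++;
                continue;
            }
            if (inClass) {
                if (c == ']') inClass = false;
                continue;
            }
            if (c == '[') inClass = true;
            else if (c == '(') groups++;
        }
        return groups;
    }

    /** Rough count of groups directly followed by a quantifier (?, *, +, {n,m}), i.e. optional or repeated groups. */
    static int countQuantifiedGroups(String regex) {
        int count = 0;
        for (int i = 0; i + 1 < regex.length(); i++) {
            boolean closesGroup = regex.charAt(i) == ')' && (i == 0 || regex.charAt(i - 1) != '\\');
            if (closesGroup) {
                char next = regex.charAt(i + 1);
                if (next == '?' || next == '*' || next == '+' || next == '{') count++;
            }
        }
        return count;
    }

    /**
     * Compile only when the pattern stays within the configured limits.
     * Returns null when the pattern is rejected or does not parse, so the
     * caller treats rejection as an input-validation failure rather than
     * letting the raw string reach Pattern.compile.
     */
    static Pattern compileBounded(String regex, int maxLength, int maxGroups, int maxQuantifiedGroups) {
        if (regex == null || regex.length() > maxLength) return null;
        if (countGroups(regex) > maxGroups) return null;
        if (countQuantifiedGroups(regex) > maxQuantifiedGroups) return null;
        try {
            return Pattern.compile(regex);
        } catch (PatternSyntaxException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a small legitimate pattern, and one whose
        // group count exceeds the budget and is therefore never compiled.
        String legitimate = "^[a-z]+(-[a-z]+)?$";
        StringBuilder overBudget = new StringBuilder();
        for (int i = 0; i < 200; i++) overBudget.append("(a)?");

        System.out.println("legitimate accepted: " + (compileBounded(legitimate, 256, 16, 8) != null));
        System.out.println("over-budget rejected: " + (compileBounded(overBudget.toString(), 256, 16, 8) == null));
    }
}
```

The counters are deliberately approximate (they do not fully parse the regex grammar); their job is to cap the work Pattern.compile is asked to do, not to judge the pattern's semantics. The length check alone already removes the "long regex string" precondition named in the CVE text, and the group budgets give a second, independent bound. Where the regex does not need to be user-controlled at all, the stronger fix is to stop deserializing it from external data in the first place.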