Bug 512921 (CVE-2009-2625)

Summary: CVE-2009-2625 xerces-j2, JDK: XML parsing Denial-Of-Service (6845701)
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acathrow, andreas.bierfert, aph, atkac, bazulay, bressers, cpelland, dbhole, dyasny, fnasser, iheim, jlieskov, jorton, kreilly, lkundrak, mitr, mjc, mmcallis, ovasik, pcheung, Rhev-m-bugs, rrakus, rruss, security-response-team, vdanen, ykaul, ylavi, zdover
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, a denial-of-service flaw was found in the way Java parsed XML: a crafted XML header could send the parser into an infinite loop that consumed all available CPU. With this update the parser has been patched, and Java is no longer vulnerable to this infinite-loop denial of service triggered through XML headers.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-22 21:33:19 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 513391, 513392, 515679, 515680, 515682, 515683, 521225, 521226, 522764, 522765, 522766, 526017, 526018, 526815, 526816, 529660, 529661, 540443, 690926, 690931, 690932, 751500, 751501, 795942, 850657, 850658
Bug Blocks: 734571, 824237

Comment 2 Marc Schoenefeld 2009-08-06 14:22:34 UTC
A denial of service flaw was found in the way the JRE processes XML. A
remote attacker could use this flaw to supply crafted XML that would lead
to a denial of service.

http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1
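
The flaw class Comment 2 describes, a parser driven into an infinite loop by crafted input (the expat variant tracked later in this bug as CVE-2009-3720 is the same class), cannot be caught at the call site: once the parser is spinning, the calling thread never gets control back. What a service can do is bound the blast radius. The following is an added example, not code from this bug report, the JDK or Xerces: it runs the parse of untrusted XML in a forked child under a hard CPU limit and a wall-clock deadline, so a parser hang costs one disposable process rather than the service. It assumes a POSIX system (os.fork, RLIMIT_CPU) and uses Python's bundled expat binding as the parser; `hang_forever` is a constructed stand-in for a stuck parser, not the real trigger, which this page does not give.

```python
"""Isolate the parsing of untrusted XML in a disposable child process.

Added example, not code from the bug report or from Xerces/expat. POSIX
only (os.fork, RLIMIT_CPU). Python's bundled expat binding stands in for
the parser; hang_forever is a constructed stand-in for a parser loop, not
the real CVE-2009-2625 trigger, which this page does not give.
"""
import json
import os
import resource
import select
import signal
import xml.parsers.expat


def count_elements(data: bytes) -> int:
    """Parse XML with expat and return the number of start tags seen."""
    parser = xml.parsers.expat.ParserCreate()
    seen = [0]

    def on_start(name, attrs):
        seen[0] += 1

    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # raises ExpatError on malformed input
    return seen[0]


def hang_forever(data: bytes) -> int:
    """Constructed stand-in for a parser stuck in an infinite loop."""
    while True:
        pass


def parse_isolated(data, work=count_elements, wall_seconds=3.0, cpu_seconds=1):
    """Run work(data) in a forked child bounded by CPU time and wall time.

    Returns a dict whose "status" is one of:
      "ok"      - work returned; "value" holds its result
      "error"   - work raised; "error" holds the exception text
      "killed"  - the child died (SIGXCPU/SIGKILL after cpu_seconds of CPU)
      "timeout" - no answer within wall_seconds; the child was SIGKILLed
    """
    rfd, wfd = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: parse, report over the pipe, never return
        os.close(rfd)
        try:
            # Hard CPU budget: an infinite loop gets a signal from the
            # kernel instead of pinning a core in the serving process.
            # Clamp to the inherited hard limit, which cannot be raised.
            _, hard = resource.getrlimit(resource.RLIMIT_CPU)
            budget = cpu_seconds if hard == resource.RLIM_INFINITY else min(cpu_seconds, hard)
            resource.setrlimit(resource.RLIMIT_CPU, (budget, budget))
            payload = {"ok": True, "value": work(data)}
        except Exception as exc:  # report, do not propagate into the parent
            payload = {"ok": False, "error": f"{type(exc).__name__}: {exc}"}
        try:
            os.write(wfd, json.dumps(payload).encode())
        finally:
            os._exit(0)

    # parent
    os.close(wfd)
    try:
        ready, _, _ = select.select([rfd], [], [], wall_seconds)
        if not ready:
            os.kill(pid, signal.SIGKILL)
            os.waitpid(pid, 0)
            return {"status": "timeout"}
        chunks = []
        while True:  # read to EOF; the child's end closes when it exits
            chunk = os.read(rfd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
    finally:
        os.close(rfd)
    _, wait_status = os.waitpid(pid, 0)
    raw = b"".join(chunks)
    if not raw:  # the child died before it could answer
        sig = os.WTERMSIG(wait_status) if os.WIFSIGNALED(wait_status) else None
        return {"status": "killed", "signal": sig}
    payload = json.loads(raw)
    if payload["ok"]:
        return {"status": "ok", "value": payload["value"]}
    return {"status": "error", "error": payload["error"]}


# Constructed sample inputs, not taken from the bug report.
GOOD_XML = b'<?xml version="1.0"?><doc><item id="1"/><item id="2"/></doc>'
BAD_XML = b"<doc><item></doc>"

if __name__ == "__main__":
    print(parse_isolated(GOOD_XML))                      # status ok, value 3
    print(parse_isolated(BAD_XML))                       # status error (ExpatError)
    print(parse_isolated(GOOD_XML, work=hang_forever))   # status killed (or timeout)
```

Because the CPU budget is an rlimit on the child, it also stops loops inside C code that never returns to the interpreter, which a thread-based timeout in the same process cannot do; the wall-clock deadline is the backstop for a child that blocks without consuming CPU. On a heavily loaded machine the hung child may hit the wall deadline before it has used one second of CPU, so callers should treat "killed" and "timeout" alike.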

Comment 3 errata-xmlrpc 2009-08-06 20:38:17 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1199 https://rhn.redhat.com/errata/RHSA-2009-1199.html

Comment 4 errata-xmlrpc 2009-08-06 20:42:10 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1200 https://rhn.redhat.com/errata/RHSA-2009-1200.html

Comment 5 errata-xmlrpc 2009-08-06 21:15:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1201 https://rhn.redhat.com/errata/RHSA-2009-1201.html

Comment 6 Fedora Update System 2009-08-07 04:59:11 UTC
java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-08-07 05:01:56 UTC
java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
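
To check whether a Fedora host carries the fixed builds named in Comments 6 and 7, the installed name-version-release has to be compared the way rpm does it, not as a plain string (a plain string comparison would rank release 9 above release 27). The following is an added example, not code from the bug report or from rpm: it reimplements the rpmvercmp segment algorithm in Python and applies it to NVR strings. The two fixed builds are the ones from the comments above; the installed NVRs fed to it are constructed, and the dist-tag regex is an assumption that covers Fedora builds only.

```python
"""Decide whether an installed RPM build is at or past the fixed build.

Added example, not code from the bug report or from rpm. The comparison
follows the rpmvercmp algorithm: split into digit and alpha segments,
compare digit segments numerically, alpha segments lexically, a digit
segment beats an alpha segment, '~' sorts before everything (including
end of string) and '^' sorts after the bare version.
"""
import re

# Fixed builds per dist tag, from the Fedora Update System comments above.
FIXED_BUILDS = {
    "fc11": "java-1.6.0-openjdk-1.6.0.0-27.b16.fc11",
    "fc10": "java-1.6.0-openjdk-1.6.0.0-20.b16.fc10",
}


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 comparing two RPM version (or release) strings."""
    if a == b:
        return 0
    i = j = 0
    la, lb = len(a), len(b)
    while i < la or j < lb:
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < la and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < lb and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < la else ""
        cb = b[j] if j < lb else ""
        if ca == "~" or cb == "~":  # tilde: pre-release, sorts lowest
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i += 1
            j += 1
            continue
        if ca == "^" or cb == "^":  # caret: post-release, bare version is lower
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i += 1
            j += 1
            continue
        if not (ca and cb):
            break
        si, sj = i, j
        isnum = ca.isdigit()
        kind = str.isdigit if isnum else str.isalpha
        while i < la and kind(a[i]):
            i += 1
        while j < lb and kind(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:  # segment types differ: numbers are newer than letters
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= la and j >= lb:
        return 0
    return -1 if i >= la else 1  # whichever still has segments left wins


def split_nvr(nvr: str):
    """Split name-version-release; the name may itself contain dashes."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = "0"
    if ":" in version:  # accept an 'epoch:version' field as rpm prints it
        epoch, version = version.split(":", 1)
    return name, int(epoch), version, release


def compare_builds(installed_nvr: str, reference_nvr: str) -> int:
    n1, e1, v1, r1 = split_nvr(installed_nvr)
    n2, e2, v2, r2 = split_nvr(reference_nvr)
    if n1 != n2:
        raise ValueError(f"different packages: {n1} vs {n2}")
    if e1 != e2:
        return 1 if e1 > e2 else -1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)


def is_fixed(installed_nvr: str, fixed_nvr: str) -> bool:
    return compare_builds(installed_nvr, fixed_nvr) >= 0


def check_fedora_host(installed_nvr: str):
    """Compare against the fixed build of the host's own dist tag.

    fc10 and fc11 are separate build streams, so the reference build is
    chosen from the installed release's dist tag; unknown tags give None.
    """
    _, _, _, release = split_nvr(installed_nvr)
    m = re.search(r"\.(fc\d+)$", release)  # assumption: Fedora dist tags only
    if not m or m.group(1) not in FIXED_BUILDS:
        return None
    return is_fixed(installed_nvr, FIXED_BUILDS[m.group(1)])


if __name__ == "__main__":
    # Constructed input, as `rpm -q java-1.6.0-openjdk` would print it.
    for nvr in ("java-1.6.0-openjdk-1.6.0.0-25.b16.fc11",
                "java-1.6.0-openjdk-1.6.0.0-27.b16.fc11"):
        print(nvr, "fixed" if check_fedora_host(nvr) else "VULNERABLE")
```

The epoch handling matters in practice: `rpm -q` omits the epoch by default, so query with `--qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}'` if a rebuild has bumped it, otherwise a lower version with a higher epoch would be misjudged.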

Comment 8 errata-xmlrpc 2009-08-28 08:57:44 UTC
This issue has been addressed in the following products:

  Extras for Red Hat Enterprise Linux 5
  Extras for RHEL 4

Via RHSA-2009:1236 https://rhn.redhat.com/errata/RHSA-2009-1236.html

Comment 14 errata-xmlrpc 2009-10-14 16:08:12 UTC
This issue has been addressed in the following products:

  Extras for RHEL 3
  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1505 https://rhn.redhat.com/errata/RHSA-2009-1505.html

Comment 16 Jan Lieskovsky 2009-10-22 11:16:52 UTC
This flaw is also present in expat, the C XML parsing library written by James Clark.

References:
-----------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551936
https://bugs.gentoo.org/show_bug.cgi?id=280615

Upstream bug report:
--------------------
https://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127 (not accessible for me)

Upstream patch:
---------------
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch

Upstream log:
-------------
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 17 Jan Lieskovsky 2009-10-22 11:19:09 UTC
This issue affects the versions of the expat package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the expat package, as shipped
with Fedora releases 10 and 11 (expat-2.0.1-5, expat-2.0.1-6)
and as scheduled to appear in the Fedora 12 release (expat-2.0.1-7).

Please fix.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 23 Jan Lieskovsky 2009-10-22 12:19:01 UTC
This issue does NOT affect the versions of the w3c-libwww package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue does NOT affect the versions of the w3c-libwww package,
as shipped with Fedora releases 10 and 11, and as scheduled to
appear in Fedora 12 (Fedora's w3c-libwww uses the system expat library,
so once expat is updated, w3c-libwww in Fedora is also safe).

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 25 Jan Lieskovsky 2009-10-22 12:46:19 UTC
This issue does NOT affect the version of the PyXML package, as shipped
with Red Hat Enterprise Linux 3.

This issue affects the versions of the PyXML package, as shipped
with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the PyXML package, as shipped
with Fedora releases 10 and 11, and as scheduled to appear in
Fedora 12.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 28 Jan Lieskovsky 2009-10-22 14:13:47 UTC
This issue affects the versions of the 4Suite package, as shipped 
with Red Hat Enterprise Linux 3 and 4.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 32 Jan Lieskovsky 2009-10-22 14:59:05 UTC
This issue does NOT affect the versions of the vnc package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

This issue does NOT affect the versions of the vnc package, as shipped
with Fedora releases 10 and 11.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 34 errata-xmlrpc 2009-11-04 15:14:28 UTC
This issue has been addressed in the following products:

  RHEL 4 for SAP
  RHEL 5 for SAP

Via RHSA-2009:1551 https://rhn.redhat.com/errata/RHSA-2009-1551.html

Comment 35 errata-xmlrpc 2009-11-12 18:15:35 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1582 https://rhn.redhat.com/errata/RHSA-2009-1582.html

Comment 37 errata-xmlrpc 2009-11-30 15:19:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1615 https://rhn.redhat.com/errata/RHSA-2009-1615.html

Comment 38 errata-xmlrpc 2009-12-09 23:14:15 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html

Comment 39 errata-xmlrpc 2009-12-09 23:32:28 UTC
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html

Comment 40 errata-xmlrpc 2009-12-09 23:51:59 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html

Comment 41 errata-xmlrpc 2009-12-10 00:03:59 UTC
This issue has been addressed in the following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html

Comment 42 errata-xmlrpc 2009-12-11 13:43:41 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.1

Via RHSA-2009:1662 https://rhn.redhat.com/errata/RHSA-2009-1662.html

Comment 43 errata-xmlrpc 2010-01-14 16:32:55 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.3

Via RHSA-2010:0043 https://rhn.redhat.com/errata/RHSA-2010-0043.html

Comment 44 Vincent Danen 2011-03-25 20:15:04 UTC
This has never been fixed in Fedora.  The upstream patch for this is here:

http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&view=patch

Looks like 2.10.0 fixed this upstream, according to the changelog:

http://xerces.apache.org/xerces2-j/releases.html

Comment 45 Vincent Danen 2011-03-25 20:18:28 UTC
Created xerces-j2 tracking bugs for this issue

Affects: fedora-all [bug 690926]

Comment 47 errata-xmlrpc 2011-06-08 14:42:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0858 https://rhn.redhat.com/errata/RHSA-2011-0858.html

Comment 48 Vincent Danen 2011-11-04 22:14:08 UTC
Created centerim tracking bugs for this issue

Affects: fedora-14 [bug 751500]
Affects: epel-5 [bug 751501]

Comment 49 Vincent Danen 2011-11-04 22:15:43 UTC
According to http://www.centerim.org/index.php/Main_Page, centerim 4.22.10 fixes this flaw.  Current EPEL6 and >=F15 have this version already, so only F14 and EPEL5 are vulnerable.

Comment 51 errata-xmlrpc 2012-06-12 23:27:36 UTC
This issue has been addressed in the following products:

  JBoss Operations Network 3.1.0

Via RHSA-2012:0725 https://rhn.redhat.com/errata/RHSA-2012-0725.html

Comment 55 errata-xmlrpc 2012-09-05 16:26:43 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html

Comment 57 errata-xmlrpc 2012-12-04 19:24:30 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.x

Via RHSA-2012:1537 https://rhn.redhat.com/errata/RHSA-2012-1537.html

Comment 58 errata-xmlrpc 2013-04-22 21:27:08 UTC
This issue has been addressed in the following products:

  JBoss Web Framework Kit 2.2.0

Via RHSA-2013:0763 https://rhn.redhat.com/errata/RHSA-2013-0763.html