Bug 512921 - (CVE-2009-2625) CVE-2009-2625 xerces-j2, JDK: XML parsing Denial-Of-Service (6845701)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20090805,repor...
Keywords: Security
Depends On: 751501 513391 513392 515679 515680 515682 515683 521225 521226 522764 522765 522766 526017 526018 526815 526816 529660 529661 540443 690926 690931 690932 751500 795942 850657 850658
Blocks: 734571 824237
Reported: 2009-07-21 07:05 EDT by Marc Schoenefeld
Modified: 2015-11-24 09:37 EST
Doc Type: Bug Fix
Doc Text:
Previously, a denial-of-service flaw was found in Java which allowed the creation of an infinite loop in XML headers that would consume all CPU resources. This issue was patched and Java is no longer vulnerable to a denial-of-service flaw due to the initiation of an infinite loop by means of XML headers.
Last Closed: 2013-04-22 17:33:19 EDT
External Trackers
Tracker: Sun Bug Database, ID: 6845701, Priority: None, Status: None, Summary: None, Last Updated: Never

Comment 2 Marc Schoenefeld 2009-08-06 10:22:34 EDT
A denial of service flaw was found in the way the JRE processes XML. A
remote attacker could use this flaw to supply crafted XML that would lead
to a denial of service.

http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1
Comment 3 errata-xmlrpc 2009-08-06 16:38:17 EDT
This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1199 https://rhn.redhat.com/errata/RHSA-2009-1199.html
Comment 4 errata-xmlrpc 2009-08-06 16:42:10 EDT
This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1200 https://rhn.redhat.com/errata/RHSA-2009-1200.html
Comment 5 errata-xmlrpc 2009-08-06 17:15:00 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1201 https://rhn.redhat.com/errata/RHSA-2009-1201.html
Comment 6 Fedora Update System 2009-08-07 00:59:11 EDT
java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2009-08-07 01:01:56 EDT
java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 errata-xmlrpc 2009-08-28 04:57:44 EDT
This issue has been addressed in following products:

  Extras for Red Hat Enterprise Linux 5
  Extras for RHEL 4

Via RHSA-2009:1236 https://rhn.redhat.com/errata/RHSA-2009-1236.html
Comment 14 errata-xmlrpc 2009-10-14 12:08:12 EDT
This issue has been addressed in following products:

  Extras for RHEL 3
  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1505 https://rhn.redhat.com/errata/RHSA-2009-1505.html
Comment 16 Jan Lieskovsky 2009-10-22 07:16:52 EDT
This flaw is present also in expat, the C library for parsing XML, written by James Clark.

References:
-----------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551936
https://bugs.gentoo.org/show_bug.cgi?id=280615

Upstream bug report:
--------------------
https://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127 (not accessible for me)

Upstream patch:
---------------
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch

Upstream log:
-------------
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
Comment 17 Jan Lieskovsky 2009-10-22 07:19:09 EDT
This issue affects the versions of expat package, as shipped 
with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of expat package, as shipped
with Fedora releases of 10 and 11 (expat-2.0.1-5, expat-2.0.1-6)
and as scheduled to appear in Fedora 12 release (expat-2.0.1-7).

Please fix.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
Comment 23 Jan Lieskovsky 2009-10-22 08:19:01 EDT
This issue does NOT affect the versions of the w3c-libwww package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue does NOT affect the versions of the w3c-libwww package,
as shipped with Fedora releases of 10, 11, and as scheduled to
appear in Fedora 12 (Fedora's w3c-libwww uses system expat library,
so once the issue is updated in expat, w3c-libwww in Fedora is
also safe).

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
Comment 25 Jan Lieskovsky 2009-10-22 08:46:19 EDT
This issue does NOT affect the version of the PyXML package, as shipped
with Red Hat Enterprise Linux 3.

This issue affects the versions of the PyXML package, as shipped
with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the PyXML package, as shipped
with Fedora release of 10, 11, and as scheduled to appear in
Fedora 12.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
Comment 28 Jan Lieskovsky 2009-10-22 10:13:47 EDT
This issue affects the versions of the 4Suite package, as shipped 
with Red Hat Enterprise Linux 3 and 4.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
Comment 32 Jan Lieskovsky 2009-10-22 10:59:05 EDT
This issue does NOT affect the versions of the vnc package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

This issue does NOT affect the versions of the vnc package, as shipped
with Fedora releases of 10 and 11.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
Comment 34 errata-xmlrpc 2009-11-04 10:14:28 EST
This issue has been addressed in following products:

  RHEL 4 for SAP
  RHEL 5 for SAP

Via RHSA-2009:1551 https://rhn.redhat.com/errata/RHSA-2009-1551.html
Comment 35 errata-xmlrpc 2009-11-12 13:15:35 EST
This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1582 https://rhn.redhat.com/errata/RHSA-2009-1582.html
Comment 37 errata-xmlrpc 2009-11-30 10:19:00 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1615 https://rhn.redhat.com/errata/RHSA-2009-1615.html
Comment 38 errata-xmlrpc 2009-12-09 18:14:15 EST
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html
Comment 39 errata-xmlrpc 2009-12-09 18:32:28 EST
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html
Comment 40 errata-xmlrpc 2009-12-09 18:51:59 EST
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html
Comment 41 errata-xmlrpc 2009-12-09 19:03:59 EST
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html
Comment 42 errata-xmlrpc 2009-12-11 08:43:41 EST
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.1

Via RHSA-2009:1662 https://rhn.redhat.com/errata/RHSA-2009-1662.html
Comment 43 errata-xmlrpc 2010-01-14 11:32:55 EST
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.3

Via RHSA-2010:0043 https://rhn.redhat.com/errata/RHSA-2010-0043.html
Comment 44 Vincent Danen 2011-03-25 16:15:04 EDT
This has never been fixed in Fedora.  The upstream patch for this is here:

http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&view=patch

Looks like 2.10.0 fixed this upstream, according to the changelog:

http://xerces.apache.org/xerces2-j/releases.html
Comment 45 Vincent Danen 2011-03-25 16:18:28 EDT
Created xerces-j2 tracking bugs for this issue

Affects: fedora-all [bug 690926]
Comment 47 errata-xmlrpc 2011-06-08 10:42:32 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0858 https://rhn.redhat.com/errata/RHSA-2011-0858.html
Comment 48 Vincent Danen 2011-11-04 18:14:08 EDT
Created centerim tracking bugs for this issue

Affects: fedora-14 [bug 751500]
Affects: epel-5 [bug 751501]
Comment 49 Vincent Danen 2011-11-04 18:15:43 EDT
According to http://www.centerim.org/index.php/Main_Page, centerim 4.22.10 fixes this flaw.  Current EPEL6 and >=F15 have this version already, so only F14 and EPEL5 are vulnerable.
Comment 51 errata-xmlrpc 2012-06-12 19:27:36 EDT
This issue has been addressed in following products:

JBoss Operations Network 3.1.0

Via RHSA-2012:0725 https://rhn.redhat.com/errata/RHSA-2012-0725.html
Comment 55 errata-xmlrpc 2012-09-05 12:26:43 EDT
This issue has been addressed in following products:

JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html
Comment 57 errata-xmlrpc 2012-12-04 14:24:30 EST
This issue has been addressed in following products:

  RHEV Manager version 3.x

Via RHSA-2012:1537 https://rhn.redhat.com/errata/RHSA-2012-1537.html
Comment 58 errata-xmlrpc 2013-04-22 17:27:08 EDT
This issue has been addressed in following products:

  JBoss Web Framework Kit 2.2.0

Via RHSA-2013:0763 https://rhn.redhat.com/errata/RHSA-2013-0763.html
