Bug 512921 (CVE-2009-2625) - CVE-2009-2625 xerces-j2, JDK: XML parsing Denial-Of-Service (6845701)
Summary: CVE-2009-2625 xerces-j2, JDK: XML parsing Denial-Of-Service (6845701)
Status: CLOSED ERRATA
Alias: CVE-2009-2625
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20090805,repor...
Keywords: Security
Depends On: 513391 513392 515679 515680 515682 515683 521225 521226 522764 522765 522766 526017 526018 526815 526816 529660 529661 540443 690926 690931 690932 751500 751501 795942 850657 850658
Blocks: 734571 824237
TreeView+ depends on / blocked
 
Reported: 2009-07-21 11:05 UTC by Marc Schoenefeld
Modified: 2019-06-08 12:47 UTC (History)
28 users (show)

(edit)
Previously, a denial-of-service flaw was found in Java which allowed the creation of an inifinte loop in XML headers that would consume all CPU resources. This issue was patched and Java is no longer vulnerable to a denial-of-service flaw due to the initiation of an infinte loop by means of XML headers.
Clone Of:
(edit)
Last Closed: 2013-04-22 21:33:19 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1199 normal SHIPPED_LIVE Critical: java-1.5.0-sun security update 2009-08-06 20:38:05 UTC
Sun Bug Database 6845701 None None None Never
Red Hat Product Errata RHSA-2009:1200 normal SHIPPED_LIVE Critical: java-1.6.0-sun security update 2009-08-06 20:41:36 UTC
Red Hat Product Errata RHSA-2009:1201 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security and bug fix update 2009-08-06 21:14:44 UTC
Red Hat Product Errata RHSA-2009:1236 normal SHIPPED_LIVE Critical: java-1.5.0-ibm security update 2009-08-28 08:57:25 UTC
Red Hat Product Errata RHSA-2009:1505 normal SHIPPED_LIVE Moderate: java-1.4.2-ibm security update 2009-10-14 16:08:08 UTC
Red Hat Product Errata RHSA-2009:1551 normal SHIPPED_LIVE Moderate: java-1.4.2-ibm security update 2009-11-04 15:14:26 UTC
Red Hat Product Errata RHSA-2009:1582 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2009-11-12 18:15:19 UTC
Red Hat Product Errata RHSA-2009:1615 normal SHIPPED_LIVE Moderate: xerces-j2 security update 2009-11-30 15:18:57 UTC
Red Hat Product Errata RHSA-2009:1636 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.3.0.CP07 update 2009-12-09 23:14:02 UTC
Red Hat Product Errata RHSA-2009:1637 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.2.0.CP08 update 2009-12-09 23:32:14 UTC
Red Hat Product Errata RHSA-2009:1649 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.3.0.CP07 update 2009-12-09 23:51:47 UTC
Red Hat Product Errata RHSA-2009:1650 normal SHIPPED_LIVE Moderate: JBoss Enterprise Application Platform 4.2.0.CP08 update 2009-12-10 00:03:48 UTC
Red Hat Product Errata RHSA-2009:1662 normal SHIPPED_LIVE Low: Red Hat Network Satellite Server Sun Java Runtime security update 2009-12-11 13:42:50 UTC
Red Hat Product Errata RHSA-2010:0043 normal SHIPPED_LIVE Low: Red Hat Network Satellite Server IBM Java Runtime security update 2010-01-14 16:32:02 UTC
Red Hat Product Errata RHSA-2011:0858 normal SHIPPED_LIVE Moderate: xerces-j2 security update 2011-06-08 14:42:25 UTC
Red Hat Product Errata RHSA-2012:0725 normal SHIPPED_LIVE Moderate: JBoss Operations Network 3.1.0 update 2012-06-13 03:26:53 UTC
Red Hat Product Errata RHSA-2012:1232 normal SHIPPED_LIVE Important: JBoss Enterprise Portal Platform 5.2.2 update 2012-09-05 20:25:36 UTC
Red Hat Product Errata RHSA-2012:1537 normal SHIPPED_LIVE Moderate: jasperreports-server-pro security and bug fix update 2012-12-05 00:08:54 UTC
Red Hat Product Errata RHSA-2013:0763 normal SHIPPED_LIVE Moderate: JBoss Web Framework Kit 2.2.0 update 2013-04-23 01:25:28 UTC

Comment 2 Marc Schoenefeld 2009-08-06 14:22:34 UTC
A denial of service flaw was found in the way the JRE processes XML. A
remote attacker could use this flaw to supply crafted XML that would lead
to a denial of service.

http://sunsolve.sun.com/search/document.do?assetkey=1-21-118667-22-1

Comment 3 errata-xmlrpc 2009-08-06 20:38:17 UTC
This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1199 https://rhn.redhat.com/errata/RHSA-2009-1199.html

Comment 4 errata-xmlrpc 2009-08-06 20:42:10 UTC
This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1200 https://rhn.redhat.com/errata/RHSA-2009-1200.html

Comment 5 errata-xmlrpc 2009-08-06 21:15:00 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1201 https://rhn.redhat.com/errata/RHSA-2009-1201.html

Comment 6 Fedora Update System 2009-08-07 04:59:11 UTC
java-1.6.0-openjdk-1.6.0.0-27.b16.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2009-08-07 05:01:56 UTC
java-1.6.0-openjdk-1.6.0.0-20.b16.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 errata-xmlrpc 2009-08-28 08:57:44 UTC
This issue has been addressed in following products:

  Extras for Red Hat Enterprise Linux 5
  Extras for RHEL 4

Via RHSA-2009:1236 https://rhn.redhat.com/errata/RHSA-2009-1236.html

Comment 14 errata-xmlrpc 2009-10-14 16:08:12 UTC
This issue has been addressed in following products:

  Extras for RHEL 3
  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1505 https://rhn.redhat.com/errata/RHSA-2009-1505.html

Comment 16 Jan Lieskovsky 2009-10-22 11:16:52 UTC
This flaw is present also in expat, the C library for parsing XML, written by James Clark.

References:
-----------
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=551936
https://bugs.gentoo.org/show_bug.cgi?id=280615

Upstream bug report:
--------------------
https://sourceforge.net/tracker/?func=detail&aid=1990430&group_id=10127&atid=110127 (not accessible for me)

Upstream patch:
---------------
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?r1=1.13&r2=1.15&view=patch

Upstream log:
-------------
http://expat.cvs.sourceforge.net/viewvc/expat/expat/lib/xmltok_impl.c?view=log

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 17 Jan Lieskovsky 2009-10-22 11:19:09 UTC
This issue affects the versions of expat package, as shipped 
with Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of expat package, as shipped
with Fedora releases of 10 and 11 (expat-2.0.1-5, expat-2.0.1-6)
and as scheduled to appear in Fedora 12 release (expat-2.0.1-7).

Please fix.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 23 Jan Lieskovsky 2009-10-22 12:19:01 UTC
This issue does NOT affect the versions of the w3c-libwww package, as shipped
with Red Hat Enterprise Linux 3 and 4.

This issue does NOT affect the versions of the w3c-libwww package,
as shipped with Fedora releases of 10, 11, and as scheduled to
appear in Fedora 12 (Fedora's w3c-libwww uses system expat library,
so once the issue is updated in expat, w3c-libwww in Fedora is
also safe).

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 25 Jan Lieskovsky 2009-10-22 12:46:19 UTC
This issue does NOT affect the version of the PyXML package, as shipped
with Red Hat Enterprise Linux 3.

This issue affects the versions of the PyXML package, as shipped
with Red Hat Enterprise Linux 4 and 5.

This issue affects the versions of the PyXML package, as shipped
with Fedora release of 10, 11, and as scheduled to appear in
Fedora 12.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 28 Jan Lieskovsky 2009-10-22 14:13:47 UTC
This issue affects the versions of the 4Suite package, as shipped 
with Red Hat Enterprise Linux 3 and 4.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 32 Jan Lieskovsky 2009-10-22 14:59:05 UTC
This issue does NOT affect the versions of the vnc package, as shipped
with Red Hat Enterprise Linux 3, 4, and 5.

This issue does NOT affect the versions of the vnc package, as shipped
with Fedora releases of 10 and 11.

Note: This is now handled under separate CVE id -- CVE-2009-3720,
for more information please have a look at:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720

Comment 34 errata-xmlrpc 2009-11-04 15:14:28 UTC
This issue has been addressed in following products:

  RHEL 4 for SAP
  RHEL 5 for SAP

Via RHSA-2009:1551 https://rhn.redhat.com/errata/RHSA-2009-1551.html

Comment 35 errata-xmlrpc 2009-11-12 18:15:35 UTC
This issue has been addressed in following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1582 https://rhn.redhat.com/errata/RHSA-2009-1582.html

Comment 37 errata-xmlrpc 2009-11-30 15:19:00 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1615 https://rhn.redhat.com/errata/RHSA-2009-1615.html

Comment 38 errata-xmlrpc 2009-12-09 23:14:15 UTC
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1636 https://rhn.redhat.com/errata/RHSA-2009-1636.html

Comment 39 errata-xmlrpc 2009-12-09 23:32:28 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1637 https://rhn.redhat.com/errata/RHSA-2009-1637.html

Comment 40 errata-xmlrpc 2009-12-09 23:51:59 UTC
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1649 https://rhn.redhat.com/errata/RHSA-2009-1649.html

Comment 41 errata-xmlrpc 2009-12-10 00:03:59 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1650 https://rhn.redhat.com/errata/RHSA-2009-1650.html

Comment 42 errata-xmlrpc 2009-12-11 13:43:41 UTC
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.1

Via RHSA-2009:1662 https://rhn.redhat.com/errata/RHSA-2009-1662.html

Comment 43 errata-xmlrpc 2010-01-14 16:32:55 UTC
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.3

Via RHSA-2010:0043 https://rhn.redhat.com/errata/RHSA-2010-0043.html

Comment 44 Vincent Danen 2011-03-25 20:15:04 UTC
This has never been fixed in Fedora.  The upstream patch for this is here:

http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&view=patch

Looks like 2.10.0 fixed this upstream, according to the changelog:

http://xerces.apache.org/xerces2-j/releases.html

Comment 45 Vincent Danen 2011-03-25 20:18:28 UTC
Created xerces-j2 tracking bugs for this issue

Affects: fedora-all [bug 690926]

Comment 47 errata-xmlrpc 2011-06-08 14:42:32 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0858 https://rhn.redhat.com/errata/RHSA-2011-0858.html

Comment 48 Vincent Danen 2011-11-04 22:14:08 UTC
Created centerim tracking bugs for this issue

Affects: fedora-14 [bug 751500]
Affects: epel-5 [bug 751501]

Comment 49 Vincent Danen 2011-11-04 22:15:43 UTC
According to http://www.centerim.org/index.php/Main_Page, centerim 4.22.10 fixes this flaw.  Current EPEL6 and >=F15 have this version already, so only F14 and EPEL5 are vulnerable.

Comment 51 errata-xmlrpc 2012-06-12 23:27:36 UTC
This issue has been addressed in following products:

JBoss Operations Network 3.1.0

Via RHSA-2012:0725 https://rhn.redhat.com/errata/RHSA-2012-0725.html

Comment 55 errata-xmlrpc 2012-09-05 16:26:43 UTC
This issue has been addressed in following products:

JBoss Enterprise Portal Platform 5.2.2

Via RHSA-2012:1232 https://rhn.redhat.com/errata/RHSA-2012-1232.html

Comment 57 errata-xmlrpc 2012-12-04 19:24:30 UTC
This issue has been addressed in following products:

  RHEV Manager version 3.x

Via RHSA-2012:1537 https://rhn.redhat.com/errata/RHSA-2012-1537.html

Comment 58 errata-xmlrpc 2013-04-22 21:27:08 UTC
This issue has been addressed in following products:

  JBoss Web Framework Kit 2.2.0

Via RHSA-2013:0763 https://rhn.redhat.com/errata/RHSA-2013-0763.html


Note You need to log in before you can comment on or make changes to this bug.