CVE-2009-2625

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:N/I:N/A:P
certccCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 63%
VendorProductVersion
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.5.0
oraclejdk
1.6.0
oraclejdk
1.6.0
oraclejdk
1.6.0
oraclejdk
1.6.0
oraclejdk
1.6.0
oraclejdk
1.6.0
oraclejdk
1.6.0
oraclejdk
1.6.0
oraclejdk
1.6.0
oraclejdk
1.6.0
oraclejdk
1.6.0
oraclejdk
1.6.0
oraclejdk
1.6.0
opensuseopensuse
11.0
opensuseopensuse
11.1
opensuseopensuse
11.2
debiandebian_linux
4.0
debiandebian_linux
5.0
canonicalubuntu_linux
6.06
canonicalubuntu_linux
8.04
canonicalubuntu_linux
8.10
canonicalubuntu_linux
9.04
canonicalubuntu_linux
9.10
oracleprimavera_p6_enterprise_project_portfolio_management
6.1
oracleprimavera_p6_enterprise_project_portfolio_management
6.2.1
oracleprimavera_p6_enterprise_project_portfolio_management
7.0
oracleprimavera_web_services
6.2.1
oracleprimavera_web_services
7.0
oracleprimavera_web_services
7.0:sp1
apachexerces2_java
2.9.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libxerces2-java
bullseye
2.12.1-1
fixed
etch
no-dsa
sid
2.12.2-1
fixed
trixie
2.12.2-1
fixed
bookworm
2.12.2-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
expat
maverick
Fixed 2.0.1-7ubuntu1
released
lucid
Fixed 2.0.1-7ubuntu1
released
karmic
Fixed 2.0.1-4ubuntu1.1
released
jaunty
Fixed 2.0.1-4ubuntu0.9.04.1
released
intrepid
Fixed 2.0.1-4ubuntu0.8.10.1
released
hardy
Fixed 2.0.1-0ubuntu1.1
released
dapper
Fixed 1.95.8-3ubuntu0.1
released
openjdk-6
maverick
not-affected
lucid
not-affected
karmic
not-affected
jaunty
Fixed 6b14-1.4.1-0ubuntu11
released
intrepid
Fixed 6b12-0ubuntu6.5
released
hardy
Fixed 6b18-1.8.2-4ubuntu1~8.04.1
released
dapper
dne
sun-java5
maverick
dne
lucid
dne
karmic
dne
jaunty
ignored
intrepid
ignored
hardy
not-affected
gutsy
ignored
dapper
ignored
sun-java6
maverick
not-affected
lucid
Fixed 6-15-1
released
karmic
Fixed 6-15-1
released
jaunty
Fixed 6.20dlj-0ubuntu1.9.04
released
intrepid
ignored
hardy
Fixed 6.20dlj-0ubuntu1.8.04
released
dapper
dne
References
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://rhn.redhat.com/errata/RHSA-2012-1232.html
http://rhn.redhat.com/errata/RHSA-2012-1537.html
http://secunia.com/advisories/36162
http://secunia.com/advisories/36176
http://secunia.com/advisories/36180
http://secunia.com/advisories/36199
http://secunia.com/advisories/37300
http://secunia.com/advisories/37460
http://secunia.com/advisories/37671
http://secunia.com/advisories/37754
http://secunia.com/advisories/38231
http://secunia.com/advisories/38342
http://secunia.com/advisories/43300
http://secunia.com/advisories/50549
http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=h
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
http://www.codenomicon.com/labs/xml/
http://www.debian.org/security/2010/dsa-1984
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://www.mandriva.com/security/advisories?name=MDVSA-2011:108
http://www.networkworld.com/columnists/2009/080509-xml-flaw.html
http://www.openwall.com/lists/oss-security/2009/09/06/1
http://www.openwall.com/lists/oss-security/2009/10/22/9
http://www.openwall.com/lists/oss-security/2009/10/23/6
http://www.openwall.com/lists/oss-security/2009/10/26/3
http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://www.redhat.com/support/errata/RHSA-2009-1615.html
http://www.redhat.com/support/errata/RHSA-2011-0858.html
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/bid/35958
http://www.securitytracker.com/id?1022680
http://www.ubuntu.com/usn/USN-890-1
http://www.us-cert.gov/cas/techalerts/TA09-294A.html
http://www.us-cert.gov/cas/techalerts/TA10-012A.html
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/2543
http://www.vupen.com/english/advisories/2009/3316
http://www.vupen.com/english/advisories/2011/0359
https://bugzilla.redhat.com/show_bug.cgi?id=512921
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356
https://rhn.redhat.com/errata/RHSA-2009-1199.html
https://rhn.redhat.com/errata/RHSA-2009-1200.html
https://rhn.redhat.com/errata/RHSA-2009-1201.html
https://rhn.redhat.com/errata/RHSA-2009-1636.html
https://rhn.redhat.com/errata/RHSA-2009-1637.html
https://rhn.redhat.com/errata/RHSA-2009-1649.html
https://rhn.redhat.com/errata/RHSA-2009-1650.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html
http://lists.apple.com/archives/security-announce/2009/Sep/msg00000.html
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
http://marc.info/?l=bugtraq&m=125787273209737&w=2
http://rhn.redhat.com/errata/RHSA-2012-1232.html
http://rhn.redhat.com/errata/RHSA-2012-1537.html
http://secunia.com/advisories/36162
http://secunia.com/advisories/36176
http://secunia.com/advisories/36180
http://secunia.com/advisories/36199
http://secunia.com/advisories/37300
http://secunia.com/advisories/37460
http://secunia.com/advisories/37671
http://secunia.com/advisories/37754
http://secunia.com/advisories/38231
http://secunia.com/advisories/38342
http://secunia.com/advisories/43300
http://secunia.com/advisories/50549
http://slackware.com/security/viewer.php?l=slackware-security&y=2011&m=slackware-security.486026
http://sunsolve.sun.com/search/document.do?assetkey=1-21-125136-16-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-272209-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1021506.1-1
http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=572055&r2=787352&pathrev=787353&diff_format=h
http://www.cert.fi/en/reports/2009/vulnerability2009085.html
http://www.codenomicon.com/labs/xml/
http://www.debian.org/security/2010/dsa-1984
http://www.mandriva.com/security/advisories?name=MDVSA-2009:209
http://www.mandriva.com/security/advisories?name=MDVSA-2011:108
http://www.networkworld.com/columnists/2009/080509-xml-flaw.html
http://www.openwall.com/lists/oss-security/2009/09/06/1
http://www.openwall.com/lists/oss-security/2009/10/22/9
http://www.openwall.com/lists/oss-security/2009/10/23/6
http://www.openwall.com/lists/oss-security/2009/10/26/3
http://www.oracle.com/technetwork/topics/security/cpujan2010-084891.html
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://www.redhat.com/support/errata/RHSA-2009-1615.html
http://www.redhat.com/support/errata/RHSA-2011-0858.html
http://www.securityfocus.com/archive/1/507985/100/0/threaded
http://www.securityfocus.com/bid/35958
http://www.securitytracker.com/id?1022680
http://www.ubuntu.com/usn/USN-890-1
http://www.us-cert.gov/cas/techalerts/TA09-294A.html
http://www.us-cert.gov/cas/techalerts/TA10-012A.html
http://www.vmware.com/security/advisories/VMSA-2009-0016.html
http://www.vupen.com/english/advisories/2009/2543
http://www.vupen.com/english/advisories/2009/3316
http://www.vupen.com/english/advisories/2011/0359
https://bugzilla.redhat.com/show_bug.cgi?id=512921
https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8520
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9356
https://rhn.redhat.com/errata/RHSA-2009-1199.html
https://rhn.redhat.com/errata/RHSA-2009-1200.html
https://rhn.redhat.com/errata/RHSA-2009-1201.html
https://rhn.redhat.com/errata/RHSA-2009-1636.html
https://rhn.redhat.com/errata/RHSA-2009-1637.html
https://rhn.redhat.com/errata/RHSA-2009-1649.html
https://rhn.redhat.com/errata/RHSA-2009-1650.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00310.html
https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00325.html