CVE-2009-2625: Medium severity Oracle JDK vulnerability

Published Jul 21, 2009

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Affected Software

133 affected components (fixes available)
redhat/java<1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el3
redhat/java<1.5.0-sun-0:1.5.0.20-1jpp.1.el4
redhat/java<1.6.0-sun-1:1.6.0.15-1jpp.1.el4
redhat/java<1.5.0-ibm-1:1.5.0.10-1jpp.4.el4
redhat/java<1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el4
redhat/java<1.6.0-ibm-1:1.6.0.6-1jpp.3.el4
redhat/glassfish-javamail<0:1.4.2-0jpp.ep1.5.el4
redhat/glassfish-jsf<0:1.2_13-2.1.ep1.el4
redhat/hibernate3<1:3.2.4-1.SP1_CP09.0jpp.ep1.1.el4
redhat/hibernate3-annotations<0:3.3.1-1.11.GA_CP02.ep1.el4
redhat/hibernate3-entitymanager<0:3.3.2-2.5.GA_CP01.ep1.el4
redhat/jacorb<0:2.3.0-1jpp.ep1.9.el4
redhat/jakarta-commons-logging-jboss<0:1.1-9.ep1.el4
redhat/jboss-aop<0:1.5.5-3.CP04.2.ep1.el4
redhat/jbossas<0:4.2.0-5.GA_CP08.5.ep1.el4
redhat/jboss-common<0:1.2.1-0jpp.ep1.3.el4
redhat/jboss-remoting<0:2.2.3-3.SP1.ep1.el4
redhat/jboss-seam<0:1.2.1-1.ep1.22.el4
redhat/jbossts<1:4.2.3-1.SP5_CP08.1jpp.ep1.1.el4
redhat/jbossweb<0:2.0.0-6.CP12.0jpp.ep1.2.el4
redhat/jcommon<0:1.0.16-1.1.ep1.el4
redhat/jfreechart<0:1.0.13-2.3.1.ep1.el4
redhat/jgroups<1:2.4.7-1.ep1.el4
redhat/quartz<0:1.5.2-1jpp.patch01.ep1.4.el4
redhat/rh-eap-docs<0:4.2.0-6.GA_CP08.ep1.3.el4
redhat/xerces-j2<0:2.7.1-9jpp.4.patch_02.1.ep1.el4
redhat/xml-security<0:1.3.0-1.3.patch01.ep1.2.el4
redhat/glassfish-jsf<0:1.2_13-2.1.ep1.el5
redhat/hibernate3<1:3.2.4-1.SP1_CP09.0jpp.ep1.2.4.el5
redhat/hibernate3-annotations<0:3.3.1-1.11GA_CP02.ep1.el5
redhat/hibernate3-entitymanager<0:3.3.2-2.5.1.ep1.el5
redhat/jacorb<0:2.3.0-1jpp.ep1.9.1.el5
redhat/jboss-aop<0:1.5.5-3.CP04.2.ep1.el5
redhat/jbossas<0:4.2.0-5.GA_CP08.5.2.ep1.el5
redhat/jboss-common<0:1.2.1-0jpp.ep1.3.el5.1
redhat/jboss-remoting<0:2.2.3-3.SP1.ep1.el5
redhat/jboss-seam<0:1.2.1-1.ep1.14.el5
redhat/jbossts<1:4.2.3-1.SP5_CP08.1jpp.ep1.1.el5
redhat/jbossweb<0:2.0.0-6.CP12.0jpp.ep1.2.el5
redhat/jcommon<0:1.0.16-1.1.ep1.el5
redhat/jfreechart<0:1.0.13-2.3.1.ep1.el5
redhat/jgroups<1:2.4.7-1.ep1.el5
redhat/quartz<0:1.5.2-1jpp.patch01.ep1.4.1.el5
redhat/rh-eap-docs<0:4.2.0-6.GA_CP08.ep1.3.el5
redhat/xml-security<0:1.3.0-1.3.patch01.ep1.2.1.el5
redhat/java<1.6.0-openjdk-1:1.6.0.0-1.2.b09.el5
redhat/xerces-j2<0:2.7.1-7jpp.2.el5_4.2
redhat/xerces-j2<0:2.7.1-12.6.el6_0
redhat/glassfish-jaxb<0:2.1.4-1.12.patch03.ep1.el4
redhat/jbossas<0:4.3.0-6.GA_CP07.4.ep1.el4
redhat/jboss-messaging<0:1.4.0-3.SP3_CP09.4.ep1.el4
redhat/jboss-seam<0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.18.el4
redhat/jboss-seam2<0:2.0.2.FP-1.ep1.21.el4
redhat/jbossws<0:2.0.1-4.SP2_CP07.2.ep1.el4
redhat/jbossws-common<0:1.0.0-2.GA_CP05.1.ep1.el4
redhat/jbossws-framework<0:2.0.1-1.GA_CP05.1.ep1.el4
redhat/rh-eap-docs<0:4.3.0-6.GA_CP07.ep1.3.el4
redhat/glassfish-jaxb<0:2.1.4-1.12.patch03.1.ep1.el5
redhat/jbossas<0:4.3.0-6.GA_CP07.4.2.ep1.el5
redhat/jboss-messaging<0:1.4.0-3.SP3_CP09.4.ep1.el5
redhat/jboss-seam<0:1.2.1-3.JBPAPP_4_3_0_GA.ep1.12.el5.1
redhat/jboss-seam2<0:2.0.2.FP-1.ep1.18.el5
redhat/jbossws<0:2.0.1-4.SP2_CP07.2.1.ep1.el5
redhat/jbossws-common<0:1.0.0-2.GA_CP05.1.ep1.el5
redhat/jbossws-framework<0:2.0.1-1.GA_CP05.1.ep1.el5
redhat/rh-eap-docs<0:4.3.0-6.GA_CP07.ep1.3.el5
redhat/java<1.5.0-sun-0:1.5.0.22-1jpp.1.el4
redhat/java<1.6.0-ibm-1:1.6.0.7-1jpp.3.el4
redhat/java<1.4.2-ibm-0:1.4.2.13.2.sap-1jpp.4.el4_8
redhat/java<1.4.2-ibm-0:1.4.2.13.2.sap-1jpp.4.el5_3
redhat/jasperreports-server-pro<0:4.7.1-2.el6e
redhat/java<1.5.0-sun-0:1.5.0.20-1jpp.1.el5
redhat/java<1.6.0-sun-1:1.6.0.15-1jpp.1.el5
redhat/java<1.5.0-ibm-1:1.5.0.10-1jpp.4.el5
redhat/java<1.4.2-ibm-0:1.4.2.13.1-1jpp.1.el5
redhat/java<1.6.0-ibm-1:1.6.0.6-1jpp.3.el5
Oracle JDK=1.5.0
Oracle JDK=1.5.0-update1
Oracle JDK=1.5.0-update10
Oracle JDK=1.5.0-update11
Oracle JDK=1.5.0-update12
Oracle JDK=1.5.0-update13
Oracle JDK=1.5.0-update14
Oracle JDK=1.5.0-update15
Oracle JDK=1.5.0-update16
Oracle JDK=1.5.0-update17
Oracle JDK=1.5.0-update18
Oracle JDK=1.5.0-update19
Oracle JDK=1.5.0-update2
Oracle JDK=1.5.0-update3
Oracle JDK=1.5.0-update4
Oracle JDK=1.5.0-update5
Oracle JDK=1.5.0-update6
Oracle JDK=1.5.0-update7
Oracle JDK=1.5.0-update8
Oracle JDK=1.5.0-update9
Oracle JDK=1.6.0
Oracle JDK=1.6.0-update1
Oracle JDK=1.6.0-update10
Oracle JDK=1.6.0-update11
Oracle JDK=1.6.0-update12
Oracle JDK=1.6.0-update13
Oracle JDK=1.6.0-update14
Oracle JDK=1.6.0-update2
Oracle JDK=1.6.0-update3
Oracle JDK=1.6.0-update4
Oracle JDK=1.6.0-update5
Oracle JDK=1.6.0-update6
Oracle JDK=1.6.0-update7
Fedoraproject Fedora=10
Fedoraproject Fedora=11
openSUSE openSUSE=11.0
openSUSE openSUSE=11.1
openSUSE openSUSE=11.2
SUSE Linux Enterprise Server=9
SUSE Linux Enterprise Server=10-sp2
SUSE Linux Enterprise Server=10-sp3
SUSE Linux Enterprise Server=11
Debian Debian Linux=4.0
Debian Debian Linux=5.0
Canonical Ubuntu Linux=6.06
Canonical Ubuntu Linux=8.04
Canonical Ubuntu Linux=8.10
Canonical Ubuntu Linux=9.04
Canonical Ubuntu Linux=9.10
Oracle Primavera P6 Enterprise Project Portfolio Management=6.1
Oracle Primavera P6 Enterprise Project Portfolio Management=6.2.1
Oracle Primavera P6 Enterprise Project Portfolio Management=7.0
Oracle Primavera Web Services=6.2.1
Oracle Primavera Web Services=7.0
Oracle Primavera Web Services=7.0-sp1
Apache Xerces2 Java=2.9.1
IBM InfoSphere Data Architect<=9.2.1
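The Red Hat entries above each have the shape `vendor/package<epoch:version-release`, so the practical check on a host is whether the installed RPM's epoch:version-release sorts below the fixed build under RPM's own ordering rules (numeric segments compare as numbers, so 1.5.0.9 is older than 1.5.0.20 even though it sorts later as text). The following Python is an added example, not code from SecAlerts or Red Hat: the constraint lines are copied from the list above, the inventory is constructed sample data, and `rpmvercmp()` is a re-implementation of rpm's ordering (tilde handled, caret omitted) rather than a call into librpm.

```python
"""Check installed RPM packages against the CVE-2009-2625 fix versions
listed above. Added example, not SecAlerts' or Red Hat's code: constraint
lines are copied from the advisory, the inventory is constructed, and
rpmvercmp() re-implements rpm's ordering rules instead of calling librpm."""
import re
from functools import cmp_to_key
from itertools import zip_longest

# Constraint lines copied verbatim from the Affected Software list above
# (a subset of the 76 Red Hat entries; every entry has this same shape).
FIX_CONSTRAINTS = [
    "redhat/java<1.5.0-sun-0:1.5.0.20-1jpp.1.el5",
    "redhat/java<1.6.0-sun-1:1.6.0.15-1jpp.1.el4",
    "redhat/java<1.6.0-sun-1:1.6.0.15-1jpp.1.el5",
    "redhat/java<1.6.0-openjdk-1:1.6.0.0-1.2.b09.el5",
    "redhat/xerces-j2<0:2.7.1-7jpp.2.el5_4.2",
    "redhat/xerces-j2<0:2.7.1-12.6.el6_0",
]

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")  # rpmvercmp segments; separators ignored
_DIST = re.compile(r"\.(el\d+)")          # RHEL dist tag inside a release string


def rpmvercmp(a, b):
    """Order two version (or release) strings as rpm does: -1, 0 or 1.
    Numeric segments compare numerically (leading zeros dropped), alphabetic
    ones lexically, numeric beats alphabetic, '~' sorts before anything
    including end of string, and otherwise the string with more segments wins."""
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0


def evr_cmp(a, b):
    """Compare (epoch, version, release) tuples: epoch, then version, then release."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def parse_constraint(line):
    """'redhat/java<1.6.0-sun-1:1.6.0.15-1jpp.1.el5' ->
    ('java-1.6.0-sun', 1, '1.6.0.15', '1jpp.1.el5'). For redhat/java the text
    before the epoch names the java-* subpackage; other packages start at the epoch."""
    pkg, fixed = line.split("<", 1)
    left, right = fixed.split(":", 1)
    sub, epoch = left.rsplit("-", 1) if "-" in left else ("", left)
    version, release = right.rsplit("-", 1)
    name = pkg.split("/", 1)[1] + ("-" + sub if sub else "")
    return name, int(epoch), version, release


def verdict(name, epoch, version, release, constraints=FIX_CONSTRAINTS):
    """'affected', 'fixed' or 'no fix listed' for one installed package. Fixes are
    matched by package name and dist tag, since the advisory lists one fixed build
    per RHEL release; if several match (two advisories for one package) the lowest
    is the boundary, because anything at or above it already carries the patch."""
    def tag(rel):
        m = _DIST.search(rel)
        return m.group(1) if m else None

    matches = [f[1:] for f in map(parse_constraint, constraints)
               if f[0] == name and tag(f[3]) == tag(release)]
    if not matches:
        return "no fix listed"
    lowest = min(matches, key=cmp_to_key(evr_cmp))
    return "affected" if evr_cmp((epoch, version, release), lowest) < 0 else "fixed"


# Constructed sample inventory, in the fields that
# rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE}\n' would print.
INVENTORY = [
    ("java-1.6.0-sun", 1, "1.6.0.14", "1jpp.1.el5"),      # one update below the fix
    ("java-1.6.0-sun", 1, "1.6.0.15", "1jpp.1.el5"),      # exactly the fixed build
    ("java-1.5.0-sun", 0, "1.5.0.9", "1jpp.1.el5"),       # 9 < 20 numerically, "9" > "20" as text
    ("java-1.6.0-openjdk", 1, "1.6.0.0", "1.1.b09.el5"),  # same version, older release
    ("xerces-j2", 0, "2.7.1", "7jpp.2.el5_4.1"),          # differs only in the last release digit
    ("xerces-j2", 0, "2.7.1", "12.5.el6"),                # below the el6 fix 12.6.el6_0
    ("java-1.6.0-sun", 1, "1.6.0.14", "1jpp.1.el7"),      # the page lists no el7 build
]


def check_inventory(inventory=INVENTORY):
    """Map 'name-epoch:version-release' to its verdict."""
    return {f"{n}-{e}:{v}-{r}": verdict(n, e, v, r) for n, e, v, r in inventory}
```

To run it against a real host, replace `INVENTORY` with the output of the `rpm -qa` query in the comment; the dist-tag match is what stops an el4 fix from being compared with an el5 install, and a package that matches no listed build is reported as "no fix listed" rather than silently treated as safe.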

Event History

Jul 21, 2009, 11:05 AM: data sourced via Red Hat (description, severity, affected software)
Aug 5, 2009, 12:00 AM: CVE published via Red Hat
Aug 6, 2009, 03:00 PM: CVE published via MITRE
Aug 6, 2009, 03:00 PM: data sourced via MITRE (description)
Mar 4, 2026, 12:00 AM: data sourced via IBM (description, affected software)

Frequently Asked Questions

1. What is the severity of CVE-2009-2625?

CVE-2009-2625 is rated Medium severity. It is a denial of service vulnerability: malformed XML input sends the Xerces2 parser into an infinite loop, so its impact falls on the availability of affected applications, which can be significant for services that must parse untrusted XML.

2. How do I fix CVE-2009-2625?

Upgrade the affected Java Runtime Environment (or the bundled Apache Xerces2 Java library) to a fixed build from your vendor: for Sun/Oracle, JDK and JRE 6 Update 15 or later and JDK and JRE 5.0 Update 20 or later; for Red Hat and other distribution packages, the package versions listed under Affected Software or later.

3. Which products are affected by CVE-2009-2625?

The flaw is in Apache Xerces2 Java (2.9.1), so it affects the Sun JRE and JDK builds that bundle it (JDK and JRE 6 before Update 15, JDK and JRE 5.0 before Update 20), the IBM and Red Hat Java packages listed above, distribution packages of xerces-j2 and of the JBoss middleware that embeds it, and other products that ship the parser, such as Oracle Primavera P6 and Primavera Web Services and IBM InfoSphere Data Architect.

4. Can CVE-2009-2625 be exploited remotely?

Yes. Any application that feeds XML from an untrusted source to the affected parser can be made to hang by specially crafted (malformed) XML input that triggers the infinite loop.

5. What impact does CVE-2009-2625 have on my system?

CVE-2009-2625 can cause an affected application to hang in the XML parser, a denial of service that disrupts normal operations until the affected process is restarted.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co