CVE-2009-2625

2009-08-0600:00:00

ubuntu.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.077 Low

EPSS

Percentile

94.1%

JSON

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime
Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0
before Update 20, and in other products, allows remote attackers to cause a
denial of service (infinite loop and application hang) via malformed XML
input, as demonstrated by the Codenomicon XML fuzzing framework.

Notes

Author	Note
jdstrand	this originally come out as a bug in expat (#1990430). CVE-2009-3720 was later assigned to this identical issue, since this issue was worded as a Java vulnerability. Our USN references this CVE and CVE-2009-3720 will be ignored.

OSVersionArchitecturePackageVersionFilename
ubuntu6.06noarchexpat< 1.95.8-3ubuntu0.1UNKNOWN
ubuntu8.04noarchexpat< 2.0.1-0ubuntu1.1UNKNOWN
ubuntu8.10noarchexpat< 2.0.1-4ubuntu0.8.10.1UNKNOWN
ubuntu9.04noarchexpat< 2.0.1-4ubuntu0.9.04.1UNKNOWN
ubuntu9.10noarchexpat< 2.0.1-4ubuntu1.1UNKNOWN
ubuntu10.04noarchexpat< 2.0.1-7ubuntu1UNKNOWN
ubuntu10.10noarchexpat< 2.0.1-7ubuntu1UNKNOWN
ubuntu8.04noarchopenjdk-6< 6b18-1.8.2-4ubuntu1~8.04.1UNKNOWN
ubuntu8.10noarchopenjdk-6< 6b12-0ubuntu6.5UNKNOWN
ubuntu9.04noarchopenjdk-6< 6b14-1.4.1-0ubuntu11UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	6.06	noarch	expat	< 1.95.8-3ubuntu0.1	UNKNOWN
ubuntu	8.04	noarch	expat	< 2.0.1-0ubuntu1.1	UNKNOWN
ubuntu	8.10	noarch	expat	< 2.0.1-4ubuntu0.8.10.1	UNKNOWN
ubuntu	9.04	noarch	expat	< 2.0.1-4ubuntu0.9.04.1	UNKNOWN
ubuntu	9.10	noarch	expat	< 2.0.1-4ubuntu1.1	UNKNOWN
ubuntu	10.04	noarch	expat	< 2.0.1-7ubuntu1	UNKNOWN
ubuntu	10.10	noarch	expat	< 2.0.1-7ubuntu1	UNKNOWN
ubuntu	8.04	noarch	openjdk-6	< 6b18-1.8.2-4ubuntu1~8.04.1	UNKNOWN
ubuntu	8.10	noarch	openjdk-6	< 6b12-0ubuntu6.5	UNKNOWN
ubuntu	9.04	noarch	openjdk-6	< 6b14-1.4.1-0ubuntu11	UNKNOWN