
DOE-CIRC TECHNICAL BULLETIN

T-225: Sun Java Runtime Environment XML Parsing Denial of Service Vulnerability

[CVE-2009-2625]

September 4, 2009 14:00 GMT

PROBLEM: Sun Java Runtime Environment (JRE) is prone to a denial-of-service vulnerability.
PLATFORM: JDK and JRE 6 Update 14 and prior; JDK and JRE 5.0 Update 19 and prior
ABSTRACT: Sun Java Runtime Environment (JRE) allows remote attackers to cause a denial of service via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-225.shtml
  OTHER LINKS:
    Security Focus: http://www.securityfocus.com/bid/35958/info
    Security Tracker: http://securitytracker.com/alerts/2009/Aug/1022680.html

  CVE: CVE-2009-2625

IMPACT ASSESSMENT: This risk is low. Attackers may exploit this issue to cause denial-of-service conditions in applications that use the vulnerable environment.

[***** Start CVE-2009-2625 *****]
Discussion:
Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

A remote user can supply specially crafted XML that triggers a flaw in the JRE's XML parsing and causes denial of service conditions (the parser enters an infinite loop and the application hangs).

Solution:
The vendor has issued a fix for Windows, Solaris, and Linux:

* JDK and JRE 6 Update 15 or later
* JDK and JRE 5.0 Update 20 or later
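The bulletin gives the affected and fixed update levels but no way to check a host against them. The following script is an added example, not part of the DOE-CIRC bulletin or of Sun's advisory: it parses the version string printed by `java -version` (format `1.6.0_14`, optionally with a `-bNN` build suffix) and classifies it using the fix levels stated above (6 fixed in Update 15, 5.0 fixed in Update 20). Families the bulletin does not mention (for example Java 7) are reported as unknown rather than as safe. The sample outputs in `SAMPLES` are constructed, not captured from real hosts.

```python
import re
import subprocess
from typing import Optional, Tuple

# First fixed update level per Java family, as stated in the bulletin for
# CVE-2009-2625: JDK/JRE 6 fixed in Update 15, JDK/JRE 5.0 fixed in Update 20.
FIXED_UPDATE = {"1.6": 15, "1.5": 20}

# `java -version` prints e.g.  java version "1.6.0_14"  (to stderr)
_VERSION_RE = re.compile(r'(?:java|openjdk) version "(?P<ver>[^"]+)"')


def parse_java_version(text: str) -> Optional[Tuple[str, int]]:
    """Extract (family, update) from `java -version` output.

    'java version "1.6.0_14"'      -> ("1.6", 14)
    'java version "1.5.0_20-b02"'  -> ("1.5", 20)   (build suffix dropped)
    'java version "1.6.0"'         -> ("1.6", 0)    (no update number)
    Returns None when no version line is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    base = m.group("ver").split("-", 1)[0]      # strip "-b02" style build tags
    parts = base.split("_")                      # "1.6.0_14" -> ["1.6.0", "14"]
    dotted = parts[0].split(".")
    if len(dotted) < 2:
        return None
    family = ".".join(dotted[:2])                # "1.6" / "1.5"
    update = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    return family, update


def is_affected(text: str) -> Optional[bool]:
    """Classify `java -version` output against the bulletin's ranges.

    True  -> inside the affected range (update below the fixed level)
    False -> at or above the fixed update level
    None  -> unparseable, or a family the bulletin says nothing about
    """
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return None
    return update < fixed


def check_local_java() -> Optional[bool]:
    """Run the local `java -version` and classify it (None if java is absent)."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    # the version banner goes to stderr on Sun/Oracle JREs; read both streams
    return is_affected(proc.stderr + proc.stdout)


# Constructed sample banners (not captured from real systems).
SAMPLES = [
    'java version "1.6.0_14"\nJava(TM) SE Runtime Environment (build 1.6.0_14-b08)',
    'java version "1.6.0_15"',
    'java version "1.5.0_19"',
    'java version "1.5.0_20-b02"',
    'java version "1.7.0_01"',
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(banner.splitlines()[0], "->", is_affected(banner))
    print("local java ->", check_local_java())
```

Run it on a host to get a quick applicability verdict; a `True` result means the installed JRE is within the range the bulletin lists and should be updated to the levels above. Note that a host can carry several JREs (bundled with applications, or older installs left behind), so checking only the `java` on the PATH does not prove the remediation note below about removing old versions has been followed.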

Java SE releases are available at:

JDK and JRE 6 Update 15:

http://java.sun.com/javase/downloads/index.jsp

JRE 6 Update 15:

http://java.com/

or through the Java Update tool for Microsoft Windows users.

JDK 6 Update 15 for Solaris is available in the following patches:

* Java SE 6 Update 15 (as delivered in patch 125136-16)
* Java SE 6 Update 15 (as delivered in patch 125137-16 (64bit))
* Java SE 6_x86 Update 15 (as delivered in patch 125138-16)
* Java SE 6_x86 Update 15 (as delivered in patch 125139-16 (64bit))

JDK and JRE 5.0 Update 20:

http://java.sun.com/javase/downloads/index_jdk5.jsp

JDK 5.0 Update 20 for Solaris is available in the following patches:

* J2SE 5.0 Update 18 (as delivered in patch 118666-21)
* J2SE 5.0 Update 18 (as delivered in patch 118667-21 (64bit))
* J2SE 5.0_x86 Update 18 (as delivered in patch 118668-21)
* J2SE 5.0_x86 Update 18 (as delivered in patch 118669-21 (64bit))

Java SE for Business releases are available at:

http://www.sun.com/software/javaseforbusiness/getit_download.jsp

Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see:

http://www.java.com/en/download/help/5000010800.xml
[***** End CVE-2009-2625 *****]

DOE-CIRC wishes to acknowledge the contributions of Jukka Taimisto, Tero Rontti and Rauli Kaksonen from the CROSS project at Codenomicon Ltd, and CERT-FI for the information contained in this bulletin.
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788