CVE-2009-2625
libxerces2-java - denial of service
EPSS 1.6%
Description
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
How to fix CVE-2009-2625
To remediate CVE-2009-2625, upgrade the affected package to one of the fixed versions listed below.
- Debian/libxerces2-java: upgrade to 2.9.1-4.1 or later
- Debian/libxerces2-java: upgrade to 2.8.1-1+etch1 or later
- (package not named on this page): upgrade to 2.10.0 or later
Is CVE-2009-2625 being exploited?
Low — the EPSS score is 1.6%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- all versions from 0 up to, but not including, 2.9.1-4.1
- all versions from 0 up to, but not including, 2.8.1-1+etch1
- all versions from 0 up to, but not including, 2.10.0