Affected Versions:
Sun JDK 6
Sun JDK 5.0
Sun JRE 6
Sun JRE 5.0
Vulnerability description:
Bugtraq id: 35958
CVE (CAN) ID: CVE-2009-2625
The Java Runtime Environment (JRE) of the Solaris system provides a reliable runtime environment for JAVA applications.
When parsing XML elements containing unexpected byte values and recursive parentheses, JRE may cause the program to access the memory out of bounds or get stuck in an endless loop. Attackers can exploit this vulnerability by enticing users to open special files or submitting malicious XML content to the server, resulting in DOS.
<* Reference http://secunia.com/advisories/36159/
Http://www.cert.fi/en/reports/2009/vulnerability2009085.html
Https://www.redhat.com/support/errata/RHSA-2009-1201.html
Https://www.redhat.com/support/errata/RHSA-2009-1200.html
Https://www.redhat.com/support/errata/RHSA-2009-1199.html
Http://sunsolve.sun.com/search/printfriendly.do? Assetkey = 1-66-263489-1 *>
SEBUG Security suggestions:
Vendor patch:
RedHat
For this reason, RedHat has released a Security Bulletin (RHSA-2009: 1199-01) and patch:
RHSA-2009: 1199-01: Critical: java-1.5.0-sun security update
Link: https://www.redhat.com/support/errata/RHSA-2009-1199.html
Sun
Sun has released a Security Bulletin (Sun-Alert-263489) and corresponding patches for this purpose:
Sun-Alert-263489: A Security Vulnerability in the Java Runtime Environment (JRE) With Parsing XML Data May Allow a RemoteClient to Create a Denial of Service (DoS) Condition
Link: http://sunsolve.sun.com/search/printfriendly.do? Assetkey = 1 to 66-263489-1
Patch download:
Jsp> http://java.sun.com/javase/downloads/index.jsp
Http://java.sun.com/javase/downloads/index_jdk5.jsp