XML parsing denial of service vulnerability in Sun Java Runtime Environment

Affected Versions:

Sun JDK 6

Sun JDK 5.0

Sun JRE 6

Sun JRE 5.0

Vulnerability description:

Bugtraq id: 35958

CVE (CAN) ID: CVE-2009-2625

The Java Runtime Environment (JRE) of the Solaris system provides a reliable runtime environment for JAVA applications.

When parsing XML elements containing unexpected byte values and recursive parentheses, JRE may cause the program to access the memory out of bounds or get stuck in an endless loop. Attackers can exploit this vulnerability by enticing users to open special files or submitting malicious XML content to the server, resulting in DOS.

<* Reference http://secunia.com/advisories/36159/

Http://www.cert.fi/en/reports/2009/vulnerability2009085.html

Https://www.redhat.com/support/errata/RHSA-2009-1201.html

Https://www.redhat.com/support/errata/RHSA-2009-1200.html

Https://www.redhat.com/support/errata/RHSA-2009-1199.html

Http://sunsolve.sun.com/search/printfriendly.do? Assetkey = 1-66-263489-1 *>

SEBUG Security suggestions:

Vendor patch:

RedHat

For this reason, RedHat has released a Security Bulletin (RHSA-2009: 1199-01) and patch:

RHSA-2009: 1199-01: Critical: java-1.5.0-sun security update

Link: https://www.redhat.com/support/errata/RHSA-2009-1199.html

Sun

Sun has released a Security Bulletin (Sun-Alert-263489) and corresponding patches for this purpose:

Sun-Alert-263489: A Security Vulnerability in the Java Runtime Environment (JRE) With Parsing XML Data May Allow a RemoteClient to Create a Denial of Service (DoS) Condition

Link: http://sunsolve.sun.com/search/printfriendly.do? Assetkey = 1 to 66-263489-1

Patch download:

Jsp> http://java.sun.com/javase/downloads/index.jsp

Http://java.sun.com/javase/downloads/index_jdk5.jsp