joshnewton31080 / JAVA_DEMO

CVE-2009-2625 (Medium) detected in xercesImpl-2.8.0.jar

mend-for-github-com opened this issue · comments

CVE-2009-2625 - Medium Severity Vulnerability

Vulnerable Library - xercesImpl-2.8.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Library home page: http://xerces.apache.org/xerces2-j

Path to dependency file: JAVA_DEMO/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar,JAVA_DEMO/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/xercesImpl-2.8.0.jar

Dependency Hierarchy:

  • xercesImpl-2.8.0.jar (Vulnerable Library)

Found in HEAD commit: 31e9f6b0e188589908d52f26b2e82abbe719e296

Found in base branch: main

Vulnerability Details

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Publish Date: 2009-08-06

URL: CVE-2009-2625

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: N/A
    • Attack Complexity: N/A
    • Privileges Required: N/A
    • User Interaction: N/A
    • Scope: N/A
  • Impact Metrics:
    • Confidentiality Impact: N/A
    • Integrity Impact: N/A
    • Availability Impact: N/A

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id?1022680

Release Date: 2017-12-31

Fix Resolution: The vendor has issued a fix for Windows, Solaris, and Linux:

  • JDK and JRE 6 Update 15 or later
  • JDK and JRE 5.0 Update 20 or later

Java SE releases are available at:

JDK and JRE 6 Update 15:

http://java.sun.com/javase/downloads/index.jsp

JRE 6 Update 15:

http://java.com/

through the Java Update tool for Microsoft Windows users.

JDK 6 Update 15 for Solaris is available in the following patches:

  • Java SE 6 Update 15 (as delivered in patch 125136-16)
  • Java SE 6 Update 15 (as delivered in patch 125137-16 (64bit))
  • Java SE 6_x86 Update 15 (as delivered in patch 125138-16)
  • Java SE 6_x86 Update 15 (as delivered in patch 125139-16 (64bit))

JDK and JRE 5.0 Update 20:

http://java.sun.com/javase/downloads/index_jdk5.jsp

JDK 5.0 Update 20 for Solaris is available in the following patches:

  • J2SE 5.0 Update 18 (as delivered in patch 118666-21)
  • J2SE 5.0 Update 18 (as delivered in patch 118667-21 (64bit))
  • J2SE 5.0_x86 Update 18 (as delivered in patch 118668-21)
  • J2SE 5.0_x86 Update 18 (as delivered in patch 118669-21 (64bit))

Java SE for Business releases are available at:

http://www.sun.com/software/javaseforbusiness/getit_download.jsp

Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see:

http://www.java.com/en/download/help/5000010800.xml

The vendor's advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1