
Vulnerability of Apache Xerces2 Java, Java JRE/JDK, OpenJDK: memory corruption via XML

Synthesis of the vulnerability 

An attacker can create XML data containing a malicious byte which corrupts the memory, in order to create a denial of service or to execute code in Apache Xerces2 Java, Java JRE/JDK or OpenJDK.
Impacted products: Xerces Java, Debian, HP-UX, Mandriva Linux, Java OpenJDK, openSUSE, Oracle GlassFish Server, Java Oracle, RHEL, JBoss EAP by Red Hat, Slackware, Sun AS, SLES.
Severity of this bulletin: 3/4.
Creation date: 10/08/2009.
Revision date: 09/12/2009.
References of this threat: 272209, 6870754, BID-35958, CVE-2009-2625, DSA-1984-1, FICORA #245608, HPSBUX02476, MDVSA-2011:108, RHSA-2009:1199-01, RHSA-2009:1200-01, RHSA-2009:1201-01, RHSA-2009:1505-01, RHSA-2009:1582-01, RHSA-2009:1615-01, RHSA-2011:0858-01, RHSA-2012:0725-01, RHSA-2012:1232-01, RHSA-2012:1537-01, RHSA-2013:0763-01, SSA:2011-041-02, SSRT090250, SUSE-SR:2009:014, SUSE-SR:2009:016, SUSE-SR:2009:017, SUSE-SR:2010:011, SUSE-SR:2010:013, SUSE-SR:2010:014, SUSE-SR:2010:015, VIGILANCE-VUL-8925.

Description of the vulnerability 

The Apache Xerces2 Java, Java JRE/JDK and OpenJDK products manage XML data. They share the same vulnerability.

An attacker can create XML data containing a malicious byte which corrupts the memory, in order to create a denial of service or to execute code in these products.

This cybersecurity bulletin impacts software or systems such as Xerces Java, Debian, HP-UX, Mandriva Linux, Java OpenJDK, openSUSE, Oracle GlassFish Server, Java Oracle, RHEL, JBoss EAP by Red Hat, Slackware, Sun AS, SLES.

Our Vigil@nce team determined that the severity of this cybersecurity weakness is important.

The trust level is: confirmed by the vendor, with an origin of: vendor document.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat 

Java JRE/JDK: version 6 Update 15.
Version 6 Update 15 is fixed:
  http://java.sun.com/javase/downloads/index.jsp
  http://java.com/
Under Windows, the Java Update tool can be used for updating.
Older versions have to be uninstalled.
Patches for Solaris:
  Java SE 6: patch 125136-16
  Java SE 6 64bit: patch 125137-16
  Java SE 6_x86: patch 125138-16
  Java SE 6_x86 64bit: patch 125139-16

Java JRE/JDK: version 5.0 Update 20.
Version 5.0 Update 20 is fixed:
  http://java.sun.com/javase/downloads/index_jdk5.jsp
Older versions have to be uninstalled.
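As an added check that is not part of the bulletin: a Python script that parses the `java -version` banner and compares the update level against the fixed Sun JRE/JDK versions named above (6 Update 15, 5.0 Update 20). The sample banners are constructed; OpenJDK and vendor builds are reported as "unknown" because their fix is tracked by package version, not by update number.

```python
import re
import subprocess

# Minimum fixed update level per Java family, as stated in the bulletin.
# Older updates in the same family are treated as affected.
FIXED_UPDATE = {"1.6.0": 15, "1.5.0": 20}

# First line of `java -version`, e.g.  java version "1.6.0_14"
VERSION_RE = re.compile(r'java version "(\d+\.\d+\.\d+)(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (family, update) from a `java -version` banner, or None if unparseable."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    family = m.group(1)
    update = int(m.group(2)) if m.group(2) else 0
    return family, update


def is_fixed(banner):
    """True/False for a Sun/Oracle JRE at or below the fixed update level.
    None means 'unknown': OpenJDK/vendor builds (check the package version
    instead) or a family the bulletin does not list (e.g. 1.4.2)."""
    if "OpenJDK" in banner:
        return None
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    if family not in FIXED_UPDATE:
        return None
    return update >= FIXED_UPDATE[family]


def local_java_banner():
    """Run `java -version` on this host; the banner is printed to stderr."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return proc.stderr + proc.stdout


# Constructed sample banners (not captured from any real host).
SAMPLES = [
    'java version "1.6.0_14"\nJava(TM) SE Runtime Environment (build 1.6.0_14-b08)',
    'java version "1.6.0_15"\nJava(TM) SE Runtime Environment (build 1.6.0_15-b03)',
    'java version "1.5.0_19"',
    'java version "1.6.0_0"\nOpenJDK Runtime Environment (IcedTea6 1.6)',
]

if __name__ == "__main__":
    for banner in SAMPLES + [local_java_banner()]:
        print(parse_java_version(banner), "fixed:", is_fixed(banner))
```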

Debian: new libxerces2-java packages.
New packages are available:
  http://security.debian.org/pool/updates/main/libx/libxerces2-java/libxerces2-java_2.8.1-1+etch1_*.deb
  http://security.debian.org/pool/updates/main/libx/libxerces2-java/libxerces2-java_2.9.1-2+lenny1_*.deb

HP-UX: patch for JDK, SDK and JRE.
A patch is available:
  JDK and JRE v6.0.05
  JDK and JRE v5.0.17
  SDK and JRE v1.4.2.23

JBoss Enterprise Portal Platform: version 5.2.2.
Version 5.2.2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions

JBoss Operations Network: version 3.1.0.
Version 3.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=em&version=3.1.0

JBoss Web Framework Kit: version 2.2.0.
Version 2.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=distributions

Mandriva: new xerces-j2 packages.
New packages are available:
  xerces-j2-2.9.0-9.1mdv2009.0
  xerces-j2-2.9.0-12.1mdv2010.2
  xerces-j2-2.9.0-9.1mdvmes5.2

RHEL 4E, 5S: new java-1.5.0-sun packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras:
  java-1.5.0-sun-1.5.0.20-1jpp.1.el4
Red Hat Enterprise Linux version 5 Supplementary:
  java-1.5.0-sun-1.5.0.20-1jpp.1.el5

RHEL 4E, 5S: new java-1.6.0-ibm packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras:
  java-1.6.0-ibm-1.6.0.6-1jpp.3.el4
Red Hat Enterprise Linux version 5 Supplementary:
  java-1.6.0-ibm-1.6.0.6-1jpp.3.el5

RHEL 4E, 5S: new java-1.6.0-sun packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras:
  java-1.6.0-sun-1.6.0.15-1jpp.1.el4
Red Hat Enterprise Linux version 5 Supplementary:
  java-1.6.0-sun-1.6.0.15-1jpp.1.el5

RHEL 5: new java-1.6.0-openjdk packages.
New packages are available:
Red Hat Enterprise Linux version 5:
  java-1.6.0-openjdk-1.6.0.0-1.2.b09.el5

RHEL 5: new xerces-j2 packages.
New packages are available:
  xerces-j2-2.7.1-7jpp.2.el5_4.2

RHEL 6.0: new xerces-j2 packages.
New packages are available:
  xerces-j2-2.7.1-12.6.el6_0

RHEL 6: new jasperreports-server-pro packages.
New packages are available:
  jasperreports-server-pro-4.7.1-2

RHEL: new java packages.
New packages are available:
Red Hat Enterprise Linux AS 3 Extras, Desktop 3 Extras, ES 3 Extras, WS 3 Extras:
  java-1.4.2-ibm-1.4.2.13.1-1jpp.1.el3.*.rpm
Red Hat Enterprise Linux AS 4 Extras, Desktop 4 Extras, ES 4 Extras, WS 4 Extras:
  java-1.4.2-ibm-1.4.2.13.1-1jpp.1.el4.*.rpm
Red Hat Enterprise Linux Supplementary 5, Desktop Supplementary 5:
  java-1.4.2-ibm-1.4.2.13.1-1jpp.1.el5.*.rpm

Slackware: new expat packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-11.0/patches/packages/expat-1.95.8-i486-2_slack11.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/expat-2.0.1-i486-2_slack12.0.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/expat-2.0.1-i486-2_slack12.1.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/expat-2.0.1-i486-2_slack12.2.tgz
ftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/expat-2.0.1-i486-2_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/expat-2.0.1-x86_64-2_slack13.0.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/expat-2.0.1-i486-2_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/expat-2.0.1-x86_64-2_slack13.1.txz

Sun GlassFish, Java AS: patch for XML.
A patch is available in information sources.

SUSE: new packages (01/09/2009).
New packages are available.

SUSE: new packages (02/08/2010).
New packages are available, as indicated in information sources.

SUSE: new packages (10/05/2010).
New packages are available, as indicated in information sources.

SUSE: new packages (13/10/2009).
New packages are available.

SUSE: new packages (14/06/2010).
New packages are available, as indicated in information sources.

SUSE: new packages (18/08/2010).
New packages are available, as indicated in information sources.

SUSE: new packages (26/10/2009).
New packages are available, as indicated in information sources.
