CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS
Percentile
96.1%
CentOS Errata and Security Advisory CESA-2009:1615
The xerces-j2 packages provide the Apache Xerces2 Java Parser, a
high-performance XML parser. A Document Type Definition (DTD) defines the
legal syntax (and also which elements can be used) for certain types of
files, such as XML files.
A flaw was found in the way the Apache Xerces2 Java Parser processed the
SYSTEM identifier in DTDs. A remote attacker could provide a
specially-crafted XML file, which once parsed by an application using the
Apache Xerces2 Java Parser, would lead to a denial of service (application
hang due to excessive CPU use). (CVE-2009-2625)
Users should upgrade to these updated packages, which contain a backported
patch to correct this issue. Applications using the Apache Xerces2 Java
Parser must be restarted for this update to take effect.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2009-December/078530.html
https://lists.centos.org/pipermail/centos-announce/2009-December/078531.html
Affected packages:
xerces-j2
xerces-j2-demo
xerces-j2-javadoc-apis
xerces-j2-javadoc-impl
xerces-j2-javadoc-other
xerces-j2-javadoc-xni
xerces-j2-scripts
Upstream details at:
https://access.redhat.com/errata/RHSA-2009:1615