Category
Security
Release Phase
Resolved
Bug Id
6870754
Product
Sun GlassFish Enterprise Server v2.1
Sun Java System Application Server
Date of Resolved Release
10-Dec-2009
A Security Vulnerability in the Java Runtime Environment (JRE) Bundled With Sun GlassFish Enterprise Server v2.1 / Sun Java System Application Server 8.x While Parsing XML Data May Cause a Denial of Service (DoS)
1. Impact
A vulnerability in the Java Runtime Environment (JRE) shipped with Sun GlassFish Enterprise Server v2.1 and Sun Java System Application Server 8.x, related to the parsing of XML data, may allow a remote client to cause a Denial of Service (DoS) against the GlassFish or Application Server.
This issue is referenced in the following document:
CVE-2009-2625 at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
Sun acknowledges with thanks Jukka Taimisto, Tero Rontti and Rauli Kaksonen from the CROSS project at Codenomicon Ltd, and CERT-FI for bringing this issue to our attention.
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Sun GlassFish Enterprise Server v2.1 with HADB - Package Based
without patch 128640-13 (for customers with a valid support contract) or
141709-02 (for customers without a valid support contract)
- Sun GlassFish Enterprise Server v2.1 with HADB without patch
128643-13 (for customers with a valid support contract) or 141700-02 (for
customers without a valid support contract)
- Sun Java System Application Server 8.0 Enterprise Edition
- Sun Java System Application Server 8.1 without patch 119166-39
(Enterprise Edition SVR4) or 119169-32 (Enterprise Edition file based)
- Sun Java System Application Server 8.2 without patch 124672-13
(Enterprise Edition SVR4) or 124675-12 (Enterprise Edition file based)
x86 Platform
- Sun GlassFish Enterprise Server v2.1 with HADB - Package Based
without patch 128641-13 (for customers with a valid support contract) or
141710-02 (for customers without a valid support contract)
- Sun GlassFish Enterprise Server v2.1 with HADB without patch
128644-13 (for customers with a valid support contract) or 141701-02 (for
customers without a valid support contract)
- Sun Java System Application Server 8.0 Enterprise Edition
- Sun Java System Application Server 8.1 without patch 119167-39
(Enterprise Edition SVR4) or 119170-32 (Enterprise Edition file based)
- Sun Java System Application Server 8.2 without patch 124673-13
(Enterprise Edition SVR4) or 124676-12 (Enterprise Edition file based)
Linux
- Sun GlassFish Enterprise Server v2.1 with HADB - Package Based
without patch 128642-13 (for customers with a valid support contract) or
141711-02 (for customers without a valid support contract)
- Sun GlassFish Enterprise Server v2.1 with HADB without patch
128645-13 (for customers with a valid support contract) or 141702-02 (for
customers without a valid support contract)
- Sun Java System Application Server 8.0 Enterprise Edition
- Sun Java System Application Server 8.1 without patch 119168-39
(Enterprise Edition Package Based) or 119171-32 (Enterprise Edition
file based)
- Sun Java System Application Server 8.2 without patch 124674-13
(Enterprise Edition Package Based) or 124677-12 (Enterprise Edition
file based)
Windows
- Sun GlassFish Enterprise Server v2.1 with HADB without patch
128646-13 (for customers with a valid support contract) or 141703-02 (for
customers without a valid support contract)
- Sun Java System Application Server 8.0 Enterprise Edition
- Sun Java System Application Server 8.1 without patch 122848-24
(Enterprise Edition Package based) or 119172-32 (Enterprise Edition
file based)
- Sun Java System Application Server 8.2 without patch 124684-14
(Enterprise Edition Package based) or 124678-12 (Enterprise Edition
file based)
Notes:
1. Sun GlassFish Enterprise Server v2.1 was formerly referred to as Sun Java System Application Server 9.1UR2 patch 6.
2. Application Server Platform Edition and GlassFish without HADB are not impacted by this issue.
To determine the version of Sun GlassFish Enterprise Server or Sun Java System Application Server on a system, the following command can be run:
$ <AS-install>/bin/asadmin version
(where <AS-install> is the installation directory of the Application Server or GlassFish).
3. Symptoms
There are no predictable symptoms that would indicate the described
issue has been exploited.
4. Workaround
There is no workaround for this issue. Please see the Resolution
section below.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
- Sun GlassFish Enterprise Server v2.1 with HADB -
Package Based with patch 128640-13 or later (for customers with a valid
support contract) or 141709-02 or later (for customers without a valid
support contract)
- Sun GlassFish Enterprise Server v2.1 with HADB with
patch 128643-13 or later (for customers with a valid support contract) or
141700-02 or later (for customers without a valid support contract)
- Sun Java System Application Server 8.1 with patch
119166-39 or later (Enterprise Edition package based) or 119169-32 or
later (Enterprise Edition file based)
- Sun Java System Application Server 8.2 with patch
124672-13 or later (Enterprise Edition package based) or 124675-12 or
later (Enterprise Edition file based)
x86 Platform
- Sun GlassFish Enterprise Server v2.1 with HADB -
Package Based with patch 128641-13 or later (for customers with a valid
support contract) or 141710-02 or later (for customers without a valid
support contract)
- Sun GlassFish Enterprise Server v2.1 with HADB with
patch 128644-13 or later (for customers with a valid support contract) or
141701-02 or later (for customers without a valid support contract)
- Sun Java System Application Server 8.1 with patch
119167-39 or later (Enterprise Edition package based) or 119170-32 or
later (Enterprise Edition file based)
- Sun Java System Application Server 8.2 with patch
124673-13 or later (Enterprise Edition package based) or 124676-12 or
later (Enterprise Edition file based)
Linux
- Sun GlassFish Enterprise Server v2.1 with HADB -
Package Based with patch 128642-13 or later (for customers with a valid
support contract) or 141711-02 or later (for customers without a valid
support contract)
- Sun GlassFish Enterprise Server v2.1 with HADB with
patch 128645-13 or later (for customers with a valid support contract) or
141702-02 or later (for customers without a valid support contract)
- Sun Java System Application Server 8.1 with patch
119168-39 or later (Enterprise Edition package based) or 119171-32 or
later (Enterprise Edition file based)
- Sun Java System Application Server 8.2 with patch
124674-13 or later (Enterprise Edition package based) or 124677-12 or
later (Enterprise Edition file based)
Windows
- Sun GlassFish Enterprise Server v2.1 with HADB with
patch 128646-13 or later (for customers with a valid support contract) or
141703-02 or later (for customers without a valid support contract)
- Sun Java System Application Server 8.1 with patch
122848-24 or later (Enterprise Edition package based) or 119172-32 or
later (Enterprise Edition file based)
- Sun Java System Application Server 8.2 with patch
124684-14 or later (Enterprise Edition package based) or 124678-12 or
later (Enterprise Edition file based)
Note: Systems running Application Server 8.0 should be upgraded to a later version, followed by installation of the resolution patches above.
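Checking the installed patch revision against the Resolution table is the natural follow-up to `asadmin version` on a Solaris system. The script below is an added example, not part of this Sun Alert or of the GlassFish/Application Server distribution: it parses the `Patch: BASE-REV ...` lines printed by Solaris `showrev -p`, takes the highest installed revision of each patch base id, and treats a patch as applied only when that revision is at or above the required one, which is the "or later" condition used above. The `showrev -p` output embedded in the script is constructed sample data (package names included) and the patch ids checked are the SPARC package-based ones from the Resolution section; the Linux and Windows deliverables are installed differently, so this check applies to Solaris hosts only.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): verify that the patches named in the
# Resolution section are installed at the required revision or later, using the
# "Patch: BASE-REV ..." lines printed by Solaris `showrev -p`.

# Constructed sample of `showrev -p` output, used when SHOWREV_OUTPUT is unset.
# Revisions are deliberately mixed: one patch is current, two are too old and
# one appears twice (the highest installed revision must win).
SAMPLE_SHOWREV='Patch: 128640-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 128640-11 Obsoletes: 128640-09 Requires:  Incompatibles:  Packages: SUNWexample
Patch: 119166-39 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample
Patch: 124672-12 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWexample'

# On a real Solaris host run as:  SHOWREV_OUTPUT="$(showrev -p)" sh patchcheck.sh
SHOWREV_OUTPUT=${SHOWREV_OUTPUT:-$SAMPLE_SHOWREV}

# installed_rev BASE : print the highest installed revision of patch BASE as a
# plain number (no leading zero); print nothing when the patch is absent.
installed_rev() {
  printf '%s\n' "$SHOWREV_OUTPUT" | awk -v base="$1" '
    $1 == "Patch:" {
      split($2, p, "-")
      if (p[1] == base && (p[2] + 0) > max) max = p[2] + 0
    }
    END { if (max > 0) print max }'
}

# patch_ok BASE-REV : succeed when BASE is installed at revision REV or later,
# i.e. the "or later" condition of the Resolution section.
patch_ok() {
  have=$(installed_rev "${1%-*}")
  req=$(printf '%s\n' "${1#*-}" | awk '{ print $1 + 0 }')   # "02" -> 2
  [ -n "$have" ] && [ "$have" -ge "$req" ]
}

# check_required "BASE-REV BASE-REV ..." : one report line per patch; the exit
# status is the number of patches missing or below the required revision.
check_required() {
  missing=0
  for want in $1; do
    have=$(installed_rev "${want%-*}")
    if patch_ok "$want"; then
      echo "OK       $want (installed revision $have)"
    else
      echo "MISSING  $want (installed revision ${have:-none})"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# Stand-alone run: the SPARC package-based patch set from the Resolution section.
check_required "128640-13 141709-02 119166-39 124672-13"
echo "$? patch(es) missing or below the required revision"
```

Because `showrev -p` lists every revision of a patch that was ever applied, the script keeps only the highest revision per base id; comparing against the first match would wrongly report an old revision as current. A non-zero exit status from `check_required` makes the script usable from a compliance job that runs across the SPARC, x86 and Linux patch lists given above on the respective hosts.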
For more information on
Security Sun Alerts, see 1009886.1.
This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.
Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
References
128642-13
128645-13
128641-13
128644-13
128640-13
128643-13
128646-13
122848-24
119172-32
119168-39
119171-32
119167-39
119170-32
119166-39
119169-32
141700-02
141701-02
141702-02
141703-02
141709-02
141710-02
141711-02
124677-12
124678-12
124684-14
124674-13
124673-13
124676-12
124675-12
124672-13