CVE-2009-1190 - Vulnerability Details

Algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method in Sun Java Development Kit (JDK) before 1.6, when used with spring.jar in SpringSource Spring Framework 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 and dm Server 1.0.0 through 1.0.2, allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups, a related issue to CVE-2004-2540.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Springsource	Dm Server Spring Framework
Sun	Jdk

Configuration 1 [-]

AND

OR	cpe:2.3:a:sun:jdk::update_22::::::*
	cpe:2.3:a:sun:jdk:1.1.0:::::::*
	cpe:2.3:a:sun:jdk:1.1.6:::::::*
	cpe:2.3:a:sun:jdk:1.1.6:update7::::::
	cpe:2.3:a:sun:jdk:1.1.7b:::::::*
	cpe:2.3:a:sun:jdk:1.1.7b:update5::::::
	cpe:2.3:a:sun:jdk:1.1.8:update10::::::
	cpe:2.3:a:sun:jdk:1.1.8:update13::::::
	cpe:2.3:a:sun:jdk:1.1.8:update14::::::
	cpe:2.3:a:sun:jdk:1.1.8:update2::::::
	cpe:2.3:a:sun:jdk:1.1.8:update7::::::
	cpe:2.3:a:sun:jdk:1.1.8:update8::::::
	cpe:2.3:a:sun:jdk:1.2.0:::::::*
	cpe:2.3:a:sun:jdk:1.2.1:::::::*
	cpe:2.3:a:sun:jdk:1.2.1:update3::::::
	cpe:2.3:a:sun:jdk:1.2.2:update4::::::
	cpe:2.3:a:sun:jdk:1.2.2:update5::::::
	cpe:2.3:a:sun:jdk:1.3.0:::::::*
	cpe:2.3:a:sun:jdk:1.3.0_01:::::::*
	cpe:2.3:a:sun:jdk:1.3.0_02:::::::*
	cpe:2.3:a:sun:jdk:1.3.0_03:::::::*
	cpe:2.3:a:sun:jdk:1.3.0_04:::::::*
	cpe:2.3:a:sun:jdk:1.3.0_05:::::::*
	cpe:2.3:a:sun:jdk:1.3.1:::::::*
	cpe:2.3:a:sun:jdk:1.3.1:update19::::::
	cpe:2.3:a:sun:jdk:1.3.1:update20::::::
	cpe:2.3:a:sun:jdk:1.3.1_01:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_01a:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_02:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_03:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_04:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_05:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_06:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_07:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_08:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_09:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_10:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_11:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_12:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_13:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_14:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_15:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_16:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_17:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_18:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_19:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_20:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_21:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_22:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_23:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_24:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_25:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_26:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_27:::::::*
	cpe:2.3:a:sun:jdk:1.3.1_28:::::::*
	cpe:2.3:a:sun:jdk:1.4.0:::::::*
	cpe:2.3:a:sun:jdk:1.4.0_01:::::::*
	cpe:2.3:a:sun:jdk:1.4.0_02:::::::*
	cpe:2.3:a:sun:jdk:1.4.0_03:::::::*
	cpe:2.3:a:sun:jdk:1.4.0_04:::::::*
	cpe:2.3:a:sun:jdk:1.4.1:::::::*
	cpe:2.3:a:sun:jdk:1.4.1_01:::::::*
	cpe:2.3:a:sun:jdk:1.4.1_02:::::::*
	cpe:2.3:a:sun:jdk:1.4.1_03:::::::*
cpe:2.3:a:sun:jdk:1.4.1_04:::::::*
cpe:2.3:a:sun:jdk:1.4.1_05:::::::*
cpe:2.3:a:sun:jdk:1.4.1_06:::::::*
cpe:2.3:a:sun:jdk:1.4.1_07:::::::*
cpe:2.3:a:sun:jdk:1.4.2:::::::*
cpe:2.3:a:sun:jdk:1.4.2_1:::::::*
cpe:2.3:a:sun:jdk:1.4.2_2:::::::*
cpe:2.3:a:sun:jdk:1.4.2_3:::::::*
cpe:2.3:a:sun:jdk:1.4.2_4:::::::*
cpe:2.3:a:sun:jdk:1.4.2_5:::::::*
cpe:2.3:a:sun:jdk:1.4.2_6:::::::*
cpe:2.3:a:sun:jdk:1.4.2_7:::::::*
cpe:2.3:a:sun:jdk:1.4.2_8:::::::*
cpe:2.3:a:sun:jdk:1.4.2_9:::::::*
cpe:2.3:a:sun:jdk:1.4.2_10:::::::*
cpe:2.3:a:sun:jdk:1.4.2_11:::::::*
cpe:2.3:a:sun:jdk:1.4.2_12:::::::*
cpe:2.3:a:sun:jdk:1.4.2_13:::::::*
cpe:2.3:a:sun:jdk:1.4.2_14:::::::*
cpe:2.3:a:sun:jdk:1.4.2_15:::::::*
cpe:2.3:a:sun:jdk:1.4.2_16:::::::*
cpe:2.3:a:sun:jdk:1.4.2_17:::::::*
cpe:2.3:a:sun:jdk:1.4.2_18:::::::*
cpe:2.3:a:sun:jdk:1.4.2_19:::::::*
cpe:2.3:a:sun:jdk:1.5.0:::::::*
cpe:2.3:a:sun:jdk:1.5.0:update_1::::::
cpe:2.3:a:sun:jdk:1.5.0:update_10::::::
cpe:2.3:a:sun:jdk:1.5.0:update_11::::::
cpe:2.3:a:sun:jdk:1.5.0:update_12::::::
cpe:2.3:a:sun:jdk:1.5.0:update_13::::::
cpe:2.3:a:sun:jdk:1.5.0:update_14::::::
cpe:2.3:a:sun:jdk:1.5.0:update_15::::::
cpe:2.3:a:sun:jdk:1.5.0:update_16::::::
cpe:2.3:a:sun:jdk:1.5.0:update_17::::::
cpe:2.3:a:sun:jdk:1.5.0:update_18::::::
cpe:2.3:a:sun:jdk:1.5.0:update_19::::::
cpe:2.3:a:sun:jdk:1.5.0:update_2::::::
cpe:2.3:a:sun:jdk:1.5.0:update_20::::::
cpe:2.3:a:sun:jdk:1.5.0:update_21::::::
cpe:2.3:a:sun:jdk:1.5.0:update_3::::::
cpe:2.3:a:sun:jdk:1.5.0:update_4::::::
cpe:2.3:a:sun:jdk:1.5.0:update_5::::::
cpe:2.3:a:sun:jdk:1.5.0:update_6::::::
cpe:2.3:a:sun:jdk:1.5.0:update_7::::::
cpe:2.3:a:sun:jdk:1.5.0:update_8::::::
cpe:2.3:a:sun:jdk:1.5.0:update_9::::::
cpe:2.3:a:sun:jdk:1.5.0:update1::::::
cpe:2.3:a:sun:jdk:1.5.0:update10::::::
cpe:2.3:a:sun:jdk:1.5.0:update11::::::
cpe:2.3:a:sun:jdk:1.5.0:update11_b03::::::
cpe:2.3:a:sun:jdk:1.5.0:update12::::::
cpe:2.3:a:sun:jdk:1.5.0:update13::::::
cpe:2.3:a:sun:jdk:1.5.0:update14::::::
cpe:2.3:a:sun:jdk:1.5.0:update15::::::
cpe:2.3:a:sun:jdk:1.5.0:update16::::::
cpe:2.3:a:sun:jdk:1.5.0:update17::::::
cpe:2.3:a:sun:jdk:1.5.0:update18::::::
cpe:2.3:a:sun:jdk:1.5.0:update19::::::
cpe:2.3:a:sun:jdk:1.5.0:update2::::::
cpe:2.3:a:sun:jdk:1.5.0:update20::::::
cpe:2.3:a:sun:jdk:1.5.0:update21::::::
cpe:2.3:a:sun:jdk:1.5.0:update22::::::
cpe:2.3:a:sun:jdk:1.5.0:update23::::::
cpe:2.3:a:sun:jdk:1.5.0:update24::::::
cpe:2.3:a:sun:jdk:1.5.0:update25::::::
cpe:2.3:a:sun:jdk:1.5.0:update3::::::
cpe:2.3:a:sun:jdk:1.5.0:update4::::::
cpe:2.3:a:sun:jdk:1.5.0:update5::::::
cpe:2.3:a:sun:jdk:1.5.0:update6::::::
cpe:2.3:a:sun:jdk:1.5.0:update7::::::
cpe:2.3:a:sun:jdk:1.5.0:update7_b03::::::
cpe:2.3:a:sun:jdk:1.5.0:update8::::::
cpe:2.3:a:sun:jdk:1.5.0:update9::::::
cpe:2.3:a:sun:jdk:1.5.0_03::solaris:::::
cpe:2.3:a:sun:jdk:1.5.0_03::windows:::::

OR	cpe:2.3:a:springsource:dm_server:1.0.0:::::::*
	cpe:2.3:a:springsource:dm_server:1.0.1:::::::*
	cpe:2.3:a:springsource:dm_server:1.0.2:::::::*
	cpe:2.3:a:springsource:spring_framework:1.1.0:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0:m1::::::
	cpe:2.3:a:springsource:spring_framework:2.0:m2::::::
	cpe:2.3:a:springsource:spring_framework:2.0:m3::::::
	cpe:2.3:a:springsource:spring_framework:2.0:m4::::::
	cpe:2.3:a:springsource:spring_framework:2.0:m5::::::
	cpe:2.3:a:springsource:spring_framework:2.0:rc1::::::
	cpe:2.3:a:springsource:spring_framework:2.0:rc2::::::
	cpe:2.3:a:springsource:spring_framework:2.0:rc3::::::
	cpe:2.3:a:springsource:spring_framework:2.0:rc4::::::
	cpe:2.3:a:springsource:spring_framework:2.0.1:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0.2:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0.3:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0.4:::::::*
	cpe:2.3:a:springsource:spring_framework:2.0.5:::::::*
	cpe:2.3:a:springsource:spring_framework:2.1:m1::::::
	cpe:2.3:a:springsource:spring_framework:2.1:m2::::::
	cpe:2.3:a:springsource:spring_framework:2.1:m3::::::
	cpe:2.3:a:springsource:spring_framework:2.1:m4::::::
	cpe:2.3:a:springsource:spring_framework:2.5.0:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.0:rc1::::::
	cpe:2.3:a:springsource:spring_framework:2.5.0:rc2::::::
	cpe:2.3:a:springsource:spring_framework:2.5.1:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.2:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.3:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.4:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.5:::::::*
	cpe:2.3:a:springsource:spring_framework:2.5.6:::::::*
	cpe:2.3:a:springsource:spring_framework:3.0.0:m1::::::
	cpe:2.3:a:springsource:spring_framework:3.0.0:m2::::::

No data.

References

Link	Providers
http://secunia.com/advisories/34892
http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
http://www.securityfocus.com/archive/1/502926/100/0/threaded
http://www.springsource.com/securityadvisory
https://bugzilla.redhat.com/show_bug.cgi?id=497161
https://exchange.xforce.ibmcloud.com/vulnerabilities/50083
https://nvd.nist.gov/vuln/detail/CVE-2009-1190
https://www.cve.org/CVERecord?id=CVE-2009-1190

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-04-27T22:00:00

Updated: 2024-08-07T05:04:49.369Z

Reserved: 2009-03-31T00:00:00

Link: CVE-2009-1190

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-04-27T22:30:00.267

Modified: 2024-11-21T01:01:52.667

Link: CVE-2009-1190

Redhat

Severity : Moderate

Publid Date: 2009-04-22T00:00:00Z

Links: CVE-2009-1190 - Bugzilla

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object