CVE-2009-1190

Name of the Vulnerable Software and Affected Versions Sun Java Development Kit (JDK) versions prior to 1.6 SpringSource Spring Framework versions 1.1.0 through 2.5.6 and 3.0.0.M1 through 3.0.0.M2 dm Server versions 1.0.0 through 1.0.2

Description The issue allows remote attackers to cause a denial of service (CPU consumption) via serializable data with a long regex string containing multiple optional groups. This is related to an algorithmic complexity vulnerability in the java.util.regex.Pattern.compile method.

Recommendations For Sun Java Development Kit (JDK) versions prior to 1.6, update to version 1.6 or later. For SpringSource Spring Framework versions 1.1.0 through 2.5.6, update to a version outside of this range. For SpringSource Spring Framework versions 3.0.0.M1 through 3.0.0.M2, update to a version outside of this range. For dm Server versions 1.0.0 through 1.0.2, update to a version outside of this range. As a temporary workaround, consider restricting the use of the java.util.regex.Pattern.compile method to minimize the risk of exploitation.