>> Sun Java Multiple Code Execution and Security Bypass Vulnerabilities

Title : Sun Java Multiple Code Execution and Security Bypass Vulnerabilities
VUPEN ID : VUPEN/ADV-2008-3339
CVE ID : CVE-2008-5339 - CVE-2008-5340 - CVE-2008-5341 - CVE-2008-5342 - CVE-2008-5343 - CVE-2008-5344 - CVE-2008-5345 - CVE-2008-5346 - CVE-2008-5347 - CVE-2008-5349 - CVE-2008-5350 - CVE-2008-5351 - CVE-2008-5352 - CVE-2008-5353 - CVE-2008-5354 - CVE-2008-5355 - CVE-2008-5356 - CVE-2008-5357 - CVE-2008-5358 - CVE-2008-5359 - CVE-2008-5360
CWE ID : CWE-119 - CWE-200 - CWE-264 - CWE-378 - CWE-399
Rated as : Critical 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2008-12-04



Technical Description

Multiple vulnerabilities have been identified in Sun Java, which could be exploited by attackers or malicious users to bypass security restrictions, disclose sensitive information, cause a denial of service, or take complete control of an affected system.

The first issue is caused by the JRE creating temporary files with insufficiently random names, which could allow malicious users to cause malicious JAR files to be loaded as untrusted applets and Java Web Start applications to access and provide services from localhost and hence steal cookies.

The second vulnerability is caused by buffer overflow errors in JRE when processing fonts or GIF images, which could allow attackers to execute arbitrary code via an untrusted applet or Java Web Start application.

The third issue is caused by an unspecified error in Java Runtime Environment (JRE), which may allow an untrusted Java Web Start application to make network connections to hosts other than the host that the application is downloaded from.

The fourth vulnerability is caused by an error in JRE when launching Java Web Start applications, which may allow an untrusted Java Web Start application to escalate privileges.

The fifth issue is caused by an unspecified error in JRE, which could allow certain trusted operations to be performed, such as modifying system properties.

The sixth vulnerability is caused by an unspecified error in JRE, which could allow an untrusted Java Web Start application to determine the location of the Java Web Start cache and the username of the user running the Java Web Start application.

The seventh issue is caused by an unspecified error in Java Web Start and Java Plug-in, which may allow hidden code on a host to make network connections to that host and to hijack HTTP sessions using cookies stored in the browser.

The eighth vulnerability is caused by an error with applet classloading in JRE, which may allow an untrusted applet to read arbitrary files on a system that the applet runs on and make network connections to hosts other than the host it was loaded from.

The ninth issue is caused by an error in the Java Web Start BasicService, which could allow untrusted applications that are downloaded from another system to request local files to be displayed by the browser of the user running the untrusted application.

The tenth vulnerability is caused by an error in the JRE Java Update mechanism that does not check the digital signature of the JRE that it downloads, which may allow a malicious file to be downloaded and installed if the DNS information that the JRE uses when checking for updates is compromised.

The eleventh issue is caused by an unspecified buffer overflow error in Java Runtime Environment (JRE), which may allow an untrusted Java application that is launched through the command line to escalate privileges.

The twelfth vulnerability is caused by an error in JRE related to deserializing calendar objects, which may allow an untrusted applet or application to escalate privileges.

The thirteenth issue is caused by a buffer overflow vulnerability in JRE when unpacking applets and Java Web Start applications using the "unpack200" JAR unpacking utility, which may allow an untrusted applet or application to escalate privileges.

The fourteenth weakness is caused by the UTF-8 (Unicode Transformation Format-8) decoder in JRE accepting encodings that are longer than the "shortest" form, which may be leveraged to exploit systems running software that relies on the JRE UTF-8 decoder to reject non-shortest form sequences.

The fifteenth issue is caused by an unspecified error in JRE, which may allow an untrusted applet or application to list the contents of the home directory of the user running the applet or application.

The sixteenth vulnerability is caused by an error in the way JRE handles certain RSA public keys, which may cause the JRE to consume an excessive amount of CPU resources, leading to a denial of service condition.

The seventeenth issue is caused by an error in JRE when authenticating users through Kerberos, which may lead to an excessive consumption of operating system resources.

The eighteenth vulnerability is caused by errors in the JAX-WS and JAXB packages in JRE where internal classes can be accessed, which may allow an untrusted applet or application to escalate privileges.

The nineteenth issue is caused by an error in JRE when parsing zip files, which may allow an untrusted applet or application to read arbitrary memory locations in the process that the applet or application is running in.

The twentieth vulnerability is caused by an error in JRE, which could allow code loaded from the local filesystem to access localhost and steal cookies or hijack sessions (for domains that map a name to the localhost).
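
The fourteenth weakness (non-shortest form UTF-8) illustrated as an added example, not code from the JRE or from this advisory: a decoder that checks only the bit layout turns the two-byte sequence C0 AF into "/", while a strict decoder rejects it. The function names and the sample input are constructed for illustration.

```python
# Added example: constructed decoders for illustration, not JRE code.
# Smallest code point that legitimately needs a sequence of each length.
MIN_FOR_LENGTH = {1: 0x00, 2: 0x80, 3: 0x800, 4: 0x10000}

# Constructed input: "/" (U+002F) written as the two-byte overlong form C0 AF.
OVERLONG_SLASH = b"a\xc0\xafb"


def sequence_length(lead):
    """Length announced by a lead byte, or 0 if it cannot start a sequence."""
    if lead < 0x80:
        return 1
    if 0xC0 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF7:
        return 4
    return 0


def decode_utf8(data, strict=True):
    """Decode UTF-8 bytes; strict=False checks bit layout only (the lax behaviour)."""
    out, i = [], 0
    while i < len(data):
        n = sequence_length(data[i])
        if n == 0 or i + n > len(data):
            raise ValueError(f"bad lead byte or truncated sequence at offset {i}")
        cp = data[i] if n == 1 else data[i] & (0xFF >> (n + 1))
        for b in data[i + 1:i + n]:
            if b & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte after offset {i}")
            cp = (cp << 6) | (b & 0x3F)
        if strict and cp < MIN_FOR_LENGTH[n]:
            raise ValueError(f"non-shortest form of U+{cp:04X} at offset {i}")
        if strict and (0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF):
            raise ValueError(f"invalid code point U+{cp:04X} at offset {i}")
        out.append(chr(cp))
        i += n
    return "".join(out)


if __name__ == "__main__":
    print(b"/" in OVERLONG_SLASH)                      # byte-level check sees no slash
    print(decode_utf8(OVERLONG_SLASH, strict=False))   # lax decoder yields one anyway
    try:
        decode_utf8(OVERLONG_SLASH)
    except ValueError as exc:
        print("strict decoder:", exc)
```

Software that filters input on raw bytes and then decodes should either decode strictly first or reject input for which the strict decoder raises.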

Affected Products

Sun JDK and JRE 6 Update 10 and prior
Sun JDK and JRE 5.0 Update 16 and prior
Sun SDK and JRE 1.4.2_18 and prior
Sun SDK and JRE 1.3.1_23 and prior

Solution

Upgrade to Sun JDK and JRE 6 Update 11 or later :
http://java.sun.com/javase/downloads/index.jsp

Upgrade to Sun JDK and JRE 5.0 Update 17 or later :
http://java.sun.com/javase/downloads/index_jdk5.jsp

Upgrade to Sun SDK and JRE 1.4.2_19 or later :
http://java.sun.com/j2se/1.4.2/download.html

Upgrade to Sun SDK and JRE 1.3.1_24 or later :
http://java.sun.com/j2se/1.3/download.html

Java SE for Business :
http://www.sun.com/software/javaseforbusiness/getit_download.jsp
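
A check of installed versions against the fixed releases listed in this section, as an added example that is not part of the advisory. It assumes the version banner printed by `java -version` (for example 1.6.0_10 for 6 Update 10); the host names and banners in the sample inventory are constructed.

```python
import re

# First fixed update per release family, from the Solution section above.
# Keys are the version strings the JRE reports (6 Update 11 -> 1.6.0_11).
FIRST_FIXED_UPDATE = {"1.6.0": 11, "1.5.0": 17, "1.4.2": 19, "1.3.1": 24}

VERSION_RE = re.compile(r'version "(\d+\.\d+\.\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Extract (family, update) from `java -version` output, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    # A release without an update suffix (e.g. 1.6.0) counts as update 0.
    return m.group(1), int(m.group(2) or 0)


def is_affected(banner):
    """True/False for families this advisory lists, None for anything else."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    fixed = FIRST_FIXED_UPDATE.get(family)
    if fixed is None:
        return None
    return update < fixed


def triage(banners):
    """Map host -> 'affected' / 'fixed' / 'not listed' for an inventory."""
    labels = {True: "affected", False: "fixed", None: "not listed"}
    return {host: labels[is_affected(b)] for host, b in banners.items()}


# Constructed inventory for illustration.
SAMPLE_INVENTORY = {
    "build01": 'java version "1.6.0_10"\n(build 1.6.0_10-b33)',
    "app02": 'java version "1.6.0_11"',
    "legacy03": 'java version "1.4.2_18"',
    "legacy04": 'java version "1.5.0_17"',
    "dev05": 'java version "1.7.0_80"',
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(host, status)
```

"not listed" means the release family does not appear in this advisory's affected list, not that the installation is free of other issues.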

References

http://www.vupen.com/english/advisories/2008/3339
http://blogs.sun.com/security/entry/advance_notification_of_security_updates3
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244986-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244989-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244990-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244992-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-245246-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246266-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246286-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246366-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246386-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246387-1
http://www.vsecurity.com/bulletins/advisories/2008/JWS-props.txt
http://www.ximido.de/research/advisories/SM_Java-BO_200811.txt

Credits

Vulnerabilities reported by the vendor, Zero Day Initiative, Sebastian Apelt, iDefense, Peter Csepely, Virtual Security Research (VSR), Billy Rios (Microsoft), Nate McFeters (Ernst and Young), John Heasman (NGSSoftware), Francisco Amato, Stefan Middendorf (Cirosec), Sami Koivu, regenrecht, Henri Torgemane, Sami Koivu, Jan Grant (Bristol University), Adam Gowdiak, and University of Oulu.

ChangeLog

2008-12-04 : Initial release

Copyright 2003-2009 © VUPEN.COM - Privacy Policy