
CERT-In Advisory CIAD-2008-64
Multiple vulnerabilities in Sun Java Development Kit and Java Runtime Environment

Original issue date: December 11, 2008

Severity Rating: High

Systems Affected

  • Java Web Start 1.x
  • Java Web Start 5.x
  • Java Web Start 6.x
  • Sun Java JDK 1.5.x
  • Sun Java JDK 1.6.x
  • Sun Java JRE 1.3.x
  • Sun Java JRE 1.4.x
  • Sun Java JRE 1.5.x / 5.x
  • Sun Java JRE 1.6.x / 6.x
  • Sun Java SDK 1.3.x
  • Sun Java SDK 1.4.x

Overview

Multiple vulnerabilities have been reported in the Sun Java Development Kit, Java Web Start and Java Runtime Environment which can be exploited by remote attackers to bypass certain security restrictions, disclose system and potentially sensitive information, gain unauthorized system access, cause denial of service conditions and compromise a vulnerable system.

Description

1. Java Web Start File Inclusion via System Properties Override Vulnerability (CVE-2008-2086)

Java Web Start (JWS) applications are launched through specially formatted XML files hosted on web sites with a "jnlp" file extension. This issue is caused by an error in how properties specified in JNLP files are interpreted. A remote attacker could exploit this vulnerability with specially crafted JNLP files to modify system properties such as java.home, java.ext.dirs and user.home. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.

JRE version 1.6.0_05 on Windows is not vulnerable.
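
The following scanner is an added example for this advisory, not CERT-In's or Sun's code. It parses a JNLP file and reports any <property> element that tries to set one of the JVM-owned system properties named above, which is the kind of file an administrator or mail/web gateway would want to flag. The three property names come from the advisory; the other entries in JVM_OWNED_PROPERTIES, the jnlp./javaws. namespace rule, and both JNLP documents are assumptions and constructed samples for this example.

```python
"""Flag JNLP files that try to override JVM-owned system properties.

Added example for this advisory, not CERT-In's or Sun's code.  The three
property names from the advisory (java.home, java.ext.dirs, user.home) are
checked; the remaining names in JVM_OWNED_PROPERTIES and the jnlp./javaws.
namespace rule are assumptions for this example.  Both JNLP documents below
are constructed samples.
"""
import xml.etree.ElementTree as ET

# Properties that control where the JRE loads code and extensions from, or
# where it looks for the user's files.  A JNLP file has no business setting them.
JVM_OWNED_PROPERTIES = {
    "java.home", "java.ext.dirs", "user.home",           # named in the advisory
    "java.class.path", "java.library.path", "user.dir",  # assumed additions
}

# Assumption: untrusted JNLP content may only define application properties
# in its own namespace; anything else is reported as escaping that namespace.
ALLOWED_PREFIXES = ("jnlp.", "javaws.")

# Constructed sample: a well-behaved JNLP file.
BENIGN_JNLP = """<jnlp spec="1.0+" codebase="http://example.invalid/app" href="app.jnlp">
  <information><title>Demo</title><vendor>Example</vendor></information>
  <resources>
    <j2se version="1.6+"/>
    <jar href="app.jar"/>
    <property name="jnlp.demo.mode" value="standalone"/>
  </resources>
  <application-desc main-class="demo.Main"/>
</jnlp>"""

# Constructed sample: the same document with <property> elements that try to
# redirect where the JRE itself lives.  The values are placeholders.
SUSPECT_JNLP = BENIGN_JNLP.replace(
    '<property name="jnlp.demo.mode" value="standalone"/>',
    '<property name="java.home" value="/placeholder/path"/>\n'
    '    <property name="java.ext.dirs" value="/placeholder/path/ext"/>\n'
    '    <property name="jnlp.demo.mode" value="standalone"/>',
)


def jnlp_properties(jnlp_xml: str) -> list:
    """Every (name, value) pair from <property> elements anywhere in the document."""
    root = ET.fromstring(jnlp_xml)
    return [(p.get("name", ""), p.get("value", "")) for p in root.iter("property")]


def suspicious_properties(jnlp_xml: str) -> dict:
    """Map each flagged property name to the reason it was flagged."""
    flagged = {}
    for name, _value in jnlp_properties(jnlp_xml):
        if name in JVM_OWNED_PROPERTIES:
            flagged[name] = "overrides a JVM-owned system property"
        elif not name.startswith(ALLOWED_PREFIXES):
            flagged[name] = "outside the jnlp./javaws. namespace"
    return flagged


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_JNLP), ("suspect", SUSPECT_JNLP)):
        print(label, suspicious_properties(doc) or "no findings")
```

The check is deliberately on property names rather than values: a JNLP file that sets java.home or java.ext.dirs at all is the finding, whatever path it points to.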

2. Sun Java JRE JAX-WS and JAXB Packages Privilege Escalation Vulnerability (CVE-2008-5347)

This issue is caused by multiple errors in the JAX-WS and JAXB JRE packages, which could allow remote attackers to gain privileges via vectors related to access to inner classes in those packages. An attacker could exploit this vulnerability through an untrusted applet, which may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the applet.

3. Sun Java JRE Kerberos Authentication Denial of Service Vulnerability (CVE-2008-5348)

This vulnerability is caused by an error in the JRE Kerberos authentication mechanism, which could allow remote attackers to cause a denial of service (OS resource consumption) via unknown vectors.

SDK and JRE 1.3.1 are not affected by this issue.

4. Sun Java JRE RSA Public Keys Processing Denial of Service Vulnerability (CVE-2008-5349)

This vulnerability is caused by an error when processing RSA public keys in the Sun Java Runtime Environment (JRE). A remote attacker could exploit this vulnerability with specially crafted RSA public keys that consume large amounts of CPU. Successful exploitation of this vulnerability could allow a remote attacker to cause denial of service (CPU consumption) conditions.

SDK and JRE 1.4.x and 1.3.x are not affected by this issue.

5. Sun Java JRE Current User's Home Directory Listing Vulnerability (CVE-2008-5350)

This vulnerability is caused by an unspecified error in the Java Runtime Environment that affects what an untrusted applet or application is allowed to do. A remote attacker could exploit it, by loading an untrusted applet or application, to list the contents of the current user's home directory.

SDK and JRE 1.3.1 are not affected by this issue.

6. Sun Java JRE UTF-8 Decoder Multiple Representations of UTF-8 Input Vulnerability (CVE-2008-5351)

The UTF-8 (Unicode Transformation Format-8) decoder in the Java Runtime Environment (JRE) accepts encodings that are longer than the "shortest" form. A remote attacker could exploit this vulnerability by tricking applications that use the UTF-8 decoder into accepting invalid sequences via specially crafted URIs. Successful exploitation of this vulnerability could allow a remote attacker to disclose sensitive information.
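
The decoder below is an added example, not code from the advisory or from Sun. It shows the "shortest form" check that a UTF-8 decoder must perform before accepting a multi-byte sequence (the check this vulnerability is about), classifies input as ok, overlong or otherwise invalid, and applies the same check to a percent-encoded URI path, the vector the advisory names. It also confirms that Python's own strict codec rejects the same inputs. All sample byte strings and paths are constructed for this demonstration.

```python
"""Strict UTF-8 decoding that rejects overlong ("non-shortest form") sequences.

Added example, not code from the advisory or from Sun.  Sample inputs are
constructed for this demonstration.
"""
from urllib.parse import unquote_to_bytes


class OverlongError(ValueError):
    """A sequence that encodes a code point in more bytes than the shortest form."""


# Smallest code point each sequence length is allowed to encode.  Anything
# below the minimum for its length is an overlong encoding and must be rejected.
_MIN_BY_LENGTH = {2: 0x80, 3: 0x800, 4: 0x10000}


def decode_utf8_strict(data: bytes) -> str:
    out = []
    i, n = 0, len(data)
    while i < n:
        lead = data[i]
        if lead < 0x80:                      # single-byte ASCII
            out.append(chr(lead))
            i += 1
            continue
        if 0xC0 <= lead <= 0xDF:
            length, cp = 2, lead & 0x1F
        elif 0xE0 <= lead <= 0xEF:
            length, cp = 3, lead & 0x0F
        elif 0xF0 <= lead <= 0xF7:
            length, cp = 4, lead & 0x07
        else:
            raise ValueError(f"invalid lead byte 0x{lead:02X} at offset {i}")
        if i + length > n:
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, length):
            cont = data[i + k]
            if cont & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{cont:02X} at offset {i + k}")
            cp = (cp << 6) | (cont & 0x3F)
        # The shortest-form check: a 2-byte sequence must encode at least U+0080,
        # a 3-byte one at least U+0800, a 4-byte one at least U+10000.
        if cp < _MIN_BY_LENGTH[length]:
            raise OverlongError(f"overlong {length}-byte encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"code point U+{cp:04X} is not a valid scalar value")
        out.append(chr(cp))
        i += length
    return "".join(out)


def classify(data: bytes) -> str:
    """'ok', 'overlong' or 'invalid' for a byte string."""
    try:
        decode_utf8_strict(data)
    except OverlongError:
        return "overlong"
    except ValueError:
        return "invalid"
    return "ok"


def classify_uri_path(path: str) -> str:
    """Percent-decode a URI path to bytes, then classify those bytes the same way."""
    return classify(unquote_to_bytes(path))


def decode_uri_path(path: str) -> str:
    """Percent-decode a URI path and decode it strictly; raises on overlong input."""
    return decode_utf8_strict(unquote_to_bytes(path))


def stdlib_rejects(data: bytes) -> bool:
    """True if Python's own (strict) UTF-8 codec also refuses the input."""
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: valid text, then 2-, 3- and 4-byte overlong forms of U+002F.
    for sample in (b"caf\xc3\xa9", b"\xc0\xaf", b"\xe0\x80\xaf", b"\xf0\x80\x80\xaf"):
        print(sample, classify(sample), "stdlib rejects:", stdlib_rejects(sample))
```

The important design point is that the overlong check happens before the decoded code point is handed to anything that compares it against a filter: a decoder that quietly maps the overlong bytes to the same character as the short form lets two different byte strings mean the same thing, which is exactly what a filter applied to the raw bytes cannot see.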

7. Sun Java JRE Pack200 Decompression Integer Overflow Vulnerability (CVE-2008-5352)

Pack200 is a compression method introduced by Sun in the Java Runtime Environment. This vulnerability occurs due to an improper bounds check when reading a Pack200-compressed JAR file during decompression. A remote attacker could exploit this vulnerability via a specially crafted Pack200-compressed JAR file to trigger a heap-based buffer overflow. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code in the context of the currently logged-on user.

JDK and JRE 1.4.2 and 1.3.1 are not affected.

8. Sun Java JRE Deserializing Calendar Objects Privilege Escalation Vulnerability (CVE-2008-5353)

This vulnerability is caused by an error in deserializing calendar objects in the Java Runtime Environment (JRE). A remote attacker could exploit this vulnerability via a specially crafted untrusted applet or application to escalate the privileges of the user running the applet. Successful exploitation of this vulnerability could allow a remote attacker to read and write local files or execute local applications.

SDK and JRE 1.3.1 are not affected.

9. Sun Java JRE Stack-based Buffer Overflow Vulnerability (CVE-2008-5354)

This vulnerability is caused by a boundary error when processing the "Main-Class" manifest entry of a JAR file in the Sun Java Runtime Environment. A remote attacker could exploit this vulnerability with a specially crafted JAR file containing a long Main-Class manifest entry to trigger a stack-based buffer overflow condition. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.

SDK and JRE 1.3.1 are not affected.
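
A triage check for this issue is an added example, not code from the advisory or from Sun. It reads META-INF/MANIFEST.MF from a JAR and reports the length of the Main-Class entry. The point it demonstrates is that manifest values are folded across lines (a continuation line begins with a single space), so a naive line-by-line search would under-report the length of a long entry; the parser unfolds them first. The manifest layout used follows the JAR file specification; the length threshold, the in-memory sample JARs and the folding helper are assumptions and constructed samples for this example.

```python
"""Report the unfolded length of a JAR manifest's Main-Class entry.

Added example, not code from the advisory or from Sun.  The threshold below is
an assumed triage value, not a number from the advisory; the JARs are built in
memory as constructed samples.
"""
import io
import zipfile

MAX_MAIN_CLASS_LEN = 512  # assumed triage threshold


def parse_manifest(text: str) -> dict:
    """Parse the main section of a manifest, unfolding continuation lines."""
    attrs = {}
    last_key = None
    for raw in text.splitlines():
        if raw == "":
            break                      # a blank line ends the main section
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]  # continuation: append the rest of the line
            continue
        if ":" not in raw:
            continue                   # malformed line; ignore for triage purposes
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def build_jar(main_class: str) -> bytes:
    """Constructed sample: a minimal JAR whose manifest names main_class.

    The Main-Class line is folded at 70 bytes with space-prefixed continuation
    lines, as the JAR specification requires for long values.
    """
    line = f"Main-Class: {main_class}"
    folded = [line[:70]] + [" " + line[i:i + 69] for i in range(70, len(line), 69)]
    manifest = "Manifest-Version: 1.0\r\n" + "\r\n".join(folded) + "\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


def main_class_length(jar_bytes: bytes) -> int:
    """Length of the unfolded Main-Class value, or 0 if the manifest has none."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    return len(parse_manifest(text).get("Main-Class", ""))


def is_suspicious(jar_bytes: bytes) -> bool:
    """True when the Main-Class entry is longer than any real class name would be."""
    return main_class_length(jar_bytes) > MAX_MAIN_CLASS_LEN


if __name__ == "__main__":
    for label, name in (("normal", "demo.Main"), ("oversized", "A" * 2000)):
        jar = build_jar(name)
        print(label, main_class_length(jar), is_suspicious(jar))
```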

10. Sun Java JRE TrueType Font Parsing Heap Overflow Vulnerability (CVE-2008-5356)

This vulnerability is caused by a boundary checking error when processing TrueType font files in the Java Runtime Environment. A remote attacker could exploit this vulnerability with a specially crafted TrueType font file to trigger a heap-based buffer overflow condition. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the current user.

SDK and JRE 1.3.x are not affected.

11. Sun Java JRE TrueType Font Parsing Integer Overflow Vulnerability (CVE-2008-5357)

This vulnerability is caused by an integer overflow error when processing various structures in TrueType font files in the Java Runtime Environment. A remote attacker could exploit this vulnerability with a specially crafted TrueType font file to trigger a heap-based buffer overflow condition. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the current user.

SDK and JRE 1.3.x and 1.4.x are not affected.

12. Sun Java Web Start GIF Decoding Memory Corruption Vulnerability (CVE-2008-5358)

Java Web Start (JWS) is a framework built by Sun that is used to run Java applications outside of the browser. This vulnerability is caused by improper validation of several values in the GIF header when Java Web Start parses a GIF file. A remote attacker could exploit this vulnerability via a specially crafted splash logo to trigger memory corruption during display of the splash screen, possibly related to splashscreen.dll. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the current user.

SDK and JRE 5.0, 1.4.x, and 1.3.x are not affected.

13. Sun Java JRE "image processing code" Buffer Overflow Vulnerability (CVE-2008-5359)

This vulnerability is caused by an unspecified error in "image processing code" in the Java AWT library when processing image models. A remote attacker could exploit this vulnerability via a specially crafted "Raster" image model used in a "ConvolveOp" operation to trigger a heap-based buffer overflow condition. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.

SDK and JRE 5.0, 1.4.x, and 1.3.x are not affected.

14. JRE Temporary Files Security Restriction Bypass Vulnerability (CVE-2008-5360)

This vulnerability is caused by an error in creating temporary files with insufficiently random names in the Java Runtime Environment (JRE). A remote attacker could exploit this vulnerability via unknown vectors to write malicious JAR files and perform restricted actions, such as stealing cookies, on the affected system.
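
The following is an added example, not code from the advisory or from Sun, showing the two properties a temporary-file routine needs so that a predictable-name weakness of this kind does not arise: a name an attacker cannot guess in advance, and exclusive (O_EXCL) creation so that a file already sitting at that name is never silently reused. The "jarN.tmp" naming pattern is a constructed illustration of the weak kind, not Sun's actual scheme, and the scratch directory and its checks are constructed for this example.

```python
"""Temporary files with unpredictable names and exclusive creation.

Added example, not code from the advisory or from Sun.  The weak naming
pattern shown is constructed for illustration, not Sun's scheme.
"""
import os
import secrets
import stat
import tempfile

# O_EXCL makes creation fail if the name already exists, instead of opening
# (and later writing into) a file somebody else put there first.
_CREATE_FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL


def predictable_temp_name(directory: str, counter: int) -> str:
    """Constructed example of a guessable scheme: fixed prefix plus a counter."""
    return os.path.join(directory, f"jar{counter}.tmp")


def create_private_temp(directory: str, suffix: str = ".jar") -> str:
    """Create an empty file with a 128-bit random name, owner-only mode and O_EXCL."""
    for _ in range(100):
        name = os.path.join(directory, secrets.token_hex(16) + suffix)
        try:
            fd = os.open(name, _CREATE_FLAGS, 0o600)
        except FileExistsError:
            continue  # vanishingly unlikely with 128 random bits; pick another name
        os.close(fd)
        return name
    raise RuntimeError("could not create a unique temporary file")


def exclusive_create_refuses_existing(path: str) -> bool:
    """True if O_EXCL creation of `path` fails because the file already exists."""
    try:
        fd = os.open(path, _CREATE_FLAGS, 0o600)
    except FileExistsError:
        return True
    os.close(fd)
    return False


def demo() -> dict:
    """Exercise both properties in a scratch directory and report the results."""
    directory = tempfile.mkdtemp()
    try:
        first = create_private_temp(directory)
        second = create_private_temp(directory)
        results = {
            "names_differ": first != second,
            "first_exists": os.path.exists(first),
            "exclusive_refused": exclusive_create_refuses_existing(first),
            "owner_only_mode": stat.S_IMODE(os.stat(first).st_mode) == 0o600,
            # The weak scheme yields the same name for the same counter every run.
            "predictable_repeats": (predictable_temp_name(directory, 1)
                                    == predictable_temp_name(directory, 1)),
        }
    finally:
        for entry in os.listdir(directory):
            os.remove(os.path.join(directory, entry))
        os.rmdir(directory)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Randomness alone is not enough: without O_EXCL the routine would happily open a file that already exists at the chosen name, which is why the example checks both properties rather than only the name.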

Solutions

Update to a fixed version.

JDK and JRE 6 Update 11:
http://java.sun.com/javase/downloads/index.jsp

JDK and JRE 5.0 Update 17:
http://java.sun.com/javase/downloads/index_jdk5.jsp

SDK and JRE 1.4.2_19:
http://java.sun.com/j2se/1.4.2/download.html

SDK and JRE 1.3.1_24:
http://java.sun.com/j2se/1.3/download.html

Vendor Information

Sun Microsystems
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244986-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244989-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244990-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244992-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-245246-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246266-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246286-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246346-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246366-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246386-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246387-1


References

Secunia
http://secunia.com/advisories/32991/

ZDI
http://www.zerodayinitiative.com/advisories/ZDI-08-080
http://www.zerodayinitiative.com/advisories/ZDI-08-081

iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=757
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=758
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=759
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=760


SecurityFocus
http://www.securityfocus.com/bid/32608

RedHat
http://rhn.redhat.com/errata/RHSA-2008-1018.html
http://rhn.redhat.com/errata/RHSA-2008-1025.html

Virtual Security Research
http://www.vsecurity.com/bulletins/advisories/2008/JWS-props.txt


CVE Names
CVE-2008-2086
CVE-2008-5347
CVE-2008-5348
CVE-2008-5349
CVE-2008-5350
CVE-2008-5351
CVE-2008-5352
CVE-2008-5353
CVE-2008-5354
CVE-2008-5356
CVE-2008-5357
CVE-2008-5358
CVE-2008-5359
CVE-2008-5360

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003