CERT-In Advisory CIAD-2010-25
Multiple vulnerabilities in Oracle Java Development Kit and Java Runtime Environment
Original issue date:
March 31, 2010
Severity Rating: High
Systems Affected
- Sun Java JDK 1.5.x
- Sun Java JDK 1.6.x
- Sun Java JRE 1.4.x
- Sun Java JRE 1.5.x / 5.x
- Sun Java JRE 1.6.x / 6.x
- Sun Java SDK 1.4.x
Overview
Multiple vulnerabilities have been reported in Oracle Java Development Kit (JDK) and Java Runtime Environment (JRE). A remote attacker could exploit them to bypass security restrictions, manipulate data, disclose potentially sensitive information, execute arbitrary code, or cause a denial of service, and thereby compromise a vulnerable system.
Description
1. SSL and TLS protocols renegotiation vulnerability
(CVE-2009-3555)
The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are commonly used to provide authentication, confidentiality, and integrity to network applications such as HTTP, IMAP, POP3, and LDAP.
The vulnerability exists because the TLS and SSLv3 protocols do not cryptographically bind a renegotiation handshake to the connection on which it takes place. In the affected Java components, and in the Network Security Services (NSS) libraries bundled with Sun Java Enterprise System, a man-in-the-middle can open a connection to the server, send data of their choosing, and then splice in the victim's handshake as a renegotiation; the server treats the attacker's data and the victim's subsequent request as one continuous stream. This lets the attacker prepend chosen plaintext to HTTPS sessions, and possibly other sessions protected by TLS or SSL, without the client's knowledge.
Successful exploitation allows a man-in-the-middle attacker to inject chosen plaintext into a TLS-protected session. The attacker does not recover the session keys and cannot read the victim's data, but the injected prefix is processed by the server as if it came from the authenticated client.
Workarounds
The known exploitation path against web servers relies on the server triggering a renegotiation in the middle of a connection, typically to request a client certificate for a protected resource. In Sun Java System Web Server this can be avoided by requiring the client certificate during the initial connection handshake instead, by setting the client-auth element to 'required' in server.xml, as in the following:
<http-listener>
  <ssl>
    <client-auth>required</client-auth>
  </ssl>
</http-listener>
Note: This workaround applies only to Sun Java System Web Server 6.1 and 7.0, Sun Java System Web Proxy Server 4.0, Sun Java System Application Server Enterprise Edition 8.2, Sun GlassFish Enterprise Server v2.1, Sun Java System Directory Server 5.2, and Sun Java System Directory Server Enterprise Edition 6.0 to 6.4. JDK and JRE installations require the updates listed under Solution.
2. Oracle Java SE and Java for Business Remote Vulnerabilities
(CVE-2010-0082 , CVE-2010-0085 , CVE-2010-0087 , CVE-2010-0088 , CVE-2010-0092 , CVE-2010-0093 ,
CVE-2010-0094 , CVE-2010-0095 , CVE-2010-0837 , CVE-2010-0838 , CVE-2010-0839 , CVE-2010-0840 ,
CVE-2010-0841 , CVE-2010-0842 , CVE-2010-0843 , CVE-2010-0844 , CVE-2010-0845 , CVE-2010-0846 ,
CVE-2010-0847 , CVE-2010-0848 , CVE-2010-0849 , CVE-2010-0850)
These vulnerabilities are caused by unspecified errors in the HotSpot Server, Java Runtime Environment, ImageIO, Java 2D, Java Web Start, Java Plug-in, Pack200 and Sound components of Oracle Java SE and Java for Business. A remote attacker could exploit them via unknown vectors to affect confidentiality, integrity, and availability.
3. Oracle Java SE and Java for Business Remote Java Web Start Vulnerability (CVE-2010-0089)
This vulnerability is caused by an unspecified error in the Java Web Start and Java Plug-in components of Oracle Java SE and Java for Business. A remote attacker could exploit it via unknown vectors to affect availability.
4. Oracle Java SE and Java for Business Remote Java Runtime Environment Vulnerabilities
(CVE-2010-0084 , CVE-2010-0091)
These vulnerabilities are caused by unspecified errors in the Java Runtime Environment of Oracle Java SE and Java for Business. A remote attacker could exploit them via unknown vectors to affect confidentiality.
5. Oracle Java SE and Java for Business Remote Java Web Start Vulnerability (CVE-2010-0090)
This vulnerability is caused by an unspecified error in the Java Web Start and Java Plug-in components of Oracle Java SE and Java for Business. A remote attacker could exploit it via unknown vectors to affect integrity and availability.
Solution
Upgrade to Sun Java JDK and JRE 6 Update 19, JDK and JRE 5.0 Update 24, and JRE and SDK version 1.4.2_26:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
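When auditing a fleet, the decision "is this JVM at or above the fixed update level" has to be made per release family, since the fixed update numbers differ for 6, 5.0 and 1.4.2. The following Python is an added example written for this advisory, not CERT-In's or Oracle's code; it parses the banner printed by `java -version` (which the JDK writes to stderr) and compares the update number against the levels given in the Solution above. The banners used as samples are constructed, and a release family the advisory does not cover is reported as None rather than as patched.

```python
"""Decide whether a `java -version` banner is at or above the update level
fixed by CIAD-2010-25. Added example, not CERT-In's or Oracle's code."""
import re
import subprocess

# Minimum fixed update per release family, from the advisory's Solution section:
# JDK/JRE 6 Update 19, JDK/JRE 5.0 Update 24, JRE/SDK 1.4.2_26.
FIXED_UPDATE = {"1.6": 19, "1.5": 24, "1.4.2": 26}

# Matches the first line of `java -version`, e.g.  java version "1.6.0_18"
_BANNER = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (family, update) from a banner, e.g. '1.6.0_18' -> ('1.6', 18).

    1.4 releases are keyed on three components because 1.4.2 is the only
    1.4 line the advisory names a fixed update for."""
    m = _BANNER.search(banner)
    if not m:
        raise ValueError("no java version string in banner")
    major, minor, micro, update = m.groups()
    if (major, minor) == ("1", "4"):
        family = f"{major}.{minor}.{micro}"
    else:
        family = f"{major}.{minor}"
    return family, int(update) if update else 0


def is_patched(banner):
    """True/False for families covered by the advisory, None for any other."""
    family, update = parse_java_version(banner)
    if family not in FIXED_UPDATE:
        return None
    return update >= FIXED_UPDATE[family]


def installed_java_banner():
    """Run the local `java -version`; the JDK prints the banner on stderr."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


# Constructed banners in the format the JDK prints, with the expected verdict.
SAMPLE_BANNERS = {
    'java version "1.6.0_18"\nJava(TM) SE Runtime Environment (build 1.6.0_18-b07)': False,
    'java version "1.6.0_19"\nJava(TM) SE Runtime Environment (build 1.6.0_19-b04)': True,
    'java version "1.5.0_22"': False,
    'java version "1.5.0_24"': True,
    'java version "1.4.2_19"': False,
    'java version "1.4.2_26"': True,
}

if __name__ == "__main__":
    for banner, expected in SAMPLE_BANNERS.items():
        verdict = is_patched(banner)
        print(f"{banner.splitlines()[0]}: patched={verdict} (expected {expected})")
    try:
        print("local JVM patched:", is_patched(installed_java_banner()))
    except FileNotFoundError:
        print("no java binary on PATH")
```

The check only reads the version banner; it says nothing about additional JVMs bundled with other software on the same host, each of which needs the same comparison.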
Vendor Information
Oracle
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1
References
Oracle
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1
Secunia
http://secunia.com/advisories/37255
iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=865
US-CERT
http://www.kb.cert.org/vuls/id/120541
Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=533125
SecurityTracker
http://securitytracker.com/alerts/2010/Jan/1023428.html
http://securitytracker.com/alerts/2010/Mar/1023774.html
SecurityFocus
http://www.securityfocus.com/bid/39085
http://www.securityfocus.com/bid/36935
http://www.securityfocus.com/bid/39095/
VUPEN
http://www.vupen.com/english/advisories/2010/0747
CVE Name
CVE-2009-3555
CVE-2010-0082
CVE-2010-0084
CVE-2010-0085
CVE-2010-0087
CVE-2010-0088
CVE-2010-0089
CVE-2010-0090
CVE-2010-0091
CVE-2010-0092
CVE-2010-0093
CVE-2010-0094
CVE-2010-0095
CVE-2010-0837
CVE-2010-0838
CVE-2010-0839
CVE-2010-0840
CVE-2010-0841
CVE-2010-0842
CVE-2010-0843
CVE-2010-0844
CVE-2010-0845
CVE-2010-0846
CVE-2010-0847
CVE-2010-0848
CVE-2010-0849
CVE-2010-0850
CWE Name
CWE-310
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003