CERT-In Advisory
CIAD-2008-0064
Multiple vulnerabilities in Sun Java Development Kit and Java Runtime Environment
Original Issue Date: December 11, 2008
Severity Rating: High
Systems Affected
- Java Web Start 1.x
- Java Web Start 5.x
- Java Web Start 6.x
- Sun Java JDK 1.5.x
- Sun Java JDK 1.6.x
- Sun Java JRE 1.3.x
- Sun Java JRE 1.4.x
- Sun Java JRE 1.5.x / 5.x
- Sun Java JRE 1.6.x / 6.x
- Sun Java SDK 1.3.x
- Sun Java SDK 1.4.x
Overview
Multiple vulnerabilities have been reported in the Sun Java Development Kit, Java Web Start and Java Runtime Environment which can be exploited by remote attackers to bypass certain security restrictions, disclose system and potentially sensitive information, gain unauthorized system access, cause denial of service conditions and compromise a vulnerable system.
Description
1. Java Web Start File Inclusion via System Properties Override Vulnerability (CVE-2008-2086)
Java Web Start (JWS) applications are launched through specially formatted XML files hosted on web sites with a "jnlp" file extension. This issue is caused by an error in how properties specified in JNLP files are interpreted. A remote attacker could exploit this vulnerability with specially crafted JNLP files to modify system properties such as java.home, java.ext.dirs and user.home. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.
JRE version 1.6.0_05 on Windows is not vulnerable.
2. Sun Java JRE JAX-WS and JAXB Packages Privilege Escalation Vulnerability (CVE-2008-5347)
This issue is caused by multiple errors in the JAX-WS and JAXB JRE packages, which could allow remote attackers to gain privileges via vectors related to access to inner classes in the JAX-WS and JAXB packages. An untrusted applet exploiting this vulnerability may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.
3. Sun Java JRE Kerberos Authentication Denial of Service Vulnerability (CVE-2008-5348)
This vulnerability is caused by an error in the JRE Kerberos authentication mechanism, which could allow remote attackers to cause a denial of service (OS resource consumption) via unknown vectors.
SDK and JRE 1.3.1 are not affected by this issue.
4. Sun Java JRE RSA Public Key Processing Denial of Service Vulnerability (CVE-2008-5349)
This vulnerability is caused by an error when processing RSA public keys in the Sun Java Runtime Environment (JRE). A remote attacker could exploit this vulnerability with specially crafted RSA public keys to consume large amounts of CPU. Successful exploitation of this vulnerability could allow a remote attacker to cause denial of service (CPU consumption) conditions.
SDK and JRE 1.4.x and 1.3.x are not affected by this issue.
5. Sun Java JRE Current User's Home Directory Listing Vulnerability (CVE-2008-5350)
An unspecified error in the Java Runtime Environment causes this vulnerability, which may allow an untrusted applet or application to list the contents of the current user's home directory. A remote attacker could exploit this vulnerability by having the user load an untrusted applet or application.
SDK and JRE 1.3.1 are not affected by this issue.
6. Sun Java JRE UTF-8 Decoder Multiple Representations of UTF-8 Input Vulnerability (CVE-2008-5351)
The UTF-8 (Unicode Transformation Format-8) decoder in the Java Runtime Environment (JRE) accepts encodings that are longer than the "shortest" form. A remote attacker could exploit this vulnerability by tricking applications that use the UTF-8 decoder into accepting invalid sequences via specially crafted URIs. Successful exploitation of this vulnerability could allow a remote attacker to disclose sensitive information.
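As an added illustration of item 6 (not code from the advisory or from the Sun JRE), the decoder below enforces the UTF-8 "shortest form" rule and reports why a byte sequence is rejected; its lenient mode (strict=False) reproduces the class of decoder behaviour the advisory describes, where an overlong sequence such as C0 AF is silently accepted as "/".

```python
# Added example: strict UTF-8 decoder that rejects overlong (non-shortest-form)
# encodings. Not the JRE's decoder; written for this advisory as an illustration.

# Lead-byte table: (low, high, payload mask, continuation bytes,
# smallest code point that legitimately needs this many bytes).
_LEADS = (
    (0xC0, 0xDF, 0x1F, 1, 0x80),
    (0xE0, 0xEF, 0x0F, 2, 0x800),
    (0xF0, 0xF4, 0x07, 3, 0x10000),
)


def decode_utf8(data: bytes, strict: bool = True) -> str:
    """Decode UTF-8. With strict=True an overlong sequence raises ValueError."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                      # single-byte ASCII
            out.append(chr(b0))
            i += 1
            continue
        for low, high, mask, need, minimum in _LEADS:
            if low <= b0 <= high:
                cp = b0 & mask
                break
        else:
            raise ValueError(f"invalid lead byte 0x{b0:02X} at offset {i}")
        if i + need >= n:
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, need + 1):
            b = data[i + k]
            if b & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{b:02X} at offset {i + k}")
            cp = (cp << 6) | (b & 0x3F)
        if strict and cp < minimum:
            # e.g. C0 AF decodes to U+002F '/', whose only valid encoding is the byte 2F
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}: "
                             f"{need + 1} bytes used, shortest form is shorter")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"U+{cp:04X} at offset {i} is not a Unicode scalar value")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def overlong_report(data: bytes) -> str:
    """Return '' if data is valid shortest-form UTF-8, else the strict decoder's reason."""
    try:
        decode_utf8(data, strict=True)
        return ""
    except ValueError as exc:
        return str(exc)
```

Constructed inputs such as b"\xc0\xaf" (two-byte "/"), b"\xe0\x80\xaf" and b"\xf0\x80\x80\xaf" are rejected as overlong in strict mode but decode to "/" in lenient mode, which is why a filter that inspects raw bytes for "/" before a lenient decoder runs can be bypassed.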
7. Sun Java JRE Pack200 Decompression Integer Overflow Vulnerability (CVE-2008-5352)
Pack200 is a compression method introduced by Sun in the Java Runtime Environment.
This vulnerability is caused by an improper bounds check when reading a Pack200-compressed JAR file during decompression. A remote attacker could exploit this vulnerability via a specially crafted Pack200-compressed JAR file to trigger a heap-based buffer overflow. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code in the context of the currently logged-on user.
JDK and JRE 1.4.2 and 1.3.1 are not affected.
8. Sun Java JRE Deserializing Calendar Objects Privilege Escalation Vulnerability (CVE-2008-5353)
This vulnerability is caused by an error in deserializing calendar objects in the Java Runtime Environment (JRE). A remote attacker could exploit this vulnerability with a specially crafted untrusted applet or application to escalate the privileges of the user running the untrusted applet. Successful exploitation of this vulnerability could allow a remote attacker to read or write local files or execute local applications.
SDK and JRE 1.3.1 are not affected.
9. Sun Java JRE Stack-based Buffer Overflow Vulnerability (CVE-2008-5354)
A boundary error when processing the "Main-Class" manifest entry of a JAR file causes this vulnerability in the Sun Java Runtime Environment. A remote attacker could exploit this vulnerability with a specially crafted JAR file containing a long Main-Class manifest entry to trigger a stack-based buffer overflow condition. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.
SDK and JRE 1.3.1 are not affected.
10. Sun Java JRE TrueType Font Parsing Heap Overflow Vulnerability (CVE-2008-5356)
A boundary checking error when processing TrueType font files causes this vulnerability in the Java Runtime Environment. A remote attacker could exploit this vulnerability with a specially crafted TrueType font file to trigger a heap-based buffer overflow condition. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the current user.
SDK and JRE 1.3.x are not affected.
11. Sun Java JRE TrueType Font Parsing Integer Overflow Vulnerability (CVE-2008-5357)
An integer overflow error when processing various structures in TrueType font files causes this vulnerability in the Java Runtime Environment. A remote attacker could exploit this vulnerability with a specially crafted TrueType font file to trigger a heap-based buffer overflow condition. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the current user.
SDK and JRE 1.3.x and 1.4.x are not affected.
12. Sun Java Web Start GIF Decoding Memory Corruption Vulnerability (CVE-2008-5358)
Java Web Start (JWS) is a framework built by Sun that is used to run Java applications outside of the browser. This vulnerability is caused by improper validation of several values in the GIF header when Java Web Start parses a GIF file. A remote attacker could exploit this vulnerability via a specially crafted splash logo to trigger memory corruption during display of the splash screen, possibly related to splashscreen.dll. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code with the privileges of the current user.
SDK and JRE 5.0, 1.4.x, and 1.3.x are not affected.
13. Sun Java JRE "Image Processing Code" Buffer Overflow Vulnerability (CVE-2008-5359)
This vulnerability is caused by an unspecified error in "image processing code" in the Java AWT library when processing image models. A remote attacker could exploit this vulnerability via a specially crafted "Raster" image model used in a "ConvolveOp" operation to trigger a heap-based buffer overflow condition. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.
SDK and JRE 5.0, 1.4.x, and 1.3.x are not affected.
14. JRE Temporary Files Security Restriction Bypass Vulnerability (CVE-2008-5360)
This vulnerability is caused by the Java Runtime Environment (JRE) creating temporary files with insufficiently random names. A remote attacker could exploit this vulnerability via unknown vectors to write malicious JAR files and perform restricted actions, such as stealing cookies, on the affected system.
Solution
Update to a fixed version.
JDK and JRE 6 Update 11:
http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 17:
http://java.sun.com/javase/downloads/index_jdk5.jsp
SDK and JRE 1.4.2_19:
http://java.sun.com/j2se/1.4.2/download.html
SDK and JRE 1.3.1_24:
http://java.sun.com/j2se/1.3/download.html
Vendor Information
Sun Microsystems
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244986-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244989-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-245246-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246286-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244990-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244992-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246266-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246346-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246366-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246386-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246387-1
References
Sun Microsystems
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244986-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-245246-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246286-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246387-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246386-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246366-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246346-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246266-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244992-1
Secunia
http://secunia.com/advisories/32991/
ZDI
http://www.zerodayinitiative.com/advisories/ZDI-08-080
http://www.zerodayinitiative.com/advisories/ZDI-08-081
iDefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=757
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=758
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=760
SecurityFocus
http://www.securityfocus.com/bid/32608
RedHat
http://rhn.redhat.com/errata/RHSA-2008-1018.html
http://rhn.redhat.com/errata/RHSA-2008-1025.html
Virtual Security Research
http://www.vsecurity.com/bulletins/advisories/2008/JWS-props.txt
CVE Name
CVE-2008-2086
CVE-2008-5347
CVE-2008-5348
CVE-2008-5349
CVE-2008-5350
CVE-2008-5351
CVE-2008-5352
CVE-2008-5353
CVE-2008-5354
CVE-2008-5356
CVE-2008-5357
CVE-2008-5358
CVE-2008-5359
CVE-2008-5360
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India