CERT-In Advisory
CIAD-2009-0053
Multiple Vulnerabilities in Sun Java Development Kit and Java Runtime Environment
Original Issue Date: November 16, 2009
Severity Rating: High
Systems Affected
- Sun Java JDK 1.5.x
- Sun Java JDK 1.6.x
- Sun Java JRE 1.3.x
- Sun Java JRE 1.4.x
- Sun Java JRE 1.5.x / 5.x
- Sun Java JRE 1.6.x / 6.x
- Sun Java SDK 1.3.x
- Sun Java SDK 1.4.x
Overview
Multiple vulnerabilities have been reported in Sun Java Development Kit, Java Web Start and Java Runtime Environment which could be exploited by remote attackers to bypass certain security restrictions, disclose potentially sensitive information, execute arbitrary code, cause Denial of Service conditions or compromise a vulnerable system.
Description
1. JRE Directory Traversal Vulnerability (CVE-2009-3728)
This vulnerability is caused by a directory traversal error in the 'ICC_Profile.getInstance()' method of the Java Runtime Environment (JRE) in Sun Java SE 5.0 and OpenJDK, and in the JAX-WS and JAXB JRE packages. A remote attacker could exploit this vulnerability via a .. (dot dot) in a pathname to determine the existence of local International Color Consortium (ICC) profile files.
2. Sun Java SE TrueType Font Parsing Denial of Service Vulnerability (CVE-2009-3729)
This vulnerability is caused by an unspecified error in the TrueType font parsing functionality in Sun Java SE 5.0. A remote attacker could exploit this vulnerability via a certain test suite to cause a Denial of Service condition.
3. JRE Java Update Mechanism Vulnerability on Non-English Versions (CVE-2009-3864)
This vulnerability is caused by the Java Update mechanism failing to retrieve newly available JRE versions when a non-English version of Windows is used with the Java Runtime Environment (JRE) in Sun Java SE JDK. A remote attacker could exploit this vulnerability by leveraging vulnerabilities in older releases of this software.
Note: SDK and JRE 1.4.2 and 1.3.1 are not affected by this issue.
4. JRE Deployment Toolkit Arbitrary Code Execution Vulnerability (CVE-2009-3865)
This vulnerability is caused by an error in the Java Runtime Environment Deployment Toolkit on Windows. A remote attacker could exploit this vulnerability via a specially crafted web page to execute arbitrary code.
Note: JDK and JRE 5.0, and SDK and JRE 1.4.2 and 1.3.1 are not affected by this issue.
5. Sun Java Web Start Arbitrary Code Execution Vulnerability (CVE-2009-3866)
This vulnerability is caused by an error in the implementation of security model permissions during the removal of installer extensions in the Java Web Start Installer. A remote attacker could exploit this vulnerability by modifying an existing installer extension JNLP file to run a malicious Java Web Start application as trusted and execute arbitrary code.
Note: JDK and JRE 5.0, and SDK and JRE 1.4.2 and 1.3.1 are not affected by this issue.
6. Sun Java 'HsbParser.getSoundBank()' Stack Buffer Overflow Vulnerability (CVE-2009-3867)
This vulnerability is caused by improper bounds checking on user-supplied data when parsing long file: URL arguments to the "HsbParser.getSoundBank()" function in Sun Java. A remote attacker could exploit this vulnerability via an overly long "file://" URL argument to trigger a stack-based buffer overflow. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.
7. Multiple JRE Image File Processing Privilege Escalation Vulnerabilities (CVE-2009-3868)
These vulnerabilities are caused by improper parsing of color profiles and unspecified errors in the JPEG JFIF Decoder and JPEG Image Writer in the Sun Java Runtime Environment. A remote attacker could exploit these vulnerabilities via a crafted image file to trigger an integer overflow error. Successful exploitation of these vulnerabilities could allow a remote attacker to gain elevated privileges.
8. Sun Java Runtime AWT 'setDiffICM()' Stack Overflow Vulnerability (CVE-2009-3869)
This vulnerability is caused by improper bounds checking on one of the parameters supplied as arguments to the "setDiffICM()" AWT library function in the Java Runtime Environment. A remote attacker could exploit this vulnerability via a crafted argument to trigger a stack-based buffer overflow. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.
9. Sun Java Runtime AWT 'setBytePixels()' Heap Overflow Vulnerability (CVE-2009-3871)
This vulnerability is caused by improper bounds checking on the parameters supplied as arguments to the "setBytePixels()" AWT library function in the Java Runtime Environment. A remote attacker could exploit this vulnerability via a crafted argument to trigger a heap-based buffer overflow. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code.
10. Sun Java Runtime Environment JPEGImageReader Heap Overflow Vulnerability (CVE-2009-3874)
This vulnerability is caused by an integer overflow error when processing the dimensions of a JPEG subsample in the JPEGImageReader in the Java Runtime Environment. A remote attacker could exploit this vulnerability via large subsample dimensions in a JPEG file to trigger a heap-based buffer overflow and execute arbitrary code.
11. JRE HMAC Digest Authentication Bypass Vulnerability (CVE-2009-3875)
This vulnerability is caused by an error when verifying HMAC digests in the 'MessageDigest.isEqual()' function in the Java Runtime Environment. A remote attacker could exploit this vulnerability via spoofed HMAC-based digital signatures that are incorrectly accepted as valid by a Java application, bypassing authentication.
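As an added illustration (not code from the JDK or from this advisory), the defect class commonly associated with this item is a digest comparison that returns at the first mismatching byte, so the time it takes reveals how many leading bytes of a forged tag were correct. The class MacCompare below, with a constructed key and message, contrasts such an early-exit comparison with a constant-time one and counts bytes touched instead of measuring time, so the difference is visible deterministically.

```java
import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not JDK code: an early-exit MAC comparison beside a
// constant-time one. A byte counter stands in for wall-clock timing so the
// difference in work done is visible deterministically.
public final class MacCompare {
    static int bytesCompared; // bytes the last comparison actually touched
    // Early-exit: returns at the first mismatch, so the work done (and time
    // taken) reveals how many leading bytes of a forged tag were correct.
    static boolean earlyExitEqual(byte[] a, byte[] b) {
        bytesCompared = 0;
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            bytesCompared++;
            if (a[i] != b[i]) return false;
        }
        return true;
    }
    // Constant-time: visits every byte and OR-accumulates differences, so the
    // work done does not depend on where the first mismatch lies.
    static boolean constantTimeEqual(byte[] a, byte[] b) {
        bytesCompared = 0;
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            bytesCompared++;
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
    public static void main(String[] args) throws Exception {
        // Constructed demo key and message; the HMAC itself comes from the JDK.
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec("constructed-demo-key".getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        byte[] good = mac.doFinal("message".getBytes(StandardCharsets.UTF_8));
        // Forged tags sharing 0, 4 and 16 correct leading bytes with the real one.
        for (int prefix : new int[] {0, 4, 16}) {
            byte[] forged = new byte[good.length];
            System.arraycopy(good, 0, forged, 0, prefix);
            forged[prefix] = (byte) (good[prefix] ^ 0x01); // force a mismatch at index 'prefix'
            earlyExitEqual(good, forged);
            int early = bytesCompared;
            constantTimeEqual(good, forged);
            System.out.printf("prefix=%2d: early-exit touched %2d bytes, constant-time touched %2d%n", prefix, early, bytesCompared);
        }
    }
}
```

Compile and run with javac MacCompare.java && java MacCompare: for 0, 4 and 16 correct leading bytes the early-exit version touches 1, 5 and 17 of the 32 tag bytes, while the constant-time version always touches all 32. On JRE releases at or above the fixed versions in the Solution section, MessageDigest.isEqual() is the comparison to use rather than hand-written loops.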
12. JRE Decoding DER Encoded Data and Parsing HTTP Headers Denial of Service (DoS) Vulnerability (CVE-2009-3876, CVE-2009-3877)
These vulnerabilities are caused by errors when decoding DER encoded data and parsing HTTP headers in the Java Runtime Environment. A remote attacker could exploit them via specially crafted DER encoded data to make the JRE on the server run out of memory, causing denial of service conditions.
13. JRE Abstract Window Toolkit (AWT) Information Disclosure Vulnerability (CVE-2009-3880)
This vulnerability is caused by improper restrictions on the objects that are sent to loggers in the Abstract Window Toolkit (AWT) in the Java Runtime Environment. A remote attacker could exploit this vulnerability via different vectors related to the implementation of Component, KeyboardFocusManager, and DefaultKeyboardFocusManager to disclose potentially sensitive information.
14. Sun Java Resurrected ClassLoader Privilege Escalation Vulnerability (CVE-2009-3881)
This vulnerability is caused by unspecified errors in preventing the existence of children of a resurrected ClassLoader in Sun Java SE and OpenJDK. A remote attacker could exploit this vulnerability via unknown vectors to gain elevated privileges.
15. Sun Java Multiple Information Disclosure Vulnerabilities (CVE-2009-3882, CVE-2009-3883, CVE-2009-3884)
These vulnerabilities are caused by unspecified errors in the Swing and 'TimeZone.getTimeZone()' method implementations in Sun Java SE and OpenJDK. A remote attacker could exploit these vulnerabilities via different vectors to disclose potentially sensitive information.
16. Sun Java BMP Files with UNC ICC Links Parsing Denial of Service Vulnerability (CVE-2009-3885)
This vulnerability is caused by unspecified errors in parsing BMP files with UNC ICC links in Sun Java. A remote attacker could exploit this vulnerability via a specially crafted BMP file containing a link to a UNC share pathname for an International Color Consortium (ICC) profile file to cause Denial of Service conditions.
Solution
Upgrade to Sun JDK and JRE 6 Update 17 or later:
http://java.sun.com/javase/downloads/index.jsp
Upgrade to Sun JDK and JRE 5.0 Update 22 or later:
http://java.sun.com/javase/downloads/index_jdk5.jsp
Upgrade to Sun SDK and JRE 1.4.2_24 or later:
http://java.sun.com/j2se/1.4.2/download.html
Upgrade to Sun SDK and JRE 1.3.1_27 or later:
http://java.sun.com/j2se/1.3/download.html
Java SE for Business:
http://www.sun.com/software/javaseforbusiness/getit_download.jsp
Vendor Information
Sun Microsystems
http://java.sun.com/javase/6/webnotes/6u17.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269868-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269869-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1
References
Sun Microsystems
http://java.sun.com/javase/6/webnotes/6u17.html
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269868-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269869-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269870-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270476-1
Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=530098
https://bugzilla.redhat.com/show_bug.cgi?id=532904
https://bugzilla.redhat.com/show_bug.cgi?id=530297
https://bugzilla.redhat.com/show_bug.cgi?id=530296
https://bugzilla.redhat.com/show_bug.cgi?id=530173
https://bugzilla.redhat.com/show_bug.cgi?id=530175
https://bugzilla.redhat.com/show_bug.cgi?id=530300
https://bugzilla.redhat.com/show_bug.cgi?id=530114
https://bugzilla.redhat.com/show_bug.cgi?id=532914
US-CERT
http://www.us-cert.gov/cas/bulletins/SB09-313.html
VUPEN
http://www.vupen.com/english/advisories/2009/3131
Secunia
http://secunia.com/advisories/37231/1/
ZDI
http://www.zerodayinitiative.com/advisories/ZDI-09-076/
http://www.zerodayinitiative.com/advisories/ZDI-09-077/
http://www.zerodayinitiative.com/advisories/ZDI-09-079/
http://www.zerodayinitiative.com/advisories/ZDI-09-078/
http://www.zerodayinitiative.com/advisories/ZDI-09-080/
SecurityTracker
http://securitytracker.com/id?1023132
SecurityFocus
http://www.securityfocus.com/bid/36881
Juniper Net
https://www.juniper.net/security/auto/vulnerabilities/vuln36881.html
CVE Name
CVE-2009-3728
CVE-2009-3729
CVE-2009-3864
CVE-2009-3865
CVE-2009-3866
CVE-2009-3867
CVE-2009-3868
CVE-2009-3869
CVE-2009-3871
CVE-2009-3872
CVE-2009-3873
CVE-2009-3874
CVE-2009-3875
CVE-2009-3876
CVE-2009-3877
CVE-2009-3880
CVE-2009-3881
CVE-2009-3882
CVE-2009-3883
CVE-2009-3884
CWE Name
CWE-22
CWE-94
CWE-264
CWE-119
CWE-310
CWE-200
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road, New Delhi - 110 003
India