CERT-In Advisory
CIAD-2010-0070
Multiple Vulnerabilities in Oracle Java Development Kit and Java Runtime Environment
Original Issue Date: November 15, 2010
Severity Rating: High
Systems Affected
- Sun Java JDK 1.5.x
- Sun Java JDK 1.6.x / 6.x
- Sun Java JRE 1.4.x
- Sun Java JRE 1.5.x / 5.x
- Sun Java JRE 1.6.x / 6.x
- Sun Java SDK 1.4.x
Overview
Multiple vulnerabilities have been reported in Oracle Java Development Kit and Java Runtime Environment, which can be exploited by a remote attacker to bypass certain security restrictions, manipulate certain data, disclose potentially sensitive information, execute arbitrary code, and cause a Denial of Service condition or potentially compromise a vulnerable system.
Description
1. Oracle Java SE and Java for Business Remote Code Execution Vulnerabilities
(CVE-2010-3556, CVE-2010-3562, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3571)
These vulnerabilities are caused by unspecified errors in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28. A remote attacker could exploit these vulnerabilities via unknown vectors to affect confidentiality, integrity, and availability.
One of these unspecified vulnerabilities, referenced as CVE-2010-3567, is related to a calculation error in right-to-left text character counts in the ICU OpenType font rendering implementation, which triggers an out-of-bounds memory access.
Another unspecified vulnerability, referenced as CVE-2010-3565, is an integer overflow that triggers memory corruption via large values in a subsample of a JPEG image, related to JPEGImageWriter.writeImage in the imageio API.
Another vulnerability, referenced as CVE-2010-3562, is a double free error in IndexColorModel that allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.
2. Oracle Java SE and Java for Business Networking Component Vulnerabilities
(CVE-2010-3549, CVE-2010-3541, CVE-2010-3573, CVE-2010-3574, CVE-2010-3551, CVE-2010-3560)
These vulnerabilities are caused by unspecified errors in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28. A remote attacker could exploit these vulnerabilities via vectors related to the Networking component to affect confidentiality, integrity, and availability.
The vulnerability referenced as CVE-2010-3574 is caused by improper checking of the allowHttpTrace permission in the HttpURLConnection class, which allows untrusted code to perform HTTP TRACE requests. The vulnerability referenced as CVE-2010-3573 is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.
The vulnerability referenced as CVE-2010-3549 is an HTTP request splitting vulnerability involving the handling of the chunked transfer encoding method by the HttpURLConnection class.
The vulnerability referenced as CVE-2010-3541 is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.
3. Oracle Java SE and Java for Business Java Runtime Environment Vulnerabilities
(CVE-2010-3568, CVE-2010-3569)
Two unspecified vulnerabilities exist in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27, which allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors. One of these vulnerabilities is due to a race condition related to deserialization; the other is in the defaultReadObject method of the Serialization API, which could be tricked into setting a volatile field multiple times and could allow a remote attacker to execute arbitrary code with the privileges of the user running the applet or application.
4. Vulnerabilities in the CORBA Component of Oracle Java SE and Java for Business
(CVE-2010-3554, CVE-2010-3561)
Two unspecified vulnerabilities exist in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28, which allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors. One of these vulnerabilities is related to the use of the privileged accept method in the ServerSocket class, which does not properly limit the hosts that may connect and so allows remote attackers to bypass intended network access restrictions; the other vulnerability is related to permissions granted to certain system objects.
5. Vulnerabilities in the Deployment Component of Oracle Java SE and Java for Business
(CVE-2010-3563, CVE-2010-3555, CVE-2010-3570)
Two unspecified vulnerabilities exist in the Deployment component in Oracle Java SE and Java for Business 6 Update 21, and one unspecified vulnerability exists in the Deployment Toolkit component in Oracle Java SE and Java for Business 6 Update 21, which allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors. Another vulnerability in the Deployment component is caused by the way Web Start retrieves security policies: an attacker can forge a policy of their own and force the removal of sandbox restrictions. Successful exploitation leads to arbitrary code execution in the context of the user running the browser.
6. Vulnerabilities in the Java Web Start Component of Oracle Java SE and Java for Business
(CVE-2010-3550, CVE-2010-3558)
Two unspecified vulnerabilities exist in the Java Web Start component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25, which may allow remote attackers to execute arbitrary code.
7. Vulnerability in the New Java Plug-in Component of Oracle Java SE and Java for Business
(CVE-2010-3552)
An unspecified vulnerability exists in the New Java Plug-in component in Oracle Java SE and Java for Business 6 Update 21, which allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
8. Vulnerabilities in the Sound Component of Oracle Java SE and Java for Business
(CVE-2010-3559, CVE-2010-3572)
Two unspecified vulnerabilities exist in the Sound component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25, which may allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors. One of these vulnerabilities is due to a signedness error in the "HeadspaceSoundbank.nGetName()" function when parsing BANK records, which can be exploited to cause a buffer overflow in memcpy() via a specially crafted SoundBank file.
9. Vulnerabilities in the Swing Component of Oracle Java SE and Java for Business
(CVE-2010-3553, CVE-2010-3557)
Two unspecified vulnerabilities exist in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28, which allow remote attackers to affect confidentiality, integrity, and availability via unknown vectors. One of these vulnerabilities is related to the modification of "behavior and state of certain JDK classes" and "mutable static." The other vulnerability is related to unsafe reflection involving the UIDefault.ProxyLazyValue class.
10. Vulnerability in the JNDI Component of Oracle Java SE and Java for Business
(CVE-2010-3548)
An unspecified vulnerability in the Java Naming and Directory Interface (JNDI) component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors. Successful exploitation of this vulnerability could allow a remote attacker to determine internal IP addresses or "otherwise-protected internal network names."
11. Kerberos GSS-API NULL Pointer Dereference Vulnerability
(CVE-2010-1321)
A vulnerability has been reported in Kerberos, which can be exploited by malicious users to cause a DoS (Denial of Service).
This vulnerability is caused by a NULL pointer dereference error when processing certain Kerberos AP-REQ authenticators, which can be exploited to cause a denial of service (DoS) condition by sending an AP-REQ authenticator with a missing checksum field.
Solution
Apply patches as mentioned in Vendor Advisory
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
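To help locate installations that still need the vendor patch, the following inventory check is an added example and is not part of the CERT-In advisory or of Oracle's materials: it parses java -version output and flags any JRE or JDK at or below the update levels this advisory lists as affected (6 Update 21, 5.0 Update 25, 1.4.2_27, 1.3.1_28). The sample outputs are constructed, and treating any later update as patched is an assumption to confirm against the Oracle advisory.

```python
import re
import subprocess

# Highest update level of each Java family that this advisory lists as
# affected. Anything at or below these levels is treated as unpatched;
# anything above is ASSUMED to carry the October 2010 fixes (confirm
# against the Oracle Critical Patch Update advisory).
AFFECTED_MAX_UPDATE = {"1.6.0": 21, "1.5.0": 25, "1.4.2": 27, "1.3.1": 28}

# Matches the first line of `java -version`, e.g. java version "1.6.0_21"
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+\.\d+\.\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (family, update) from java -version text, or None if absent.
    A version with no _NN suffix (e.g. "1.6.0") is treated as update 0."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    update = int(m.group(2)) if m.group(2) else 0
    return m.group(1), update


def is_affected(output):
    """True if the reported JRE/JDK is at or below an affected update level,
    False if above it, None if the family is not covered by this advisory."""
    parsed = parse_java_version(output)
    if parsed is None or parsed[0] not in AFFECTED_MAX_UPDATE:
        return None
    family, update = parsed
    return update <= AFFECTED_MAX_UPDATE[family]


# Constructed sample outputs (not captured from real hosts) for offline use.
SAMPLE_OUTPUTS = {
    "jre6u21": 'java version "1.6.0_21"\nJava(TM) SE Runtime Environment (build 1.6.0_21-b06)\n',
    "jre6u22": 'java version "1.6.0_22"\nJava(TM) SE Runtime Environment (build 1.6.0_22-b04)\n',
    "jre5u25": 'java version "1.5.0_25"\n',
    "jre142u28": 'java version "1.4.2_28"\n',
    "java7": 'java version "1.7.0"\n',
}


def check_local_java():
    """Run java -version on this host (it prints to stderr) and classify it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_affected(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        print(f"{name:10s} affected={is_affected(text)}")
    print("local java affected =", check_local_java())
```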
Vendor Information
Oracle
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
http://blogs.oracle.com/security/2010/10/october_2010_and_java_critical.html
References
Oracle
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
http://blogs.oracle.com/security/2010/10/october_2010_and_java_critical.html
Security Tracker
http://securitytracker.com/alerts/2010/Oct/1024573.html
Zero Day Initiative
http://www.zerodayinitiative.com/advisories/ZDI-10-201/
http://www.zerodayinitiative.com/advisories/ZDI-10-202
http://www.zerodayinitiative.com/advisories/ZDI-10-203/
http://www.zerodayinitiative.com/advisories/ZDI-10-204/
http://www.zerodayinitiative.com/advisories/ZDI-10-205/
http://www.zerodayinitiative.com/advisories/ZDI-10-206/
http://www.zerodayinitiative.com/advisories/ZDI-10-207/
http://www.zerodayinitiative.com/advisories/ZDI-10-208/
Secunia
http://secunia.com/advisories/41791/
CVE Name
CVE-2010-3556
CVE-2010-3562
CVE-2010-3565
CVE-2010-3566
CVE-2010-3567
CVE-2010-3571
CVE-2010-3549
CVE-2010-3541
CVE-2010-3573
CVE-2010-3574
CVE-2010-3551
CVE-2010-3560
CVE-2010-3568
CVE-2010-3569
CVE-2010-3554
CVE-2010-3561
CVE-2010-3563
CVE-2010-3555
CVE-2010-3570
CVE-2010-3552
CVE-2010-3559
CVE-2010-3572
CVE-2010-3553
CVE-2010-3557
CVE-2010-3548
CVE-2010-1321
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India