Highly critical

Sun Java JDK / JRE Multiple Vulnerabilities


Release Date:  2010-03-31    Last Update:  2010-04-21    Views:  76,687

Secunia Advisory SA37255

Where:

From remote

Impact:

Unknown, Security Bypass, Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS, System access

Solution Status:

Vendor Patch

CVE Reference(s):

Description


Multiple vulnerabilities have been reported in Sun Java, where some have an unknown impact and others can be exploited by malicious people to bypass certain security restrictions, manipulate certain data, disclose potentially sensitive information, cause a DoS (Denial of Service), or compromise a vulnerable system.

1) An error in the implementation of the "HeadspaceSoundbank" class can be exploited to cause a stack-based buffer overflow via a crafted Soundbank file with an overly long name.

2) An error in the implementation of the "HeadspaceSoundbank" class can be exploited to cause a heap-based buffer overflow via a crafted Soundbank file with an overly long record.

3) An input validation error in the processing of image files can be exploited to cause a heap-based buffer overflow, e.g. if a user visits a web page containing a specially crafted Java applet.

Successful exploitation of these vulnerabilities allows execution of arbitrary code.

4) An error in the validation of signed Java applets can be exploited to modify the contents of a signed applet without breaking the signature. This can be exploited to execute arbitrary code outside the traditional Java sandbox if a user trusting the company signing the applet is tricked into executing it.

5) An error in the Unpack200 component when processing data can be exploited to cause a buffer overflow.

6) Two errors in the AWT library when parsing data passed to a specific function can be exploited to corrupt memory.

7) Unspecified vulnerabilities exist in the ImageIO, Java 2D, Java Runtime Environment, Java Web Start, Java Plug-in, Sound, and HotSpot Server components.

8) An error in the JSSE component while handling TLS session re-negotiations can be exploited to manipulate certain data.

For more information:
SA37291

9) Two unspecified errors in the Java Runtime Environment can be exploited to disclose unspecified information.

10) An unspecified error in the Java Web Start, Java Plug-in component can be exploited to cause a DoS.

11) An error in the deserialization of RMIConnectionImpl objects can be exploited to call privileged Java functions and execute arbitrary code.

12) An integer overflow error in the com.sun.media.sound library can be exploited to cause a heap-based buffer overflow and execute arbitrary code.

13) An error when creating a MixerSequencer from a MIDI stream can be exploited to write a NULL byte to an arbitrary address and execute arbitrary code.

14) An integer overflow error when processing JPEG image dimensions can be exploited to corrupt memory and execute arbitrary code.

15) An error in the implementation of the mutable InetAddress subclass can be exploited to bypass Applet SecurityManager restrictions and connect to an arbitrary network address.

16) An error when enforcing restrictions for executed methods can be exploited to call privileged methods and execute arbitrary code via an object extending a trusted class.

17) An error in the JPEGImageDecoderImpl interface can be exploited to cause a heap-based buffer overflow and execute arbitrary code.

18) An error in the JPEGImageEncoderImpl interface can be exploited to cause a heap-based buffer overflow via a specially crafted "num_components" field in a "comp_info" structure and execute arbitrary code.

19) An array indexing error when handling MixerSequencer objects can be exploited to execute arbitrary code when playing a MIDI file.

20) An error in the "readMabCurveData()" function provided by the CMM module can be exploited to cause a stack-based buffer overflow and potentially execute arbitrary code.
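
Items 12, 14 and 18 share one bug class: a buffer size derived from untrusted header fields that either wraps on multiplication or is never bounded. The following C sketch is an added example, not Sun's code and not part of the advisory; the struct layout, the limits and the function names are assumptions, and only the field name `num_components` echoes the advisory text.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical header; only the field name num_components echoes the advisory. */
struct img_header {
    uint32_t width;
    uint32_t height;
    uint32_t num_components;
};

#define MAX_COMPONENTS 4u                    /* assumed decoder limit */
#define MAX_PIXELS (64u * 1024u * 1024u)     /* assumed policy cap */

/* Unchecked: the 32-bit product wraps, so oversized dimensions can yield
 * a small byte count and an undersized heap buffer. */
uint32_t naive_size(const struct img_header *h)
{
    return h->width * h->height * h->num_components;
}

/* Checked: 0 and *out set on success, -1 if a field is out of range. */
int checked_size(const struct img_header *h, size_t *out)
{
    if (h->width == 0 || h->height == 0)
        return -1;
    if (h->num_components == 0 || h->num_components > MAX_COMPONENTS)
        return -1;
    /* Compare by division so the test itself cannot overflow. */
    if (h->width > MAX_PIXELS / h->height)
        return -1;
    /* At most MAX_PIXELS * MAX_COMPONENTS = 256 MiB, fits in size_t. */
    *out = (size_t)h->width * h->height * h->num_components;
    return 0;
}

int main(void)
{
    struct img_header bad = { 0x4001, 0x10000, 4 };   /* constructed input */
    size_t n = 0;
    printf("naive: %u bytes\n", (unsigned)naive_size(&bad));
    printf("checked: %d\n", checked_size(&bad, &n));
    return 0;
}
```
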


Solution:
Update to a fixed version.


Provided and/or discovered by:
1, 2) Dyon Balding, Secunia Research.
3) regenrecht, reported via iDefense.
4) Brian Bjerre Graversen, Signaturgruppen.
5) Sebastien Renaud, Vupen Security.
6, 7) Alexandre Pelletier, Vupen Security.
11, 15, 16) Sami Koivu, reported via ZDI.
12, 13, 19) Peter Vreugdenhil, reported via ZDI.
14, 17, 18) regenrecht, reported via ZDI.
20) Stephen Fewer of Harmony Security, reported via ZDI.

The vendor also credits:
* Steve Dispensa, PhoneFactor
* Stephen Fewer, iDefense
* Marsh Ray, PhoneFactor
* Regenrecht, iDefense
* Marc Schoenefeld, Red Hat

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2009-49/
http://secunia.com/secunia_research/2009-50/

Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=865

US-CERT VU#507652:
http://www.kb.cert.org/vuls/id/507652

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-051/
http://www.zerodayinitiative.com/advisories/ZDI-10-052/
http://www.zerodayinitiative.com/advisories/ZDI-10-053/
http://www.zerodayinitiative.com/advisories/ZDI-10-054/
http://www.zerodayinitiative.com/advisories/ZDI-10-055/
http://www.zerodayinitiative.com/advisories/ZDI-10-056/
http://www.zerodayinitiative.com/advisories/ZDI-10-057/
http://www.zerodayinitiative.com/advisories/ZDI-10-059/
http://www.zerodayinitiative.com/advisories/ZDI-10-060/
http://www.zerodayinitiative.com/advisories/ZDI-10-061/

clst RE: Sun Java JDK / JRE Multiple Vulnerabilities
Member 25th May, 2010 23:32
Also affects the version of JRE included with the latest AMD RaidXpert



© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144