Sun Java JDK / JRE / SDK Multiple Vulnerabilities

Criticality: Highly critical

Release Date: 2010-10-13    Last Update: 2010-11-08

Secunia Advisory SA41791

Where: From remote

Impact: Security Bypass, Manipulation of data, Exposure of sensitive information, DoS, System access

Solution Status: Vendor Patch

CVE Reference(s):

Description


Multiple vulnerabilities have been reported in Sun Java, which can be exploited by malicious users to cause a DoS (Denial of Service) and by malicious people to disclose potentially sensitive information, manipulate certain data, bypass certain security restrictions, and compromise a vulnerable system.

1) An error in the 2D component may allow execution of arbitrary code.

2) An error in the 2D component may allow execution of arbitrary code.

3) An integer overflow error in the "JPEGImageWriter.writeImage()" function when processing JPEG image dimensions of a subsample can be exploited to corrupt memory.

Successful exploitation may allow execution of arbitrary code.

4) An integer overflow error in the color profile parser when processing the ICC Profile Device Information Tag structure results in an undersized memory allocation.

Successful exploitation may allow execution of arbitrary code.

5) An error in the 2D component may allow execution of arbitrary code.

6) An integer overflow error in the color profile parser when processing the ICC Profile Unicode Description Tag structure results in an undersized memory allocation.

Successful exploitation may allow execution of arbitrary code.
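Items 3, 4 and 6 share one native bug class: a record count and a per-record size read from the file are multiplied in 32-bit arithmetic, the product wraps, and the parser allocates a buffer far smaller than the data it then copies into it. The following is an added illustration of that pattern and of the check that closes it; the tag layout, the function names and the sample bytes are constructed here and are not the JRE's colour-management or JPEG code.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed big-endian tag layout, loosely modelled on an ICC tag:
 *   [4 bytes count][4 bytes record size][count * record_size bytes of records]
 * Illustration only; this is not the JRE's colour-management parser. */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable sizing: the 32-bit product wraps, so a huge claimed record
 * count yields a tiny allocation while the copy loop still trusts count. */
uint32_t vuln_record_bytes(uint32_t count, uint32_t rec_size)
{
    return count * rec_size;
}

/* Hardened sizing: reject a product that would wrap, and reject a claim
 * that exceeds the bytes actually present in the tag body. */
int safe_record_bytes(uint32_t count, uint32_t rec_size, size_t avail, size_t *out)
{
    if (count == 0 || rec_size == 0)
        return -1;
    if (count > SIZE_MAX / rec_size)      /* multiplication would overflow */
        return -1;
    size_t need = (size_t)count * rec_size;
    if (need > avail)                      /* file does not hold that much */
        return -1;
    *out = need;
    return 0;
}

/* Parse a tag: returns a malloc'd copy of the records (caller frees) and
 * sets *nrec, or NULL if the header is inconsistent with the buffer. */
uint8_t *parse_tag(const uint8_t *buf, size_t len, uint32_t *nrec)
{
    if (len < 8)
        return NULL;
    uint32_t count = be32(buf), rec_size = be32(buf + 4);
    size_t need;
    if (safe_record_bytes(count, rec_size, len - 8, &need) != 0)
        return NULL;
    uint8_t *recs = malloc(need);
    if (!recs)
        return NULL;
    memcpy(recs, buf + 8, need);
    *nrec = count;
    return recs;
}

/* Constructed benign tag: 2 records of 4 bytes. */
static const uint8_t good_tag[] = {
    0,0,0,2,  0,0,0,4,  'a','b','c','d',  'e','f','g','h' };

/* Constructed malicious header: 0x40000001 * 4 = 0x100000004, which wraps
 * to 4 in 32-bit arithmetic, so the vulnerable path would malloc(4) and
 * then copy records as if it had room for 0x40000001 of them. */
static const uint8_t evil_tag[] = {
    0x40,0,0,1,  0,0,0,4,  'a','b','c','d' };

uint32_t demo_wrapped_size(void) { return vuln_record_bytes(0x40000001u, 4); }

int demo_good(void)
{
    uint32_t n = 0;
    uint8_t *r = parse_tag(good_tag, sizeof good_tag, &n);
    int ok = r != NULL && n == 2 && memcmp(r, "abcdefgh", 8) == 0;
    free(r);
    return ok;
}

int demo_evil_rejected(void)
{
    uint32_t n = 0;
    uint8_t *r = parse_tag(evil_tag, sizeof evil_tag, &n);
    int rejected = (r == NULL);
    free(r);
    return rejected;
}
```

The bound against the bytes actually remaining in the buffer is the check that matters in practice: on a 64-bit build the 32-bit inputs can never overflow size_t, so a parser that only guards the multiplication is still fooled by a count that exceeds the file.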

7) An error in the CORBA component may allow execution of arbitrary code.

8) An error in the com.sun.jnlp.BasicServiceImpl class when retrieving a security policy can be exploited to remove sandbox restrictions.

Successful exploitation allows execution of arbitrary code.

9) An input validation error when parsing JNLP content tags when creating shortcut files from draggable applets can be exploited to create files with arbitrary Scriptable Shell Objects.

Successful exploitation may allow execution of arbitrary code but requires tricking a user into creating a shortcut to the applet.

10) An error in the JRE component may allow execution of arbitrary code.

11) An error in the Java Web Start component may allow execution of arbitrary code.

12) A boundary error in the New Java Plugin (JP2IEXP.dll) when copying the "docbase" applet parameter can be exploited to cause a stack-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

13) A signedness error in the "HeadspaceSoundbank.nGetName()" function when parsing BANK records can be exploited to cause a buffer overflow using memcpy() via a specially crafted SoundBank file.

Successful exploitation may allow execution of arbitrary code.
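Item 13 is a different integer bug from the ICC ones: a length field is read as a signed value, a "fits in the buffer" comparison is done in signed arithmetic, and the negative length then becomes an enormous size_t when handed to memcpy(). The following is an added illustration of that signedness error beside a hardened reader; the record layout, the NAME_MAX limit, the function names and the sample records are constructed here and are not the JRE Sound engine's code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed record layout: [4-byte little-endian length][name bytes].
 * Illustration only; this is not the JRE's SoundBank reader. */

static int32_t le32s(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

#define NAME_MAX 32   /* assumed fixed-size name buffer */

/* Vulnerable pattern: the length is signed, so the bounds check passes for
 * a negative value, which memcpy would then receive as a huge size_t.
 * The copy is not performed here; the function reports the size memcpy
 * would have been handed. */
size_t vuln_copy_len(const uint8_t *rec)
{
    int32_t len = le32s(rec);
    if (len < NAME_MAX)            /* -1 < 32 is true */
        return (size_t)len;        /* -1 becomes SIZE_MAX */
    return 0;
}

/* Hardened: treat the length as unsigned and bound it by both the
 * destination and the bytes remaining in the record before copying. */
int safe_get_name(const uint8_t *rec, size_t rec_len, char out[NAME_MAX + 1])
{
    if (rec_len < 4)
        return -1;
    uint32_t len = (uint32_t)le32s(rec);
    if (len > NAME_MAX || len > rec_len - 4)
        return -1;
    memcpy(out, rec + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed records: a benign 5-byte name and a record whose length
 * field is 0xFFFFFFFF (-1 when read as signed). */
static const uint8_t good_rec[] = { 5,0,0,0, 'P','i','a','n','o' };
static const uint8_t evil_rec[] = { 0xFF,0xFF,0xFF,0xFF, 'x' };

int demo_good_name(void)
{
    char name[NAME_MAX + 1];
    int n = safe_get_name(good_rec, sizeof good_rec, name);
    return n == 5 && strcmp(name, "Piano") == 0;
}

int demo_evil_name(void)
{
    char name[NAME_MAX + 1];
    return safe_get_name(evil_rec, sizeof evil_rec, name);   /* -1 */
}
```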

14) An error in the Sound component may allow execution of arbitrary code.

15) An error in the Swing component may allow execution of arbitrary code.

16) The ActiveX plugin fails to properly initialize a window handle, which may allow execution of arbitrary code.

17) An error in the Java Web Start component may allow execution of arbitrary code.

18) An error in the Deployment Toolkit component may allow execution of arbitrary code.

19) An error in the CORBA component can be exploited to disclose and manipulate certain data.

20) An error in the JSSE TLS/SSL component can be exploited to manipulate certain data.

For more information:
SA37291

21) A NULL-pointer dereference error in Kerberos GSS-API can be exploited to cause a DoS.

For more information:
SA39762

22) An error in the Networking component can be exploited to disclose and manipulate certain data.

23) An error in the Swing component can be exploited to disclose and manipulate certain data.

24) An error in the "addRequestProperty()" method can be exploited to inject new HTTP requests via the "Transfer-Encoding" header and bypass the Same Origin Policy (SOP).
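Item 24 is a request-splitting problem: if untrusted code can place a CR/LF pair, or a framing header such as Transfer-Encoding, into an outgoing request, the bytes after the blank line are parsed by the server as a second request, and that second request carries whatever Host and path the attacker chose, which is what defeats the same-origin policy. The following is an added illustration with a naive request builder beside a header validator; the builder, the validator, the example.test host and the restricted-header list are constructed here and are not the JRE's HttpURLConnection implementation.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Naive builder: concatenates the caller's header without inspection.
 * Constructed for illustration; not the JRE's request serialisation. */
int build_request_naive(char *out, size_t cap, const char *path,
                        const char *hname, const char *hvalue)
{
    int n = snprintf(out, cap,
                     "GET %s HTTP/1.1\r\nHost: example.test\r\n%s: %s\r\n\r\n",
                     path, hname, hvalue);
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Count request-line starts: "GET " at the start of the buffer or directly
 * after a blank line. A correctly built request yields exactly 1. */
int count_requests(const char *req)
{
    int count = 0;
    const char *p = req;
    while (p) {
        if (strncmp(p, "GET ", 4) == 0)
            count++;
        p = strstr(p, "\r\n\r\n");
        if (p)
            p += 4;
    }
    return count;
}

static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Assumed list of headers untrusted code must not set: these control
 * message framing or the request's identity. */
static const char *restricted[] = {
    "Transfer-Encoding", "Content-Length", "Host", "Connection", "Upgrade", NULL };

/* Hardened: refuse CR/LF anywhere in the header (no splitting possible)
 * and refuse the framing/identity headers regardless of case. */
int header_allowed(const char *hname, const char *hvalue)
{
    for (const char *p = hname; *p; p++)
        if (*p == '\r' || *p == '\n' || *p == ':' || *p == ' ')
            return 0;
    for (const char *p = hvalue; *p; p++)
        if (*p == '\r' || *p == '\n')
            return 0;
    for (int i = 0; restricted[i]; i++)
        if (ieq(hname, restricted[i]))
            return 0;
    return 1;
}

/* Constructed attacker value: ends the current request and starts a
 * second one aimed at a different Host. */
static const char *injected = "1\r\n\r\nGET /admin HTTP/1.1\r\nHost: internal.test\r\n";

int demo_split_count(void)
{
    char buf[512];
    if (build_request_naive(buf, sizeof buf, "/index.html", "X-Trace", injected) < 0)
        return -1;
    return count_requests(buf);   /* 2: the server sees two requests */
}

int demo_clean_count(void)
{
    char buf[512];
    if (build_request_naive(buf, sizeof buf, "/index.html", "X-Trace", "1") < 0)
        return -1;
    return count_requests(buf);   /* 1 */
}
```

Rejecting CR and LF outright is the cheaper and safer rule than trying to sanitise them, and the restricted-header list has to be matched case-insensitively, since "transfer-encoding" is the same header to the server.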

25) An error in the Java Runtime Environment can be exploited by an untrusted applet to bypass the same origin policy and e.g. access cookies of other domains.

26) An error in the Networking component when handling multiple applets can be exploited to conduct DNS rebinding attacks and connect to arbitrary TCP ports on the local host.

27) An error in the JNDI component can be exploited to disclose certain data.

28) An error in the implementation of the "hashCode()" method within the Networking component can be exploited to disclose an IP address of the local network interface.

29) An error in the Packages.javax.naming package when performing DNS resolution can be exploited to disclose the IP address of a DNS server via error messages.


Solution:
Apply updates from the Oracle Critical Patch Update for October 2010 (see Original Advisory below).

Provided and/or discovered by:
3) An anonymous person, reported via ZDI.
4,6) Intevydis, reported via ZDI.
8) Matthias Kaiser, reported via ZDI.
9,24-26,28,29) Stefano Di Paola, Minded Security.
12) Independently discovered by Stephen Fewer of Harmony Security, via ZDI and SkyLined, Google Inc.
13) An anonymous person, reported via ZDI.
16) Stephen Fewer of Harmony Security, reported via ZDI.
16) An anonymous person, reported via ZDI.
25) Roberto Suggi Liverani, Security-Assessment.com.

The vendor also credits SkyLined, Google Inc.

It is currently unclear who reported the remaining vulnerabilities as the Oracle Critical Patch Update for October 2010 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-202/
http://www.zerodayinitiative.com/advisories/ZDI-10-203/
http://www.zerodayinitiative.com/advisories/ZDI-10-204/
http://www.zerodayinitiative.com/advisories/ZDI-10-205/
http://www.zerodayinitiative.com/advisories/ZDI-10-206/
http://www.zerodayinitiative.com/advisories/ZDI-10-207/
http://www.zerodayinitiative.com/advisories/ZDI-10-208/

SkyLined:
http://code.google.com/p/skylined/issues/detail?id=18
http://code.google.com/p/skylined/issues/detail?id=23

Security-Assessment.com:
http://www.security-assessment.com/files/advisories/Oracle_JRE_java_net_urlconnection_SOP_Bypass.pdf

Minded Security:
http://blog.mindedsecurity.com/2010/10/java-jnlp-applet-user-assisted.html
http://blog.mindedsecurity.com/2010/10/dns-rebinding-on-java-applets.html
http://blog.mindedsecurity.com/2010/10/java-applet-same-ip-host-access.html
http://blog.mindedsecurity.com/2010/10/http-request-splitting-and-header-abuse.html
http://blog.mindedsecurity.com/2010/10/get-internal-network-information-with.html



© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144