Multiple vulnerabilities have been reported in Sun Java, which can be exploited by malicious, local users to disclose potentially sensitive information and by malicious people to disclose potentially sensitive information, manipulate certain data, conduct DNS cache poisoning attacks, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) An error in the "doubleValue()" method in FloatingDecimal.java when converting "2.2250738585072012e-308" from a string type to a double precision binary floating point can be exploited to cause an infinite loop.

2) An input validation error in the "findClass()" method of the sun.plugin2.applet.Applet2ClassLoader class when handling URLs supplied by an implicitly trusted applet may allow execution of arbitrary code.

3) A sign-extension error in jsound.dll when parsing soundbank streams can be exploited to corrupt heap memory via a specially crafted sound file.

4) An error in the "XGetSamplePtrFromSnd()" function within jsound.dll when extracting samples from a soundbank stream can be exploited to corrupt heap memory via a specially crafted sound file.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

5) An error in the Java Web Start loader when parsing a JNLP file containing an extension can be exploited to define explicit security permissions of a Java component and execute arbitrary code outside of the JRE sandbox.

6) An error in the Swing component when handling clipboard interactions in an applet can be exploited to write a "TransferableProxy" object to the system clipboard and force a paste action.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

7) An error in the Deployment component may allow execution of arbitrary code in a client deployment via e.g untrusted applets.

8) An error in the HotSpot component may allow execution of arbitrary code in a client deployment via e.g untrusted applets.

9) An error in the Sound component may allow execution of arbitrary code in a client and server deployment via e.g untrusted applets or data sent to APIs through a web service.

10) An error in the Deployment component may allow execution of arbitrary code in a client deployment via e.g untrusted applets.

11) An error in the Install component may allow execution of arbitrary code in a client deployment using the Java Update mechanism.

This vulnerability affects Windows based platforms only.

12) An error in the Deployment component when handling NTLM authentication in response to "WWW-Authenticate" requests from the Internet zone can be exploited to disclose NTLM authentication hashes.

13) An error in the JAXP component can be exploited to cause a DoS in a server deployment via e.g. data sent to APIs through a web service.

14) An error in the 2D component can be exploited to disclose certain data in a client deployment via e.g. untrusted applets.

15) An error in the Deployment component can be exploited to disclose certain data in a client deployment via e.g. untrusted applets.

16) An error in the Deployment component can be exploited to disclose certain data in a client deployment via e.g. untrusted applets.

17) An error in the JDBC component can be exploited to disclose and manipulate certain data in a client deployment via e.g. untrusted applets.

18) An error in the Launcher component can be exploited to disclose and manipulate certain data in a client deployment when a user runs a standalone application.

19) The java.net.Socket API does not properly limit the number of concurrent UDP sockets, which can be exploited to conduct DNS cache poisoning attacks by exhausting available sockets by e.g. tricking a user into visiting a website containing malicious applets.

20) An error in the XML Digital Signature component can be exploited to cause a DoS in a server deployment via e.g. data sent to APIs through a web service.

21) An error in the Security component can be exploited by local users to disclose certain Java DB accessible data.

For more information:
SA42948

Solution
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by
1) Konstantin Preiber.
2) Frederic Hoguin.
4) binaryproof.
5) Peter Csepely.
6, 12) Sami Koivu via ZDI.
19) Roee Hay and Yair Amit, IBM Rational Application Security Research Group

It is currently unclear who reported the remaining vulnerabilities as the Oracle Critical Patch Update for February 2011 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Oracle:
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html

Konstantin Preiber:
http://www.exploringbinary.com/why-volatile-fixes-the-2-2250738585072011e-308-bug/comment-page-1/#comment-4645

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-082/
http://www.zerodayinitiative.com/advisories/ZDI-11-083/
http://www.zerodayinitiative.com/advisories/ZDI-11-084/
http://www.zerodayinitiative.com/advisories/ZDI-11-085/
http://www.zerodayinitiative.com/advisories/ZDI-11-086/

IBM:
http://blog.watchfire.com/files/dnsp_port_exhaustion.pdf
http://roeehay.blogspot.com/2011/10/dns-poisoning-via-port-exhaustion.html

Other references
Further details available to Secunia VIM customers

Technical Analysis
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers