Highly critical

Oracle Java SE Multiple Vulnerabilities


Description


Multiple vulnerabilities have been reported in Oracle Java SE, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) A type confusion error when handling the "surfaceData" object can be exploited to cause a heap-based buffer overflow.

2) A signedness error when processing the "readMabCurveData" tag descriptor within ICC color profiles can be exploited to incorrectly allocate memory and cause memory corruption.

3) An error when processing the IDEF opcode (0x89) during True Type font parsing can be exploited to cause a heap-based buffer overflow via a specially crafted font file.

4) Certain input passed via JNLP files is not properly sanitised before being used by Java Web Start and can be exploited to inject and execute arbitrary commands.

5) An error in the JavaFX component can be exploited to install an Oracle signed JAR file and invoke certain methods of a trusted class with arbitrary arguments.

6) An error in the Install component may allow execution of arbitrary code in a client deployment via the update mechanism.

This may be related to:
SA47134

7) An error in the handling of AtomicReferenceArray, due to its use of the Unsafe class to store references within the array, may result in a type safety violation and allow escaping the JRE sandbox.

8) An error in the I18n component can be exploited to disclose and manipulate certain data and to cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

9) An error in the Serialization component can be exploited to disclose and manipulate certain data and to cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

10) An error in the AWT component can be exploited to disclose certain data and cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

11) An error in the Sound component can be exploited to disclose certain data and cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

12) An error in the Lightweight HTTP Server can be exploited to cause a DoS.

For more information:
SA47819

13) An off-by-one error in the "countCENHeaders()" function (zip_util.c of java.util.zip) when processing archive files can be exploited to cause a recursive loop and crash the JVM via a specially crafted ZIP file.

14) An error in the CORBA component can be exploited to manipulate certain data in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

15) An input sanitisation error in the Java Web Start component when handling certain parameters within JNLP files can be exploited to inject arbitrary command line arguments via e.g. a specially crafted "java-vm-args" parameter.

NOTE: This vulnerability may be related to vulnerability #4.

16) An error in the use of reflection when a class within the NEWT library was used as the main-class in a JNLP file can be exploited to call the main method of other trusted classes with arbitrary arguments.

17) An error in the Java GlueGen library can be exploited by a specially crafted Java applet to load arbitrary DLL files into the JRE process by calling "openLibraryGlobal".

18) An error in the Java OpenGL (JOGL) library can be exploited by a specially crafted Java applet to load arbitrary DLL files into the JRE process by calling "LoadLibraryA".

19) An error in the Java OpenAL (JOAL) library can be exploited by a specially crafted Java applet to call "dispatch_alDeleteBuffers1" with a user-controlled integer value being used as a function pointer.
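
A defender-side check for the JNLP parameter handling described in items 4 and 15, as an added example that is not part of the advisory or of Oracle's code: it audits the "java-vm-args" attribute of a JNLP file against an allowlist before the file is published or opened. The allowlist, the function name and the sample documents are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed local policy (not Oracle's list): option prefixes a reviewed JNLP may carry.
ALLOWED_PREFIXES = ("-Xmx", "-Xms", "-Xss")
# Characters that never belong in a plain JVM option and hint at argument smuggling.
SUSPICIOUS_CHARS = set("\"'`;|&<>")

def audit_jnlp(xml_text):
    """Return (value, reason) findings for java-vm-args in one JNLP document."""
    if "<!DOCTYPE" in xml_text.upper():
        # Refuse DTDs so entity-expansion tricks never reach the parser.
        return [("<!DOCTYPE", "DTD declared; document not parsed")]
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag not in ("j2se", "java"):
            continue
        raw = elem.get("java-vm-args")
        if raw is None:
            continue
        if SUSPICIOUS_CHARS & set(raw):
            findings.append((raw, "quote or shell metacharacter in attribute"))
            continue
        for token in raw.split():
            if not token.startswith(ALLOWED_PREFIXES):
                findings.append((token, "option not on allowlist"))
    return findings

# Constructed sample documents (not taken from any real deployment).
CLEAN = '<jnlp><resources><j2se version="1.6+" java-vm-args="-Xmx256m -Xss1m"/></resources></jnlp>'
UNLISTED = '<jnlp><resources><j2se version="1.6+" java-vm-args="-Xmx256m -Dconstructed.example=1"/></resources></jnlp>'
QUOTED = '<jnlp><resources><java version="1.6+" java-vm-args="-Xmx64m&quot; constructed-placeholder"/></resources></jnlp>'

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("unlisted", UNLISTED), ("quoted", QUOTED)):
        print(name, audit_jnlp(doc))
```

A check like this complements the vendor patches named under Solution and does not replace them.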


Solution:
Apply patches (please see the vendor's advisory for more information).

Provided and/or discovered by:
1) An anonymous person via iDefense.
2) Alin Rad Pop (binaryproof) via ZDI.
3) Peter Vreugdenhil, TippingPoint DVLabs.
4) TELUS Security Labs.
5, 15-19) Chris Ries via ZDI.
7) Jeroen Frijters.
13) Timo Warns, PRESENSE Technologies via PRE-CERT.
15) An anonymous person via ZDI.

It is currently unclear who reported the remaining vulnerabilities as the Oracle Java SE Critical Patch Update for February 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

TELUS:
http://telussecuritylabs.com/threats/show/TSL20120214-01

PRE-CERT:
http://www.pre-cert.de/advisories/PRE-SA-2012-01.txt

iDefense:
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=970

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-032/
http://www.zerodayinitiative.com/advisories/ZDI-12-037/
http://www.zerodayinitiative.com/advisories/ZDI-12-038/
http://www.zerodayinitiative.com/advisories/ZDI-12-039/
http://www.zerodayinitiative.com/advisories/ZDI-12-045/
http://www.zerodayinitiative.com/advisories/ZDI-12-060/
http://www.zerodayinitiative.com/advisories/ZDI-12-081/
http://www.zerodayinitiative.com/advisories/ZDI-12-082/
http://www.zerodayinitiative.com/advisories/ZDI-12-083/

TippingPoint DVLabs:
http://dvlabs.tippingpoint.com/advisory/TPTI-12-01

Jeroen Frijters:
http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3


Subject: Oracle Java SE Multiple Vulnerabilities

loungehaddock RE: Oracle Java SE Multiple Vulnerabilities
Member 16th Feb, 2012 11:02
Score: 0
Posts: 2
User Since: 16th Feb 2012
System Score: N/A
Location: UK
Last edited on 16th Feb, 2012 11:02
JRE 6.31 crashes the Opera web browser 11.61 in Windows.

There seems to be no way of letting oracle.com know about this, so impenetrable are its defences.
ddmarshall RE: Oracle Java SE Multiple Vulnerabilities
Dedicated Contributor 16th Feb, 2012 11:18
Score: 1172
Posts: 940
User Since: 8th Nov 2008
System Score: 100%
Location: UK
It's probably easier to tell Opera
http://www.opera.com/support/

--
This answer is provided “as-is.” You bear the risk of using it.
taffy078 RE: Oracle Java SE Multiple Vulnerabilities
Contributor 17th Feb, 2012 16:05
Score: 403
Posts: 1,275
User Since: 26th Feb 2009
System Score: 100%
Location: UK
Hi lounge haddock - we're not supposed to post here. Please take a peek at

http://secunia.com/community/forum/thread/show/121...

I hope that resolves your problem.

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003

© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144