
Sun Java JRE Large Temporary File Creation Vulnerability

Secunia ID

SA20132

CVE-ID

CVE-2006-2426

Release Date

16 May 2006

Last Change

27 Mar 2009

Criticality

Not Critical

Solution Status

Vendor Patch

Software

Sun Java JDK 1.5.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java SDK 1.4.x

Where

From remote

Impact

DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.


Description

Marc Schoenefeld has discovered a vulnerability in Sun Java JRE (Java Runtime Environment), which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused by missing restrictions on temporary file creation. A malicious applet can exploit this to create large files in the temporary folder, e.g. via the "Font.createFont()" method.

Successful exploitation causes a vulnerable system to run out of disk space.

The vulnerability has been confirmed in JDK 5.0 Update 6 and has also been reported in SDK 1.4.2_11 on the Microsoft Windows platform.

Solution

Reportedly fixed in JDK and JRE 5.0 Update 18, SDK and JRE 1.4.2_20, and 1.3.1_25 (for customers with Solaris 8 and Vintage Support Offering support contracts).
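The fixed releases listed above can be turned into an inventory check. The following is an added example, not part of the advisory or of any vendor tooling: it parses legacy Sun version strings (as printed by `java -version`) and compares the update number with the fixed update for each release family. The host names and inventory are constructed, and treating every update below the fixed one as lacking the fix is an assumption.

```python
import re

# Fixed update per release family, as reported in the Solution section.
FIXED_UPDATE = {(1, 5, 0): 18, (1, 4, 2): 20, (1, 3, 1): 25}

# Legacy Sun version strings: "1.5.0_06", "1.4.2_11-b06", "1.5.0" (no update).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$")


def parse_version(text):
    """Return ((major, minor, micro), update), or None if the string does not parse."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    family = tuple(int(g) for g in m.group(1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0
    return family, update


def classify(text):
    """Classify one version string against the advisory's fixed releases."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "not-listed"  # family not covered by this advisory
    # Assumption: any update below the fixed one still lacks the fix.
    return "fixed" if update >= fixed else "needs-update"


def audit(inventory):
    """Map each host to a status, given {host: version string}."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory for illustration only.
SAMPLE = {
    "ws-01": "1.5.0_06",
    "ws-02": "1.4.2_11-b06",
    "srv-01": "1.5.0_18",
    "srv-02": "1.6.0_10",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {SAMPLE[host]} -> {status}")
```

Note that the 1.3.1_25 fix is listed only for customers with the support contracts named above, so a "needs-update" result on 1.3.1 may call for a migration rather than a patch.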

Reported by

Marc Schoenefeld

Original Advisory

Sun:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-254608-1




 

Copyright © 1996 - 2010
Kaspersky Lab
All rights reserved
 
