Sun Java JDK / JRE Multiple Vulnerabilities

Secunia ID	SA32991
CVE-ID	CVE-2008-2086, CVE-2008-5347, CVE-2008-5348, CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2008-5352, CVE-2008-5353, CVE-2008-5354, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358, CVE-2008-5359, CVE-2008-5360, CVE-2008-5339, CVE-2008-5342, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346, CVE-2008-5340, CVE-2008-5341, CVE-2008-5343, CVE-2008-5355
Release Date	04 Dec 2008
Last Change	12 Dec 2008
Criticality	Highly Critical Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure. Such vulnerabilities can exist in services like FTP, HTTP, and SMTP or in client systems like email programs or browsers.
Solution Status	Vendor Patch
Software	Java Web Start 1.x Java Web Start 5.x Java Web Start 6.x Sun Java JDK 1.5.x Sun Java JDK 1.6.x Sun Java JRE 1.3.x Sun Java JRE 1.4.x Sun Java JRE 1.5.x / 5.x Sun Java JRE 1.6.x / 6.x Sun Java SDK 1.3.x Sun Java SDK 1.4.x
Where	From remote "From remote" describes other vulnerabilities where the attack vector doesn't require access to the system or a local network. This category covers services that are acceptable to expose to the Internet (e.g. HTTP, HTTPS, SMTP). It also covers client applications used on the Internet and certain vulnerabilities where it is reasonable to assume that a security conscious user can be tricked into performing certain actions.
Impact	DoS (Denial of Service) This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system. System access This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user. Exposure of sensitive information Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote. Exposure of system information Vulnerabilities where excessive information about the system (e.g. version numbers, running services, installation paths, and similar) are exposed and can be revealed from remote and in some cases locally. Security Bypass This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application. The actual impact varies significantly depending on the design and purpose of the affected application.
Description	Some vulnerabilities have been reported in Sun Java, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, cause a DoS (Denial of service), or compromise a vulnerable system. 1) Java Runtime Environment (JRE) creates temporary files with insufficiently random names. This can be exploited to write arbitrary JAR files and perform restricted actions on the affected system. 2) An error exists in the Java AWT library when processing image models. This can be exploited to cause a heap-based buffer overflow via a specially crafted "Raster" image model used in a "ConvolveOp" operation. 3) An error in Java Web Start when processing certain GIF header values can be exploited to cause a memory corruption via a specially crafted splash logo. 4) An integer overflow error in the processing of TrueType fonts can be exploited to cause a heap-based buffer overflow. 5) An error in the JRE can be exploited to establish network connections to arbitrary hosts. 6) An error when launching Java Web Start applications can be exploited by an untrusted application to e.g. read, write, or execute local files with the privileges of the user running the application. 7) An error can be exploited by an untrusted Java Web Start application to obtain the current username and the location of the Java Web Start cache. 8) An error in Java Web Start can be exploited to modify system properties (e.g. java.home, java.ext.dirs, and user.home) via specially crafted JNLP files. 9) An error in Java Web Start and Java Plug-in can be exploited to hijack HTTP sessions. 10) An error in the JRE applet class loading functionality can be exploited to read arbitrary files and establish network connections to arbitrary hosts. 11) An error in the Java Web Start BasicService can be exploited to open arbitrary local files in the user's browser. 12) The problem is that the "Java Update" mechanism does not check the digital signature of the downloaded update package. This be exploited to execute arbitrary code via e.g. a MitM (Man-in-the-Middle) or DNS spoofing attack. 13) A boundary error exists when processing the "Main-Class" manifest entry of a JAR file. This can be exploited to cause a stack-based buffer overflow via a specially crafted JAR file. 14) An error when deserializing calendar objects can be exploited by an untrusted Java applet to e.g. read, write, or execute local files. 15) An integer overflow error in JRE can be exploited to cause a heap-based buffer overflow via a specially crafted Pack200 compressed JAR file. 16) The UTF-8 decoder accepts encodings longer than the "shortest" form. This can potentially be exploited to trick applications using the decoder into accepting invalid sequences and e.g. disclose sensitive information via specially crafted URIs. 17) An error in the JRE can be exploited to list the contents of the user's home directory. 18) An error when processing RSA public keys can be exploited to consume large amounts of CPU. 19) An error in the JRE Kerberos authentication mechanism can be exploited to potentially exhaust operating system resources. 20) Multiple errors in the JAX-WS and JAXB JRE packages can be exploited by an untrusted Java applet to e.g. read, write, or execute local files. 21) An error when processing ZIP files can be exploited to disclose arbitrary memory locations from the host process. 22) An error can be exploited by malicious code loaded from the local filesystem to gain network access to the local host. 23) A boundary error in the processing of TrueType fonts can be exploited to cause a heap-based buffer overflow. Please see the vendor advisories for details on affected products and versions.
Solution	Update to a fixed version. JDK and JRE 6 Update 11: http://java.sun.com/javase/downloads/index.jsp JDK and JRE 5.0 Update 17: http://java.sun.com/javase/downloads/index_jdk5.jsp SDK and JRE 1.4.2_19: http://java.sun.com/j2se/1.4.2/download.html SDK and JRE 1.3.1_24 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/j2se/1.3/download.html
Reported by	2) An anonymous researcher working with ZDI 3, 15) "regenrecht" working with iDefense. 4) Sebastian Apelt working with iDefense 5, 6, 7) Peter Csepely working with ZDI 8) Virtual Security Research 9) The vendor credits Billy Rios of Microsoft and Nate Mcfeters of Ernst and Young. 10) The vendor credits Peter Csepely working with ZDI and John Heasman of NGSSoftware. 12) The vendor credits Francisco Amato. 13) Stefan Middendorf 14) The vendor credits Sami Koivu. 17) The vendor credits Henri Torgemane and Sami Koivu. 19) The vendor credits Jan Grant of Bristol University. 20) The vendor credits Adam Gowdiak. 21) The vendor credits University of Oulu. 23) Sean Larsson, iDefense Labs
Original Advisory	Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-66-244986-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-244989-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-244990-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-244992-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-245246-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-246266-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-246286-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-246346-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-246366-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-246386-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-246387-1 Virtual Security Research: http://www.vsecurity.com/bulletins/advisories/2008/JWS-props.txt Stefan Middendorf: http://www.ximido.de/research/advisories/SM_Java-BO_200811.txt ZDI: http://www.zerodayinitiative.com/advisories/ZDI-08-080 http://www.zerodayinitiative.com/advisories/ZDI-08-081 iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=757 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=758 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=759 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=760