Sun Java JDK / JRE Multiple Vulnerabilities

Secunia ID	SA34451
CVE-ID	CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, CVE-2009-1107
Release Date	26 Mar 2009
Last Change	03 Apr 2009
Criticality	Highly Critical Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure. Such vulnerabilities can exist in services like FTP, HTTP, and SMTP or in client systems like email programs or browsers.
Solution Status	Vendor Patch
Software	Sun Java JDK 1.5.x Sun Java JDK 1.6.x Sun Java JRE 1.3.x Sun Java JRE 1.4.x Sun Java JRE 1.5.x / 5.x Sun Java JRE 1.6.x / 6.x Sun Java SDK 1.3.x Sun Java SDK 1.4.x
Where	From remote "From remote" describes other vulnerabilities where the attack vector doesn't require access to the system or a local network. This category covers services that are acceptable to expose to the Internet (e.g. HTTP, HTTPS, SMTP). It also covers client applications used on the Internet and certain vulnerabilities where it is reasonable to assume that a security conscious user can be tricked into performing certain actions.
Impact	DoS (Denial of Service) This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system. System access This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user. Security Bypass This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application. The actual impact varies significantly depending on the design and purpose of the affected application.
Description	Some vulnerabilities have been reported in Sun Java, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a user's system. 1) An error while initialising LDAP connections can be exploited to render the LDAP service unresponsive. 2) An error in the JRE LDAP client implementation can be exploited to load and execute arbitrary code via specially crafted data received from a malicious LDAP server. 3) An integer overflow error in JRE when unpacking applets and in Java Web Start applications using the "unpack200" JAR unpacking utility can be exploited to potentially execute arbitrary code. This is related to vulnerability #15 in: SA32991 4) An error in JRE when unpacking applets and in Java Web Start applications using the "unpack200" JAR unpacking utility can be exploited to cause a buffer overflow and potentially execute arbitrary code. 5) Two errors when storing and processing temporary font files can be exploited by an untrusted applet or a Java Web Start application to consume an overly large amount of disk space. This is related to: SA20132 6) An error in the Java Plug-in when deserializing applets can be exploited to e.g. read, write, or execute local files. 7) The Java Plug-in allows JavaScript code loaded from the local system to connect to arbitrary local ports. This can be exploited in combination with cross-site scripting attacks to access normally restricted local ports. 8) The Java Plug-in allows applets to run in earlier versions of JRE if approved by the user. This can be exploited to trick a user into loading a malicious applet into an old and potentially vulnerable JRE version. 9) An error in the Java Plug-in when processing crossdomain.xml files can be exploited by an untrusted applet to connect to arbitrary domains providing a crossdomain.xml file. 10) An error in the Java Plug-in can be exploited by a signed applet to alter the contents of the security dialog and trick a user into trusting the applet. 11) An error in the JRE virtual machine when generating code can be exploited to e.g. read, write, or execute local files. NOTE: This vulnerability only affects JDK and JRE 6 Update 12 and earlier for the Solaris SPARC platform. 12) An integer overflow error in JRE when processing PNG splash screen images can be exploited by an untrusted Java Web Start application to cause a buffer overflow and potentially execute arbitrary code. 13) An error in JRE when processing GIF splash screen images can be exploited by an untrusted Java Web Start application to cause a buffer overflow and potentially execute arbitrary code. 14) An error in JRE when processing GIF images can be exploited by an untrusted applet or an untrusted Java Web Start application to cause a buffer overflow and potentially execute arbitrary code. 15) A signedness error in JRE when processing Type1 fonts can be exploited to cause corrupt heap memory and potentially execute arbitrary code. 16) An unspecified error in the JRE HTTP server implementation can be exploited to render a JAX-WS service endpoint unresponsive. Please see the vendor advisories for details on affected products and versions.
Solution	Update to a fixed version. JDK and JRE 6 Update 13: http://java.sun.com/javase/downloads/index.jsp JDK and JRE 5.0 Update 18: http://java.sun.com/javase/downloads/index_jdk5.jsp Java SE for Business SDK and JRE 1.4.2_20: http://www.sun.com/software/javaseforbusiness/getit_download.jsp SDK and JRE 1.3.1_25 (for customers with Solaris 8 and Vintage Support Offering support contracts): http://java.sun.com/j2se/1.3/download.html NOTE: Java SE SDK and JRE 1.4.2 have reached Sun End of Service Life (EOSL). Upgrade to the latest Java SE release or migrate to Java SE for Business.
Reported by	1, 2, 6, 7, 8, 11, 16) Reported by the vendor. 3, 12, 13, 14) regenrecht, reported via iDefense 4) Chris Evans 5) The vendor credits Marc Schoenefeld. 9) The vendor credits Gregory Fleischer. 10) The vendor credits Michael Scheirl. 15) Sean Larsson, iDefense
Original Advisory	Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-66-254569-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-254570-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-254608-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-254611-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-254610-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-254571-1 http://sunsolve.sun.com/search/document.do?assetkey=1-66-254609-1 iDefense: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=781 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=780 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=779 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=778 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=777 Chris Evans: http://scary.beasts.org/security/CESA-2009-005.html