
Sun Java JDK / JRE / SDK Multiple Vulnerabilities


Secunia ID

SA41791

CVE-ID

CVE-2009-3555, CVE-2010-1321, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574

Release Date

13 Oct 2010

Last Change

08 Nov 2010

Criticality

Highly Critical

Solution Status

Vendor Patch

Software

Sun Java JDK 1.5.x
Sun Java JDK 1.6.x / 6.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x
Sun Java SDK 1.4.x

Where

From remote

Impact

DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Manipulation of data

This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.

The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.

Security Bypass

This covers vulnerabilities or security issues where malicious users or people can bypass certain security mechanisms of the application.

The actual impact varies significantly depending on the design and purpose of the affected application.

Description

Multiple vulnerabilities have been reported in Sun Java, which can be exploited by malicious users to cause a DoS (Denial of Service) and by malicious people to disclose potentially sensitive information, manipulate certain data, bypass certain security restrictions, and compromise a vulnerable system.

1) An error in the 2D component may allow execution of arbitrary code.

2) An error in the 2D component may allow execution of arbitrary code.

3) An integer overflow error in the "JPEGImageWriter.writeImage()" function when processing JPEG image dimensions of a subsample can be exploited to corrupt memory.

Successful exploitation may allow execution of arbitrary code.

4) An integer overflow error in the color profile parser when processing the ICC Profile Device Information Tag structure causes memory to be improperly allocated.

Successful exploitation may allow execution of arbitrary code.

5) An error in the 2D component may allow execution of arbitrary code.

6) An integer overflow error in the color profile parser when processing the ICC Profile Unicode Description Tag structure causes memory to be improperly allocated.

Successful exploitation may allow execution of arbitrary code.

7) An error in the CORBA component may allow execution of arbitrary code.

8) An error in the com.sun.jnlp.BasicServiceImpl class when retrieving a security policy can be exploited to remove sandbox restrictions.

Successful exploitation allows execution of arbitrary code.

9) An input validation error when parsing JNLP content tags when creating shortcut files from draggable applets can be exploited to create files with arbitrary Scriptable Shell Objects.

Successful exploitation may allow execution of arbitrary code but requires tricking a user into creating a shortcut to the applet.

10) An error in the JRE component may allow execution of arbitrary code.

11) An error in the Java Web Start component may allow execution of arbitrary code.

12) A boundary error in the New Java Plugin (JP2IEXP.dll) when copying the "docbase" applet parameter can be exploited to cause a stack-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

13) A signedness error in the "HeadspaceSoundbank.nGetName()" function when parsing BANK records can be exploited to cause a buffer overflow using memcpy() via a specially crafted SoundBank file.

Successful exploitation may allow execution of arbitrary code.
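As an added illustration for items 3, 4, 6 and 13 (constructed for this advisory, not Sun/Oracle code), the following C shows the two native-parser mistakes those items describe: a signed length field bounds-checked with a signed comparison, so a negative BANK record length reaches memcpy(), beside the unsigned check that rejects it; and an overflow-checked size computation for an image buffer. Function and field names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NAME_MAX 64   /* assumed maximum name length for the record */

/* Item 13 pattern: the name length is read from the file as a SIGNED
 * 32-bit value and compared as signed. A negative value passes
 * "len <= NAME_MAX" and is then converted to a huge size_t for memcpy().
 * Returns true when the (buggy) check would let the copy proceed. */
bool name_len_ok_signed(int32_t len) {
    return len <= NAME_MAX;           /* BUG: -1 passes this check */
}

/* Hardened form: treat the field as unsigned before bounding it, so any
 * negative (wrapped) value is rejected as "too large". */
bool name_len_ok_unsigned(int32_t len_from_file) {
    uint32_t len = (uint32_t)len_from_file;
    return len <= NAME_MAX;
}

/* Copy a name field into dst (NAME_MAX + 1 bytes) only when the hardened
 * check accepts the length. Returns bytes copied, 0 if rejected. */
size_t copy_name(char *dst, const uint8_t *rec, int32_t len) {
    if (!name_len_ok_unsigned(len)) return 0;
    memcpy(dst, rec, (size_t)len);
    dst[len] = '\0';
    return (size_t)len;
}

/* Items 3, 4, 6 pattern: a buffer size derived from attacker-controlled
 * dimensions (width * height * bytes per pixel) wraps around, so the
 * allocation is far smaller than the data later written into it.
 * Each multiplication is checked before it is performed. Returns true and
 * sets *out only when the product fits in size_t. */
bool image_buf_size(uint32_t w, uint32_t h, uint32_t bpp, size_t *out) {
    if (w == 0 || h == 0 || bpp == 0) return false;
    if (w > SIZE_MAX / h) return false;
    size_t wh = (size_t)w * h;
    if (wh > SIZE_MAX / bpp) return false;
    *out = wh * bpp;
    return true;
}
```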

14) An error in the Sound component may allow execution of arbitrary code.

15) An error in the Swing component may allow execution of arbitrary code.

16) The ActiveX plugin fails to properly initialize a window handle, which may allow execution of arbitrary code.

17) An error in the Java Web Start component may allow execution of arbitrary code.

18) An error in the Deployment Toolkit component may allow execution of arbitrary code.

19) An error in the CORBA component can be exploited to disclose and manipulate certain data.

20) An error in the JSSE TLS/SSL component can be exploited to manipulate certain data.

For more information:
SA37291

21) A NULL-pointer dereference error in Kerberos GSS-API can be exploited to cause a DoS.

For more information:
SA39762

22) An error in the Networking component can be exploited to disclose and manipulate certain data.

23) An error in the Swing component can be exploited to disclose and manipulate certain data.

24) An error in the "addRequestProperty()" method can be exploited to inject new HTTP requests via the "Transfer-Encoding" header and bypass the Same Origin Policy (SOP).

25) An error in the Java Runtime Environment can be exploited by an untrusted applet to bypass the same origin policy and e.g. access cookies of other domains.

26) An error in the Networking component when handling multiple applets can be exploited to conduct DNS spoofing attacks and open arbitrary TCP ports on the local host.

27) An error in the JNDI component can be exploited to disclose certain data.

28) An error in the implementation of the "hashCode()" method within the Networking component can be exploited to disclose an IP address of the local network interface.

29) An error in the Packages.javax.naming package when performing DNS resolution can be exploited to disclose the IP address of a DNS server via error messages.

Solution

Apply updates.

JDK and JRE 6 Update 21 and earlier for Windows, Solaris, and Linux:
Update to version 6 Update 22.
http://www.oracle.com/technetwork/java/javase/downloads/index.html

JDK 5.0 Update 25 and earlier for Solaris:
Apply updates (please see the vendor's advisory for details).

SDK 1.4.2_27 and earlier for Solaris:
Apply updates (please see the vendor's advisory for details).

JDK and JRE 5.0 Update 25 and earlier for Windows, Solaris and Linux:
Apply updates (please see the vendor's advisory for details).

SDK and JRE 1.4.2_27 and earlier for Windows, Solaris and Linux:
Apply updates (please see the vendor's advisory for details).

Reported by

3) An anonymous person, reported via ZDI.
4,6) Intevydis, reported via ZDI.
8) Matthias Kaiser, reported via ZDI.
12) Independently discovered by Stephen Fewer of Harmony Security, via ZDI and SkyLined, Google Inc.
16) Stephen Fewer of Harmony Security, reported via ZDI.
13) An anonymous person, reported via ZDI.
16) An anonymous person, reported via ZDI.
25) Roberto Suggi Liverani, Security-Assessment.com.
9,24-26,28,29) Stefano Di Paola, Minded Security.

The vendor also credits SkyLined, Google Inc.

It is currently unclear who reported the remaining vulnerabilities as the Oracle Critical Patch Update for October 2010 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory

Oracle:
http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-10-202/
http://www.zerodayinitiative.com/advisories/ZDI-10-203/
http://www.zerodayinitiative.com/advisories/ZDI-10-204/
http://www.zerodayinitiative.com/advisories/ZDI-10-205/
http://www.zerodayinitiative.com/advisories/ZDI-10-206/
http://www.zerodayinitiative.com/advisories/ZDI-10-207/
http://www.zerodayinitiative.com/advisories/ZDI-10-208/

SkyLined:
http://code.google.com/p/skylined/issues/detail?id=18
http://code.google.com/p/skylined/issues/detail?id=23

Security-Assessment.com:
http://www.security-assessment.com/files/advisories/Oracle_JRE_java_net_urlconnection_SOP_Bypass.pdf

Minded Security:
http://blog.mindedsecurity.com/2010/10/java-jnlp-applet-user-assisted.html
http://blog.mindedsecurity.com/2010/10/dns-rebinding-on-java-applets.html
http://blog.mindedsecurity.com/2010/10/java-applet-same-ip-host-access.html
http://blog.mindedsecurity.com/2010/10/http-request-splitting-and-header-abuse.html
http://blog.mindedsecurity.com/2010/10/get-internal-network-information-with.html