English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1

Oracle Java SE Multiple Vulnerabilities


Secunia ID

SA46512

CVE-ID

CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561

Release Date

19 Oct 2011

Last Change

24 Jul 2013

Criticality

Highly Critical

Solution Status

Vendor Patch

Software

Oracle Java JDK 1.5.x / 5.x
Oracle Java JDK 1.6.x / 6.x
Oracle Java JDK 1.7.x / 7.x
Oracle Java JRE 1.5.x / 5.x
Oracle Java JRE 1.6.x / 6.x
Oracle Java JRE 1.7.x / 7.x
Oracle Java SDK 1.4.x / 4.x
Sun Java JRE 1.4.x / 4.x

Where

From remote

Impact
DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Hijacking

This covers vulnerabilities where a user session or a communication channel can be taken over by other users or remote attackers.

Manipulation of data

This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.

The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.

Spoofing

This covers various vulnerabilities where it is possible for malicious users or people to impersonate other users or systems.

Description

Multiple vulnerabilities have been reported in Oracle Java SE, which can be exploited by malicious users to disclose potentially sensitive information and by malicious people to disclose potentially sensitive information, hijack a user's session, conduct DNS cache poisoning attacks, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) A design error in the Secure Sockets Layer 3.0 (SSL) and Transport Layer Security 1.0 (TLS) protocols can be exploited to disclose potentially sensitive information via e.g. a Man-in-the-Middle (MitM) attack.

2) An error in the Deployment component may allow execution of arbitrary code in a client deployment via e.g untrusted applets.

This vulnerability affects Windows based platforms only.

3) A type checking error in the Deserialization component when handling IIOP deserialization may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

4) An input sanitisation error in the Scripting component when handling Rhino Javascript errors may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

5) A signedness error in jsound.dll when a function receives notifications of control-change events encountered in MIDI streams can be exploited to corrupt heap memory.

6) An error in the Deployment component can be exploited to disclose and manipulate certain data in a client deployment via e.g. untrusted applets.

7) An error in the Networking component can be exploited to disclose certain data in a client deployment via e.g. untrusted applets.

8) An error in the AWT component may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

9) An error in the Swing component may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

10) An error in the AWT component may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

11) An error in the 2D component may allow execution of arbitrary code in a client and server deployment via e.g untrusted applets or data sent to APIs through a web service.

12) The java.net.Socket API does not properly limit the number of concurrent UDP sockets, which can be exploited to conduct DNS cache poisoning attacks by exhausting available sockets by e.g. tricking a user into visiting a website containing malicious applets.

This may be related to vulnerability #19 in:
SA43262

13) An error in the JAXWS component can be exploited to disclose certain data in a server deployment via e.g. data sent to APIs through a web service.

14) An error in the Java Runtime Environment component may allow execution of arbitrary code in a client deployment via e.g. untrusted applets.

15) An error in the Java Runtime Environment component can be exploited to manipulate certain data and cause a DoS in a client deployment via e.g. untrusted applets.

16) An error in the RMI component can be exploited to disclose and manipulate certain data and to cause a DoS in a RMI server deployment.

17) An error in the RMI component can be exploited to disclose and manipulate certain data and to cause a DoS in a RMI server deployment.

18) An error in the HotSpot component can be exploited to disclose certain data in a client deployment via e.g. untrusted applets.

19) An error in the JSSE component can be exploited to disclose and manipulate certain data in a client deployment via e.g. untrusted applets.

20) An error in the Deployment component can be exploited to disclose certain data in a client deployment via e.g. untrusted applets.

Solution

Apply updates (please see the vendor's advisory for details).

Reported by

3) Sami Koivu via ZDI.
4) Michael Schierl via ZDI.
5) axtaxt via ZDI.
12) Roee Hay and Yair Amit, IBM Rational Application Security Research Group.

It is currently unclear who reported the remaining vulnerabilities as the Oracle Java SE Critical Patch Update for October 2011 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory

Oracle:
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html

IBM:
http://blog.watchfire.com/files/dnsp_port_exhaustion.pdf
http://roeehay.blogspot.com/2011/10/dns-poisoning-via-port-exhaustion.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-305/
http://www.zerodayinitiative.com/advisories/ZDI-11-306/
http://www.zerodayinitiative.com/advisories/ZDI-11-307/