Oracle Java SE Multiple Vulnerabilities


Secunia ID: SA48009

CVE-ID: CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0504, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507, CVE-2012-0508

Release Date: 15 Feb 2012

Last Change: 08 Jun 2012

Criticality: Highly Critical

Solution Status: Vendor Patch

Software:
Oracle Java JDK 1.7.x / 7.x
Oracle Java JRE 1.7.x / 7.x
Oracle JavaFX 1.x
Oracle JavaFX 2.x
Sun Java JDK 1.5.x
Sun Java JDK 1.6.x / 6.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x
Sun Java SDK 1.4.x

Where: From remote

Impact

DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Manipulation of data

This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system without necessarily being able to gain escalated privileges or system access.

The most frequent type of vulnerability with this impact is SQL injection, where a malicious user or person can manipulate SQL queries.

Description

Multiple vulnerabilities have been reported in Oracle Java SE, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) A type confusion error when handling the "surfaceData" object can be exploited to cause a heap-based buffer overflow.

2) A signedness error when processing the "readMabCurveData" tag descriptor within ICC color profiles can be exploited to incorrectly allocate memory and cause memory corruption.

3) An error when processing the IDEF opcode (0x89) during True Type font parsing can be exploited to cause a heap-based buffer overflow via a specially crafted font file.

4) Certain input passed via JNLP files is not properly sanitised before being used by Java Web Start and can be exploited to inject and execute arbitrary commands.

5) An error in the JavaFX component can be exploited to install an Oracle signed JAR file and invoke certain methods of a trusted class with arbitrary arguments.

6) An error in the Install component may allow execution of arbitrary code in a client deployment via the update mechanism.

This may be related to:
SA47134

7) An error in the handling of AtomicReferenceArray, due to its use of the Unsafe class to store references within the array, may result in a type-safety violation and allow escaping the JRE sandbox.

8) An error in the I18n component can be exploited to disclose and manipulate certain data and to cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

9) An error in the Serialization component can be exploited to disclose and manipulate certain data and to cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

10) An error in the AWT component can be exploited to disclose certain data and cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

11) An error in the Sound component can be exploited to disclose certain data and cause a DoS in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

12) An error in the Lightweight HTTP Server can be exploited to cause a DoS.

For more information:
SA47819

13) An off-by-one error in the "countCENHeaders()" function (zip_util.c of java.util.zip) when processing archive files can be exploited to cause a recursive loop and crash the JVM via a specially crafted ZIP file.
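Vulnerability #13 is triggered by a ZIP whose central directory does not match what its End Of Central Directory (EOCD) record claims. The following is an added example (not code from Secunia, Oracle or PRE-CERT, and not a reproduction of the flaw) of the kind of structural sanity check a gateway or upload handler can run on an archive before handing it to a JVM: it locates the EOCD, walks the central directory with every read bounded by the buffer length, and rejects archives whose header count or directory size disagrees with the EOCD. The sample archives are constructed in memory with Python's zipfile module; the helper that corrupts the entry count exists only to show the check firing.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # End Of Central Directory record signature
CEN_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_LEN = 22              # fixed part of the EOCD record
CEN_FIXED_LEN = 46         # fixed part of a central directory header


def find_eocd(data):
    """Locate the EOCD record. It may be followed by a comment of up to
    65535 bytes, so search backwards from the end within that window."""
    tail_start = max(0, len(data) - (EOCD_LEN + 0xFFFF))
    pos = data.rfind(EOCD_SIG, tail_start)
    return pos if pos != -1 else None


def walk_central_directory(data, cen_off, cen_size):
    """Count central directory headers in [cen_off, cen_off + cen_size).
    Every read is bounded by the buffer length, so a truncated or lying
    directory terminates the loop instead of over-reading or recursing."""
    pos = cen_off
    end = min(cen_off + cen_size, len(data))
    count = 0
    while pos + CEN_FIXED_LEN <= end:
        if data[pos:pos + 4] != CEN_SIG:
            break
        # file name, extra field and comment lengths sit at offsets 28, 30, 32
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        pos += CEN_FIXED_LEN + name_len + extra_len + comment_len
        count += 1
    return count, pos - cen_off


def check_zip_central_directory(data):
    """Return (ok, reason) for a ZIP held in memory."""
    eocd = find_eocd(data)
    if eocd is None:
        return False, "no EOCD record"
    # total entries (u16), central directory size (u32) and offset (u32)
    total_entries, cen_size, cen_off = struct.unpack_from("<HII", data, eocd + 10)
    if cen_off + cen_size > eocd:
        return False, "central directory extends past the EOCD record"
    count, walked = walk_central_directory(data, cen_off, cen_size)
    if count != total_entries:
        return False, "EOCD claims %d entries but %d central directory headers found" % (total_entries, count)
    if walked != cen_size:
        return False, "central directory size mismatch (%d walked, %d claimed)" % (walked, cen_size)
    return True, "ok"


def build_sample_zip(names):
    """Constructed sample archive with one stored member per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"sample")
    return buf.getvalue()


def corrupt_entry_count(data, claimed):
    """Constructed corruption: overwrite the EOCD's total entry count."""
    eocd = find_eocd(data)
    return data[:eocd + 10] + struct.pack("<H", claimed) + data[eocd + 12:]


if __name__ == "__main__":
    good = build_sample_zip(["a.txt", "b.txt"])
    print(check_zip_central_directory(good))
    print(check_zip_central_directory(corrupt_entry_count(good, 7)))
    print(check_zip_central_directory(good[:-30]))
```

The check deliberately trusts nothing in the EOCD beyond using it as a starting point: the header walk is bounded by the buffer, and both the header count and the walked byte length are compared back against the claimed values, so an archive that passes is at least internally consistent before any JVM-side parser sees it.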

14) An error in the CORBA component can be exploited to manipulate certain data in a client deployment via e.g. untrusted Web Start applications or untrusted applets.

15) An input sanitisation error in the Java Web Start component when handling certain parameters within JNLP files can be exploited to inject arbitrary command line arguments via e.g. a specially crafted "java-vm-args" parameter.

NOTE: This vulnerability may be related to vulnerability #4.
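Vulnerabilities #4 and #15 both come down to JNLP content reaching the Java launcher's command line without adequate sanitisation. The following added example (not Secunia's or Oracle's code, and not Oracle's actual Web Start allowlist) shows the defensive pattern a JNLP ingestion point can apply: extract the "java-vm-args" attribute from each j2se/java element and accept only tokens that match a strict character set and a small allowlist of known-benign options, rejecting everything else. The allowlist and both sample JNLP documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Illustrative allowlist (an assumption for this example): exact options and
# option prefixes that are considered safe to forward to the launched JVM.
ALLOWED_EXACT = {"-client", "-server", "-ea", "-da", "-esa", "-dsa", "-Xint"}
ALLOWED_PREFIXES = ("-Xmx", "-Xms", "-Xss", "-verbose:", "-ea:", "-da:")

# A token may only use a conservative character set; quotes, whitespace and
# other metacharacters are rejected before the allowlist is even consulted.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._:+=/@-]+$")


def is_allowed(token):
    """True if a single java-vm-args token is well-formed and allowlisted."""
    if not TOKEN_RE.match(token):
        return False
    if token in ALLOWED_EXACT:
        return True
    return any(token.startswith(prefix) for prefix in ALLOWED_PREFIXES)


def check_jnlp_vm_args(jnlp_xml):
    """Return (allowed, rejected) token lists for every java-vm-args attribute
    found on j2se/java elements in a JNLP document."""
    root = ET.fromstring(jnlp_xml)
    allowed, rejected = [], []
    for elem in root.iter():
        local_name = elem.tag.rsplit("}", 1)[-1]   # tolerate a namespace prefix
        if local_name not in ("j2se", "java"):
            continue
        for token in elem.get("java-vm-args", "").split():
            (allowed if is_allowed(token) else rejected).append(token)
    return allowed, rejected


# Constructed sample: only allowlisted options.
SAMPLE_OK = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://example.invalid/app/" href="app.jnlp">
  <resources>
    <j2se version="1.6+" java-vm-args="-Xmx256m -ea"/>
    <jar href="app.jar" main="true"/>
  </resources>
  <application-desc main-class="com.example.Main"/>
</jnlp>"""

# Constructed sample: one option outside the allowlist and one token that
# smuggles a quote and a space, both of which must be rejected.
SAMPLE_BAD = """<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://example.invalid/app/" href="app.jnlp">
  <resources>
    <j2se version="1.6+" java-vm-args='-Xmx256m -XX:+DisableExplicitGC "-Dfoo=bar baz"'/>
    <jar href="app.jar" main="true"/>
  </resources>
  <application-desc main-class="com.example.Main"/>
</jnlp>"""


if __name__ == "__main__":
    print(check_jnlp_vm_args(SAMPLE_OK))
    print(check_jnlp_vm_args(SAMPLE_BAD))
```

The policy decision a deployment has to make is what to do with a non-empty rejected list; the safe default is to refuse to launch rather than to strip the offending tokens, since a partially filtered argument string can still change JVM behaviour in ways the author did not intend.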

16) An error in the use of reflection when a class within the NEWT library is used as the main-class in a JNLP file can be exploited to call the main method of other trusted classes with arbitrary arguments.

17) An error in the Java GlueGen library can be exploited by a specially crafted Java applet to load arbitrary DLL files into the JRE process by calling "openLibraryGlobal".

18) An error in the Java OpenGL (JOGL) library can be exploited by a specially crafted Java applet to load arbitrary DLL files into the JRE process by calling "LoadLibraryA".

19) An error in the Java OpenAL (JOAL) library can be exploited by a specially crafted Java applet to call "dispatch_alDeleteBuffers1" with a user-controlled integer value being used as a function pointer.

Solution

Apply patches (please see the vendor's advisory for more information).

Reported by

1) An anonymous person via iDefense.
2) Alin Rad Pop (binaryproof) via ZDI.
3) Peter Vreugdenhil, TippingPoint DVLabs.
4) TELUS Security Labs.
5, 15-19) Chris Ries via ZDI.
7) Jeroen Frijters.
13) Timo Warns, PRESENSE Technologies via PRE-CERT.
15) An anonymous person via ZDI.

It is currently unclear who reported the remaining vulnerabilities as the Oracle Java SE Critical Patch Update for February 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory

Oracle:
http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

TELUS:
http://telussecuritylabs.com/threats/show/TSL20120214-01

PRE-CERT:
http://www.pre-cert.de/advisories/PRE-SA-2012-01.txt

iDefense:
http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=970

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-032/
http://www.zerodayinitiative.com/advisories/ZDI-12-037/
http://www.zerodayinitiative.com/advisories/ZDI-12-038/
http://www.zerodayinitiative.com/advisories/ZDI-12-039/
http://www.zerodayinitiative.com/advisories/ZDI-12-045/
http://www.zerodayinitiative.com/advisories/ZDI-12-060/
http://www.zerodayinitiative.com/advisories/ZDI-12-081/
http://www.zerodayinitiative.com/advisories/ZDI-12-082/
http://www.zerodayinitiative.com/advisories/ZDI-12-083/

TippingPoint DVLabs:
http://dvlabs.tippingpoint.com/advisory/TPTI-12-01

Jeroen Frijters:
http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3