
Oracle Java Multiple Vulnerabilities


Secunia ID

SA49472

CVE-ID

CVE-2012-0551, CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725, CVE-2012-1726

Release Date

13 Jun 2012

Last Change

21 Dec 2012

Criticality

Highly Critical

Solution Status

Vendor Patch

Software

Oracle Java JDK 1.5.x / 5.x
Oracle Java JDK 1.7.x / 7.x
Oracle Java JRE 1.7.x / 7.x
Oracle Java SDK 1.4.x / 4.x
Sun Java JDK 1.6.x / 6.x
Sun Java JRE 1.4.x / 4.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x

Where

From remote

Impact

DoS (Denial of Service)

This includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.

System access

This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.

Cross-Site Scripting

Cross-Site Scripting vulnerabilities allow a third party to manipulate the content or behaviour of a web application in a user's browser, without compromising the underlying system.

Different Cross-Site Scripting related vulnerabilities are also classified under this category, including "script insertion" and "cross-site request forgery".

Cross-Site Scripting vulnerabilities are often used against specific users of a website to steal their credentials or to conduct spoofing attacks.

Exposure of sensitive information

Vulnerabilities where documents or credentials are leaked or can be revealed either locally or from remote.

Manipulation of data

This includes vulnerabilities where a user or a remote attacker can manipulate local data on a system, but not necessarily be able to gain escalated privileges or system access.

The most frequent type of vulnerabilities with this impact are SQL-injection vulnerabilities, where a malicious user or person can manipulate SQL queries.

Description

Multiple vulnerabilities have been reported in Oracle Java, which can be exploited by malicious, local users to disclose potentially sensitive information, manipulate certain data, and cause a DoS (Denial of Service), and by malicious people to conduct cross-site scripting attacks, disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) An error in the "BasicService.showDocument" Java Web Start function allows passing additional parameters to a browser, which, depending on the default browser in use, may allow execution of arbitrary code.

2) An error when handling System Properties through JNLP files can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.

3) An error in the Deployment subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.

4) An error in the Hotspot subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.

5) An error in the Hotspot subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.

6) An error in the Swing subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.

Successful exploitation of vulnerabilities #1 through #6 may allow execution of arbitrary code.

7) An error in the CORBA subcomponent can be exploited to disclose and manipulate some data via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.

8) An error in the Libraries subcomponent can be exploited to disclose and manipulate some data via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.

9) An error in the Deployment subcomponent can be exploited via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.

For more information see vulnerability #2 in SA48798.

10) An error in the CORBA subcomponent can be exploited to manipulate some data via untrusted Java Web Start applications and untrusted Java applets in a client deployment only.

11) An error in the JAXP subcomponent can be exploited to manipulate some data and cause a DoS via untrusted Java Web Start applications and untrusted Java applets or specially crafted data passed to certain APIs.

12) An error in the Security subcomponent can be exploited to cause a DoS via untrusted Java Web Start applications and untrusted Java applets or specially crafted data passed to certain APIs.

13) An error in the Networking subcomponent can be exploited by local users to manipulate some data and cause a DoS to a server deployment running on Solaris only.

14) An error in the printing functionality due to creating temporary spool files with insecure permissions can be exploited to disclose the contents of printed documents owned by other users.

The vulnerabilities are reported in the following products:
* JDK and JRE version 7 Update 4 and prior.
* JDK and JRE version 6 Update 32 and prior.
* JDK and JRE version 5.0 Update 35 and prior.
* SDK and JRE version 1.4.2_37 and prior.
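
The affected ranges above can be checked against an inventory of installed Java versions. The following is an added example, not part of the original advisory: it parses legacy "1.x.y_uu" version strings (as printed by `java -version`) and compares the update number with the last affected update listed for each release family. The function names and sample lines are constructed for illustration, and release families not named in the list are reported as None rather than guessed.

```python
import re

# Last affected update per release family, taken from the advisory's list.
# Keys are (major, minor, micro) of the legacy "1.x.y_uu" version scheme.
LAST_AFFECTED = {
    (1, 7, 0): 4,    # JDK and JRE 7 Update 4 and prior
    (1, 6, 0): 32,   # JDK and JRE 6 Update 32 and prior
    (1, 5, 0): 35,   # JDK and JRE 5.0 Update 35 and prior
    (1, 4, 2): 37,   # SDK and JRE 1.4.2_37 and prior
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_version(text):
    """Return ((major, minor, micro), update) from a version string or a
    line of `java -version` output, or None if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    family = tuple(int(g) for g in m.group(1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0  # no "_uu" means update 0
    return family, update


def is_affected(text):
    """True or False for the four listed families; None when the version is
    unparseable or belongs to a family the advisory's list does not name."""
    parsed = parse_version(text)
    if parsed is None or parsed[0] not in LAST_AFFECTED:
        return None
    family, update = parsed
    return update <= LAST_AFFECTED[family]


# Constructed sample inventory (not real host data).
SAMPLE = [
    'java version "1.7.0_04"',
    'java version "1.7.0_05"',
    "1.6.0_32",
    "1.6.0_33-b03",
    "1.4.2_38",
    'openjdk version "11.0.2"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{line!r:32} affected={is_affected(line)}")
```

A result of None means the list above does not settle the question for that version, not that the installation is safe.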

Solution

Apply updates.

Reported by

1, 2) Chris Ries via ZDI.
14) Andrei Costin via Secunia.

It is currently unclear who reported the rest of the vulnerabilities as the Oracle Java Critical Patch Update for June 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory

Oracle:
http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
http://www.oracle.com/technetwork/topics/security/javacpujun2012verbose-1515971.html

Andrei Costin:
http://andreicostin.com/index.php/brain/2012/06/15/acsa_2012_03_java_print_spooling_data_le

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-12-142/
http://archives.neohapsis.com/archives/fulldisclosure/2012-12/0206.html