----------------------------------------------------------------------

TITLE:
Sun Java JDK / JRE Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA32991

VERIFY ADVISORY:
http://secunia.com/advisories/32991/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Exposure of system information, Exposure of sensitive
information, DoS, System access

WHERE:
From remote

SOFTWARE:
Sun Java SDK 1.4.x
http://secunia.com/advisories/product/1661/
Sun Java SDK 1.3.x
http://secunia.com/advisories/product/1660/
Sun Java JRE 1.6.x / 6.x
http://secunia.com/advisories/product/12878/
Sun Java JRE 1.5.x / 5.x
http://secunia.com/advisories/product/4228/
Sun Java JRE 1.4.x
http://secunia.com/advisories/product/784/
Sun Java JRE 1.3.x
http://secunia.com/advisories/product/87/
Sun Java JDK 1.6.x
http://secunia.com/advisories/product/14273/
Sun Java JDK 1.5.x
http://secunia.com/advisories/product/4621/
Java Web Start 1.x
http://secunia.com/advisories/product/1005/
Java Web Start 6.x
http://secunia.com/advisories/product/15779/
Java Web Start 5.x
http://secunia.com/advisories/product/18035/

DESCRIPTION:
Some vulnerabilities have been reported in Sun Java, which can be
exploited by malicious people to bypass certain security restrictions,
disclose sensitive information, cause a DoS (Denial of Service), or
compromise a vulnerable system.

1) The Java Runtime Environment (JRE) creates temporary files with
insufficiently random names. This can be exploited to write arbitrary
JAR files and perform restricted actions on the affected system.

2) Multiple errors in the JRE image processing implementation can be
exploited to cause buffer overflows.
3) Multiple errors in the JRE when processing GIF images can be
exploited to cause buffer overflows.

4) Multiple errors in the JRE when processing fonts can be exploited to
cause buffer overflows.

5) An error in the JRE can be exploited to establish network
connections to arbitrary hosts.

6) An error when launching Java Web Start applications can be exploited
by an untrusted application to e.g. read, write, or execute local files
with the privileges of the user running the application.

7) An error can be exploited by an untrusted Java Web Start application
to obtain the current username and the location of the Java Web Start
cache.

8) An error in Java Web Start can be exploited to perform restricted
actions (e.g. modify system properties).

9) An error in Java Web Start and Java Plug-in can be exploited to
hijack HTTP sessions.

10) An error in the JRE applet class loading functionality can be
exploited to read arbitrary files and establish network connections to
arbitrary hosts.

11) An error in the Java Web Start BasicService can be exploited to
open arbitrary local files in the user's browser.

12) The "Java Update" mechanism does not check the digital signature of
the downloaded update package. This can be exploited to execute
arbitrary code via e.g. a MitM (Man-in-the-Middle) or DNS spoofing
attack.

13) A boundary error can be exploited by an untrusted Java application
that is launched through the command line to cause a buffer overflow.

14) An error when deserializing calendar objects can be exploited by an
untrusted Java applet to e.g. read, write, or execute local files.

15) An error in the JRE when unpacking applets can be exploited to
cause a buffer overflow.

16) The UTF-8 decoder accepts encodings longer than the "shortest"
form. This can potentially be exploited to trick applications using the
decoder into accepting invalid sequences and e.g. disclose sensitive
information via specially crafted URIs.
17) An error in the JRE can be exploited to list the contents of the
user's home directory.

18) An error when processing RSA public keys can be exploited to
consume large amounts of CPU.

19) An error in the JRE Kerberos authentication mechanism can be
exploited to potentially exhaust operating system resources.

20) Multiple errors in the JAX-WS and JAXB JRE packages can be
exploited by an untrusted Java applet to e.g. read, write, or execute
local files.

21) An error when processing ZIP files can be exploited to disclose
arbitrary memory locations from the host process.

22) An error can be exploited by malicious code loaded from the local
filesystem to gain network access to the local host.

Please see the vendor advisories for details on affected products and
versions.

SOLUTION:
Update to a fixed version.

JDK and JRE 6 Update 11:
http://java.sun.com/javase/downloads/index.jsp

JDK and JRE 5.0 Update 17:
http://java.sun.com/javase/downloads/index_jdk5.jsp

SDK and JRE 1.4.2_19:
http://java.sun.com/j2se/1.4.2/download.html

SDK and JRE 1.3.1_24 (for customers with Solaris 8 and Vintage Support
Offering support contracts):
http://java.sun.com/j2se/1.3/download.html

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
2) An anonymous researcher working with ZDI
3) iDefense
4) Sebastian Apelt working with iDefense
5, 6, 7) Peter Csepely working with ZDI
8) Virtual Security Research
9) Billy Rios of Microsoft and Nate Mcfeters of Ernst and Young
10) Peter Csepely working with ZDI and John Heasman of NGSSoftware
12) Francisco Amato
13) Stefan Middendorf from Cirosec
14) Sami Koivu
15) "regenrecht" working with iDefense
17) Henri Torgemane and Sami Koivu
19) Jan Grant of Bristol University
20) Adam Gowdiak
21) University of Oulu

ORIGINAL ADVISORY:
Sun:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244986-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244989-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244990-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244992-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-245246-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246266-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246286-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246346-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246366-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246386-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-246387-1

Virtual Security Research:
http://www.vsecurity.com/bulletins/advisories/2008/JWS-props.txt

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link. Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
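Item 16 above concerns a UTF-8 decoder that accepts non-shortest-form ("overlong") sequences. The following Python decoder is an added illustration, not part of this advisory or of Sun's code: it shows the single check whose absence produces that class of bug, with `strict=False` mimicking the flawed behaviour on constructed byte samples.

```python
# Added example, not part of the Secunia advisory or Sun's code: a small UTF-8
# decoder with the "shortest form" check that item 16 says the affected JRE
# decoder lacked.  strict=False mimics the flawed behaviour; the byte samples
# below are constructed for illustration.
from typing import Optional

OVERLONG_SLASH = b"\xC0\xAF"   # 2-byte encoding of U+002F '/', must be rejected


def decode_utf8(data: bytes, strict: bool = True) -> str:
    """Decode UTF-8; raise ValueError on malformed input (overlong only if strict)."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            cp, need, minimum = b, 0, 0
        elif 0xC0 <= b <= 0xDF:
            cp, need, minimum = b & 0x1F, 1, 0x80      # 0xC0/0xC1 only yield overlongs
        elif 0xE0 <= b <= 0xEF:
            cp, need, minimum = b & 0x0F, 2, 0x800
        elif 0xF0 <= b <= 0xF7:
            cp, need, minimum = b & 0x07, 3, 0x10000
        else:
            raise ValueError(f"invalid lead byte 0x{b:02X} at offset {i}")
        if i + need >= n:
            raise ValueError(f"truncated sequence at offset {i}")
        for k in range(1, need + 1):
            c = data[i + k]
            if c & 0xC0 != 0x80:
                raise ValueError(f"invalid continuation byte 0x{c:02X} at offset {i + k}")
            cp = (cp << 6) | (c & 0x3F)
        # The check at issue: a code point encoded in more bytes than needed.
        # Without it, C0 AF decodes to '/' although no 0x2F byte was present,
        # so a byte-level filter for "../" never sees the separator.
        if strict and cp < minimum:
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"invalid code point U+{cp:04X} at offset {i}")
        out.append(chr(cp))
        i += need + 1
    return "".join(out)


def reject_reason(data: bytes, strict: bool = True) -> Optional[str]:
    """None if data decodes cleanly, else the rejection reason without the offset."""
    try:
        decode_utf8(data, strict)
        return None
    except ValueError as err:
        return str(err).split(" at offset ")[0]
```

Running `decode_utf8(b".." + OVERLONG_SLASH, strict=False)` yields `"../"`, while the strict default rejects the same bytes with `overlong encoding of U+002F`.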