kjkoster
10-01-2009, 19:50
Dear All,
At the end of 2008 Sun has released version 1.6.0_11 of the JDK. This version fixes a whole slew of security issues. Here's a list of fixes that I collected from the various security feeds and blogs. Some of these we have discussed before.
Please note that not all versions of Java are vulnerable to the list below. If you see a vulnerability that may apply to your environment, please read the CVE announcement carefully. Also, not all vulnerabilities are equally severe. As always, do your own research.
Also, some vulnerabilities are marked as "Unspecified vulnerability". Very annoying if you are trying to see if you are vulnerable or not. I presume they do that to protect the unpatched. These are likely to be updated in the future. Digging into Sun's bug database can reveal more detail.
CVE-2008-2086: Java Web Start File Inclusion vulnerability (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2086)
CVE-2008-2938: (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2938) Note that you already know this one as a Tomcat vulnerability, but it extends into the JDK as well. That is why Sun released a patch.
CVE-2008-3109: Unspecified vulnerability in scripting language support. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3109)
CVE-2008-3110: Unspecified vulnerability in scripting language support. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3110)
CVE-2008-3105: Unspecified vulnerability in the JAX-WS client and service. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3105)
CVE-2008-3106: Unspecified vulnerability allows remote attackers to access URLs via unknown vectors involving processing of XML data by an untrusted application or applet. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3106)
CVE-2008-5339: Unspecified vulnerability, allows untrusted JWS applications to perform network connections to unauthorized hosts via unknown vectors. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5339)
CVE-2008-5341: Unspecified vulnerability, allows untrusted JWS applications to obtain the pathname of the JWS cache and the application username via unknown vectors. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5341)
CVE-2008-5342: Unspecified vulnerability in the BasicService for Java Web Start (JWS). Allows untrusted downloaded applications to cause local files to be displayed in the browser of the user of the untrusted application via unknown vectors. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5342)
CVE-2008-5343: Java Web Start (JWS). Allows remote attackers to make unauthorized network connections and hijack HTTP sessions via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR" (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5343). Nice name, and a testament to the lengths people will go to in order to get into a system. Wow, I'd love to learn what makes you think of making a file both a JAR file and a GIF image. Here is some discussion of GIFAR files (http://xs-sniper.com/blog/2008/12/17/sun-fixes-gifars/).
CVE-2008-5344: Unspecified vulnerability in Java Web Start. Allows untrusted applets to read arbitrary files and make unauthorized network connections via unknown vectors related to applet classloading. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5344)
CVE-2008-5345: Unspecified vulnerability in Java Runtime Environment. Allows code that is loaded from a local filesystem to read arbitrary files and make unauthorized connections to localhost via unknown vectors. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5345)
CVE-2008-5346: Unspecified vulnerability in Java Runtime Environment version 5.0 Update 16 and earlier. Allows untrusted applets and applications to read arbitrary memory via a crafted ZIP file. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5346)
CVE-2008-5347: Multiple unspecified vulnerabilities in Java Runtime Environment. Allows untrusted applets and applications to gain privileges via vectors related to access to inner classes in the (1) JAX-WS and (2) JAXB packages. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5347)
CVE-2008-5348: Unspecified vulnerability in Java Runtime Environment. Allows remote attackers to cause a denial of service (OS resource consumption) via unknown vectors. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5348)
CVE-2008-5348: Unspecified vulnerability in Java Runtime Environment. Allows remote attackers to cause a denial of service (CPU consumption) via a crafted RSA public key. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5348)
CVE-2008-5350: Unspecified vulnerability in Java Runtime Environment. Allows untrusted applications and applets to list the contents of the operating user's directory via unknown vectors. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5350)
CVE-2008-5351: Java Runtime Environment accepts UTF-8 encodings that are not the "shortest" form, which makes it easier for attackers to bypass protection mechanisms for other applications that rely on shortest-form UTF-8 encodings. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5351)
CVE-2008-5352: Integer overflow in the JAR unpacking utility (unpack200) in the unpack library (unpack.dll). Allows untrusted applications and applets to gain privileges via a Pack200 compressed JAR file that triggers a heap-based buffer overflow. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5352)
CVE-2008-5353: Unspecified vulnerability. Allows untrusted applets and applications to gain privileges via unknown vectors related to "deserializing calendar objects." (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5353)
CVE-2008-5354: Stack-based buffer overflow. Allows locally-launched and possibly remote untrusted Java applications to execute arbitrary code via a JAR file with a long Main-Class manifest entry. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5354)
CVE-2008-5355: The "Java Update" feature does not verify the signature of the JRE that is downloaded, which allows remote attackers to execute arbitrary code via DNS man-in-the-middle attacks. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5355)
CVE-2008-5356: Heap-based buffer overflow might allow remote attackers to execute arbitrary code via a crafted TrueType font file. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5356)
CVE-2008-5357: Integer overflow might allow remote attackers to execute arbitrary code via a crafted TrueType font file, which triggers a heap-based buffer overflow. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5357)
CVE-2008-5358: Java Runtime Environment might allow remote attackers to execute arbitrary code via a crafted GIF file that triggers memory corruption during display of the splash screen, possibly related to splashscreen.dll. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5358)
CVE-2008-5359: Buffer overflow might allow remote attackers to execute arbitrary code via unknown vectors related to "image processing code." (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5359)
CVE-2008-5360: Java Runtime Environment creates temporary files with predictable file names, which allows attackers to write malicious JAR files via unknown vectors. (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5360)
ZDI-08-080: (No CVE id) The specific flaw occurs within the Java AWT library. If a custom image model is used for the source 'Raster' during a conversion through a 'ConvolveOp' operation, the imaging library will calculate the size of the destination raster for the conversion incorrectly, leading to a heap-based overflow. This can result in arbitrary code execution under the context of the current user. (http://www.zerodayinitiative.com/advisories/ZDI-08-080/)
ZDI-08-081: (No CVE id) These vulnerabilities allow remote attackers to bypass sandbox restrictions on vulnerable installations of Sun Java Web Start. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. (http://www.zerodayinitiative.com/advisories/ZDI-08-081/)
That's quite a list. If you ever wanted to scare anyone out of using Java, just point them to this page. :-)
Unfortunately FreeBSD users trail behind this release cycle a little. The FreeBSD ports are still at JDK 1.6.0_03 and 1.5.0_14.
Kees Jan
PS. Goodness. Compiling a list like this is b.o.r.i.n.g.
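The CVE-2008-5351 entry above turns on one rule: a decoder must reject UTF-8 sequences that are not the shortest form for their code point, otherwise a filter that checks for "/" before decoding can be sidestepped by an overlong encoding of the same character. As an added example that is not part of the original post or of Sun's code, here is a strict validator that enforces that rule (and the surrogate and range rules from the same standard) over a few constructed byte strings:

```python
# Added example, not from the original post: a strict UTF-8 validator that
# rejects non-shortest-form ("overlong") sequences, the input class that
# CVE-2008-5351 describes the JRE accepting. Sample inputs are constructed.

def utf8_validate(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only for well-formed, shortest-form UTF-8."""
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                      # plain ASCII byte
            i += 1
            continue
        # Sequence length from the lead byte, plus the smallest code point
        # that length is allowed to encode (anything below it is overlong).
        if 0xC2 <= b <= 0xDF:
            length, cp, minimum = 2, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            length, cp, minimum = 3, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF4:
            length, cp, minimum = 4, b & 0x07, 0x10000
        else:
            # 0x80-0xBF: stray continuation; 0xC0/0xC1: always overlong; 0xF5+: out of range
            return False, f"invalid lead byte 0x{b:02X} at offset {i}"
        if i + length > n:
            return False, f"truncated sequence at offset {i}"
        for j in range(1, length):
            c = data[i + j]
            if c & 0xC0 != 0x80:
                return False, f"bad continuation byte 0x{c:02X} at offset {i + j}"
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:
            return False, f"overlong encoding of U+{cp:04X} at offset {i}"
        if 0xD800 <= cp <= 0xDFFF:
            return False, f"UTF-16 surrogate U+{cp:04X} at offset {i}"
        if cp > 0x10FFFF:
            return False, f"code point U+{cp:X} out of range at offset {i}"
        i += length
    return True, "ok"


# Constructed samples: the shortest form of "/" beside two overlong forms of it.
SAMPLES = {
    "shortest":       b"/etc/passwd",
    "overlong-2byte": b"\xc0\xaf",           # would decode to U+002F '/' if accepted
    "overlong-3byte": b"\xe0\x80\xaf",       # same character, three bytes
    "multibyte-ok":   "ünïcödé €".encode("utf-8"),
    "surrogate":      b"\xed\xa0\x80",       # U+D800, never valid in UTF-8
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ok, reason = utf8_validate(raw)
        print(f"{name:15s} {'accept' if ok else 'reject'}: {reason}")
```

Run the validator on bytes before any character-level filtering; a lenient decoder applied first is exactly the ordering the CVE text warns about.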