ID: 3731
Date: 08/12/2008
Title: 3731 - Sun Java Updates for Multiple Vulnerabilities
Platform level affected:Net Application - Client
Hardware components affected:Intel PC
Specific operating systems components affected: 32-bit Windows
Net-enabled software: Other
Security software:Other
Other software: Run-time Environment
Remediation Summary:Update your copy of the software with the download available from the supplier.
Vendors affected:Sun
Applications affected:Java
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Active
Potential Damage: Remote execution/modification
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: US-CERT
Reliability of source: Trusted
Source URL: http://www.us-cert.gov/cas/techalerts/TA08-340A.html
Abstract: Sun has released alerts to address multiple vulnerabilities affecting the Sun Java Runtime Environment. The most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code.
National Cyber Alert System
Technical Cyber Security Alert TA08-340A
Sun Java Updates for Multiple Vulnerabilities
Original release date: December 05, 2008
Last revised: --
Source: US-CERT
Systems Affected
Sun Java Runtime Environment versions
* JDK and JRE 6 Update 10 and earlier
* JDK and JRE 5.0 Update 16 and earlier
* SDK and JRE 1.4.2_18 and earlier
* SDK and JRE 1.3.1_23 and earlier
Overview
Sun has released alerts to address multiple vulnerabilities
affecting the Sun Java Runtime Environment. The most severe of
these vulnerabilities could allow a remote attacker to execute
arbitrary code.
I. Description
The Sun Java Runtime Environment (JRE) allows users to run Java
applications in a browser or as standalone programs. Sun has
released updates to the Java Runtime Environment software to
address multiple vulnerabilities.
Sun released the following alerts to address these issues:
* 244986 : The Java Runtime Environment Creates Temporary Files
That Have "Guessable" File Names
* 244987 : Java Runtime Environment (JRE) Buffer Overflow
Vulnerabilities in Processing Image Files and Fonts May Allow
Applets or Java Web Start Applications to Elevate Their Privileges
* 244988 : Multiple Security Vulnerabilities in Java Web Start
and Java Plug-in May Allow Privilege Escalation
* 244989 : The Java Runtime Environment (JRE) "Java Update"
Mechanism Does Not Check the Digital Signature of the JRE that it
Downloads
* 244990 : A Buffer Overflow Vulnerability in the Java Runtime
Environment (JRE) May Allow Privileges to be Escalated
* 244991 : A Security Vulnerability in the Java Runtime
Environment (JRE) Related to Deserializing Calendar Objects May
Allow Privileges to be Escalated
* 245246 : The Java Runtime Environment UTF-8 Decoder May Allow
Multiple Representations of UTF-8 Input
* 246266 : Security Vulnerability in Java Runtime Environment May
Allow Applets to List the Contents of the Current User's Home
Directory
* 246286 : Security Vulnerability in the Java Runtime Environment
With Processing RSA Public Keys
* 246346 : A Security Vulnerability in Java Runtime Environment
(JRE) With Authenticating Users Through Kerberos May Lead to a
Denial of Service (DoS)
* 246366 : Security Vulnerabilities in the Java Runtime
Environment (JRE) JAX-WS and JAXB Packages may Allow Privileges to
be Escalated
* 246386 : A Security Vulnerability in Java Runtime Environment
(JRE) With Parsing of Zip Files May Allow Reading of Arbitrary
Memory Locations
* 246387 : A Security Vulnerability in the Java Runtime
Environment may Allow Code Loaded From the Local Filesystem to
Access LocalHost
II. Impact
The impacts of these vulnerabilities vary. The most severe of these
vulnerabilities allows a remote attacker to execute arbitrary code.
III. Solution
Apply an update from Sun
These issues are addressed in the following versions of the Sun
Java Runtime Environment:
* JDK and JRE 6 Update 11
* JDK and JRE 5.0 Update 17
* SDK and JRE 1.4.2_19
* SDK and JRE 1.3.1_24
If you install the latest version of Java, older versions may
remain installed on your computer. If you do not need these older
versions, you can remove them by following Sun's instructions.
Disable Java
Disable Java in your web browser, as described in the Securing Your
Web Browser document. While this does not fix the underlying
vulnerabilities, it does block a common attack vector.
IV. References
* Sun Alert 244986 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-244986-1>
* Sun Alert 244987 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1>
* Sun Alert 244988 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1>
* Sun Alert 244989 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-244989-1>
* Sun Alert 244990 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-244990-1>
* Sun Alert 244991 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1>
* Sun Alert 245246 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-245246-1>
* Sun Alert 246266 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-246266-1>
* Sun Alert 246286 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-246286-1>
* Sun Alert 246346 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-246346-1>
* Sun Alert 246366 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-246366-1>
* Sun Alert 246386 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-246386-1>
* Sun Alert 246387 -
<http://sunsolve.sun.com/search/document.do?assetkey=1-66-246387-1>
* Java SE Technologies at a Glance -
<http://java.sun.com/javase/technologies/>
* Java SE Security -
<http://java.sun.com/javase/technologies/security/index.jsp>
* Can I remove older versions of the JRE after installing a newer
version? -
<http://www.java.com/en/download/faq/5000070400.xml>
* Securing Your Web Browser -
<http://www.us-cert.gov/reading_room/securing_browser/>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA08-340A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-340A Feedback VU#544435" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2008 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
December 05, 2008: Initial release
This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.
The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.
CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
Mon, 08 Dec 2008 14:30:00 GMT
Domain affected: Technical