Security Advisory: US-CERT Technical Cyber Security Alert TA08-340A -- Sun Java Updates for Multiple Vulnerabilities

[EN] securityvulns.ru
no-pyccku

Related information
  Sun Java JRE / JDK / Web Start multiple security vulnerabilities
  [TZO-12-2009] SUN / Oracle JVM Remote code execution
  [USN-713-1] openjdk-6 vulnerabilities
  ZDI-08-081: Sun Java Web Start and Applet Multiple Sandbox Bypass Vulnerabilities
  ZDI-08-080: Sun Java AWT Library Sandbox Violation Vulnerability

From: CERT <cert_(at)_cert.gov>
Date: 10.12.2008
Subject: US-CERT Technical Cyber Security Alert TA08-340A -- Sun Java Updates for Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                   National Cyber Alert System

             Technical Cyber Security Alert TA08-340A

Sun Java Updates for Multiple Vulnerabilities

  Original release date: December 05, 2008
  Last revised: --
  Source: US-CERT

Systems Affected

    Sun Java Runtime Environment versions

    * JDK and JRE 6 Update 10 and earlier
    * JDK and JRE 5.0 Update 16 and earlier
    * SDK and JRE 1.4.2_18 and earlier
    * SDK and JRE 1.3.1_23 and earlier

Overview

  Sun has released alerts to address multiple vulnerabilities
  affecting the Sun Java Runtime Environment. The most severe of
  these vulnerabilities could allow a remote attacker to execute
  arbitrary code.

I. Description

  The Sun Java Runtime Environment (JRE) allows users to run Java
  applications in a browser or as standalone programs. Sun has
  released updates to the Java Runtime Environment software to
  address multiple vulnerabilities.

  Sun released the following alerts to address these issues:

  * 244986 : The Java Runtime Environment Creates Temporary Files
  That Have "Guessable" File Names

  * 244987 : Java Runtime Environment (JRE) Buffer Overflow
  Vulnerabilities in Processing Image Files and Fonts May Allow
  Applets or Java Web Start Applications to Elevate Their Privileges

  * 244988 : Multiple Security Vulnerabilities in Java Web Start
  and Java Plug-in May Allow Privilege Escalation

  * 244989 : The Java Runtime Environment (JRE) "Java Update"
  Mechanism Does Not Check the Digital Signature of the JRE that it
  Downloads

  * 244990 : A Buffer Overflow Vulnerability in the Java Runtime
  Environment (JRE) May Allow Privileges to be Escalated

  * 244991 : A Security Vulnerability in the Java Runtime
  Environment (JRE) Related to Deserializing Calendar Objects May
  Allow Privileges to be Escalated

  * 245246 : The Java Runtime Environment UTF-8 Decoder May Allow
  Multiple Representations of UTF-8 Input

  * 246266 : Security Vulnerability in Java Runtime Environment May
  Allow Applets to List the Contents of the Current User's Home
  Directory

  * 246286 : Security Vulnerability in the Java Runtime Environment
  With Processing RSA Public Keys

  * 246346 : A Security Vulnerability in Java Runtime Environment
  (JRE) With Authenticating Users Through Kerberos May Lead to a
  Denial of Service (DoS)

  * 246366 : Security Vulnerabilities in the Java Runtime
  Environment (JRE) JAX-WS and JAXB Packages may Allow Privileges to
  be Escalated

  * 246386 : A Security Vulnerability in Java Runtime Environment
  (JRE) With Parsing of Zip Files May Allow Reading of Arbitrary
  Memory Locations

  * 246387 : A Security Vulnerability in the Java Runtime
  Environment may Allow Code Loaded From the Local Filesystem to
  Access LocalHost

II. Impact

  The impacts of these vulnerabilities vary. The most severe of these
  vulnerabilities allows a remote attacker to execute arbitrary code.

III. Solution

  Apply an update from Sun

  These issues are addressed in the following versions of the Sun
  Java Runtime Environment:

  * JDK and JRE 6 Update 11
  * JDK and JRE 5.0 Update 17
  * SDK and JRE 1.4.2_19
  * SDK and JRE 1.3.1_24

  If you install the latest version of Java, older versions may
  remain installed on your computer. If you do not need these older
  versions, you can remove them by following Sun's instructions.

  Disable Java

  Disable Java in your web browser, as described in the Securing Your
  Web Browser document. While this does not fix the underlying
  vulnerabilities, it does block a common attack vector.

IV. References

* Sun Alert 244986 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-244986-1>

* Sun Alert 244987 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-244987-1>

* Sun Alert 244988 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1>

* Sun Alert 244989 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-244989-1>

* Sun Alert 244990 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-244990-1>

* Sun Alert 244991 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1>

* Sun Alert 245246 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-245246-1>

* Sun Alert 246266 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-246266-1>

* Sun Alert 246286 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-246286-1>

* Sun Alert 246346 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-246346-1>

* Sun Alert 246366 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-246366-1>

* Sun Alert 246386 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-246386-1>

* Sun Alert 246387 -
  <http://sunsolve.sun.com/search/document.do?assetkey=1-66-246387-1>

* Java SE Technologies at a Glance -
  <http://java.sun.com/javase/technologies/>

* Java SE Security -
  <http://java.sun.com/javase/technologies/security/index.jsp>

* Can I remove older versions of the JRE after installing a newer
  version? -
  <http://www.java.com/en/download/faq/5000070400.xml>

* Securing Your Web Browser -
  <http://www.us-cert.gov/reading_room/securing_browser/>

____________________________________________________________________

  The most recent version of this document can be found at:

    <http://www.us-cert.gov/cas/techalerts/TA08-340A.html>
____________________________________________________________________

  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <cert@cert.org> with "TA08-340A Feedback VU#544435" in
  the subject.
____________________________________________________________________

  For instructions on subscribing to or unsubscribing from this
  mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

  Produced 2008 by US-CERT, a government organization.

  Terms of use:

    <http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

December 05, 2008: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSTmWjXIHljM+H4irAQLfMAgAloMlpeNv+WLW09EaIhzZ/VlEXwJnhB09
ResaptUSMPL+gEZF91XqfO+l6e0GEdWn9jhmU5uyxGLdqBfHc292LAOq2Ip2xbfE
IRFDAai//TCRNKI49i9zJhFAhTfuUnWqRtxo56i6vgIvfEtL9Vh/lfQQakI2bZra
jMI7J28pz6RLhVWnYhn45ktRqCod7Nr4JpDCGcTX/GqpDn1IcMwUUqmobaK+Zat8
PTBxVczoMOc9npL5ytXktw6xjVDcnc1BPzMWIzutKUdCMxDc5kNqUr00hPT2LOlb
vWxWKiMl2Ziy26SzCuwblV5ThY7nzbGixG9GFuEQef3OBmDVRzYERw==
=XmO2
-----END PGP SIGNATURE-----

test server