SAINT Corporation
SAINT:96A6F6012957FA9B84069EE01FE7DF84
Feb 26, 2009 - 12:00 a.m.

Java Runtime Environment JAR manifest Main Class buffer overflow

2009-02-26 00:00:00
SAINT Corporation
download.saintcorporation.com

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.422 Medium
Percentile: 97.2%

Added: 02/26/2009
CVE: CVE-2008-5354
BID: 32608
OSVDB: 50499

Background

Java Runtime Environment (JRE) allows end users to run Java applications.

Problem

A buffer overflow vulnerability in JRE allows command execution when a user opens a JAR archive containing a manifest file with a specially crafted Main Class entry.

Resolution

Apply the patch referenced in Sun document 244990.
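A triage check for the condition described under Problem, added here as an example and not code from SAINT or Sun: it reads the Main-Class value from a JAR's manifest, joining continuation lines, and flags values that are unusually long or not a syntactically valid class name. The 256-character threshold, the function names, and the reading of "specially crafted" as an oversized or malformed value are assumptions, not details from the advisory.

```python
import io
import re
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Assumed triage threshold (not from the advisory): real class names are short.
MAX_MAIN_CLASS_LEN = 256
# Approximation of a fully qualified class name: dot-separated identifiers.
CLASS_NAME_RE = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\Z")


def main_class(manifest_bytes):
    """Return the Main-Class value from manifest bytes, or None if absent."""
    text = manifest_bytes.decode("utf-8", errors="replace")
    # Normalise line endings, then join continuation lines (newline + one space).
    text = text.replace("\r\n", "\n").replace("\r", "\n").replace("\n ", "")
    for line in text.split("\n"):
        if not line:
            break  # a blank line ends the manifest's main section
        name, sep, value = line.partition(": ")
        if sep and name.lower() == "main-class":
            return value.strip()
    return None


def check_jar(jar_bytes):
    """Return a list of findings for the JAR's Main-Class manifest entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = {n.upper(): n for n in jar.namelist()}
        if MANIFEST not in names:
            return findings
        value = main_class(jar.read(names[MANIFEST]))
    if value is None:
        return findings
    if len(value) > MAX_MAIN_CLASS_LEN:
        findings.append("Main-Class is %d characters long" % len(value))
    if not CLASS_NAME_RE.match(value):
        findings.append("Main-Class is not a valid class name")
    return findings


def build_jar(manifest_text):
    """Build an in-memory JAR holding only a manifest (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, manifest_text)
    return buf.getvalue()
```

Run `check_jar` over the bytes of JAR files received by mail or download before they reach a host still running an unpatched JRE; an empty list means the Main-Class entry looks ordinary, not that the archive is safe.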

References

<http://www.us-cert.gov/cas/techalerts/TA08-340A.html>

Limitations

The exploit works on Java Runtime Environment 1.6 Update 10 and requires a user to open the exploit file.

Execution of this exploit requires the Digest::CRC Perl module. On Linux systems this is typically found in a package with a name such as libdigest-crc-perl or perl-Digest-CRC.

Platforms

Windows 2000
Windows XP
