SAINT CorporationSAINT:F995AD645FBB3DCAF943471F0A221EB9Java Runtime Environment Soundbank Resource Name Stack Buffer Overflow
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.047 Low
EPSS
Percentile
92.5%
Added: 04/22/2010
CVE: CVE-2010-0839
BID: 39070
OSVDB: 63494
Background
The Java Runtime Environment (JRE) is part of the Java Development Kit (JDK), a set of programming tools for developing Java applications. The JRE Java programming class library contains the Java Sound Application Interface (API) to provide low-level support for audio operations. The Java Sound API includes the Soundbank interface which contains a set of instruments and SoundbankResources that can be loaded from any arbitrary stream, including file and network streams.
Problem
JRE is vulnerable to a stack buffer overflow due to a sign extension error when parsing the length of a resource name in a Soundbank file. A remote unauthenticated attacker can exploit this vulnerability by enticing a user to open a malicious Java applet with a vulnerable application.
Resolution
Apply the patch for the vulnerable product.
References
<http://secunia.com/advisories/37255/>
Limitations
Exploit works on Java SE 6 Update 18 and requires the user to load the exploit page in Internet Explorer 6.
Platforms
Windows
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.047 Low
EPSS
Percentile
92.5%