Corsaire Security Advisory: Sun J2RE DoS issue

2008-01-08T00:00:00
ID SECURITYVULNS:DOC:18822
Type securityvulns
Reporter Securityvulns
Modified 2008-01-08T00:00:00

Description

-- Corsaire Security Advisory --

Title: Sun J2RE DoS issue Date: 05.09.06 Application: Sun JRE 5.0 prior to update 14 Environment: Sun JRE Author: Martin O'Neal [martin.oneal@corsaire.com] Audience: General distribution Reference: c060905-002

-- Scope --

The aim of this document is to clearly define an issue that exists with the Sun JRE product [1] that will allow an attacker to cause the JRE and Internet Explorer to fail, possibly losing unsaved work etc.

-- History --

Discovered: 05.09.06 (Martin O'Neal) Vendor notified: 09.11.06 Additional analysis: (Kevin O'Reilly) Document released: 08.01.08

-- Overview --

Sun JRE is described [1] as "the Java APIs, Java Virtual Machine (HotSpot VM), and other components necessary to run applets and applications written in the Java programming language".

The software provides a virtualisation layer that allows java applications to be run across platforms and operating systems. These java applications can be delivered to the JVM via a number of mechanisms, and are commonly downloaded from a web server or less commonly, can be embedded within HTML content.

-- Analysis --

The RFC2397 [2] standard allows for the encoding of java applets within a URI, allowing it to be embedded in an HTML document.

If an applet is encoded into the data parameter of an object tag with an undefined "name" attribute, and is then passed to Internet Explorer, then when the application is unencoded and passed in turn to the JVM it causes a null pointer exception to occur in jpiexp32.dll.

-- Recommendations --

Upgrade to a version of the Sun JRE product that does not exhibit this issue (such as Sun JRE 6.0 or JRE 5.0 update 14), and uninstall all effected versions. This is important, as it is possible for an attacker to specify which local VM will be used to run an applet (and so select a vulnerable version).

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2007-0012 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardises names for security problems.

-- References --

[1] http://java.sun.com/javase/ [2] http://www.ietf.org/rfc/rfc2397

This bug is tracked by Sun as 6511363.

-- Revision --

a. Initial release.

-- Distribution --

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information.

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Corsaire accepts no responsibility for any damage caused by the use or misuse of this information.

-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997 in Guildford, Surrey, UK. Corsaire bring innovation, integrity and analytical rigour to every job, which means fast and dramatic security performance improvements. Our services centre on the delivery of information security planning, assessment, implementation, management and vulnerability research.

A free guide to selecting a security assessment supplier is available at http://www.penetration-testing.com

Copyright 2006 Corsaire Limited. All rights reserved.