Lucene search

K

John LeitchZDI-14-038

HistoryApr 03, 2014 - 12:00 a.m.

Oracle Java TrueType LookupCount Buffer Overflow Remote Code Execution Vulnerability

2014-04-0300:00:00

John Leitch

www.zerodayinitiative.com

12

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.433 Medium

EPSS

Percentile

97.3%

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of TrueType fonts. The issue lies in the handling of TTF files with an overly large LookupCount. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the process.

References

www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.433 Medium

EPSS

Percentile

97.3%

Related for ZDI-14-038

veracode13 checkpoint_advisories1 ubuntucve1 prion1 cve1 zdi1 ibm10 redhat10 nessus37 openvas36 ubuntu3 amazon2 oraclelinux3 mageia1 centos3 suse5 aix1 f52 securityvulns1 oracle1 gentoo1