The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Oracle JRE

computer vulnerability CVE-2012-2739

Java Language: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data generating hash table collisions, in order to overload a service.
Impacted products: Java OpenJDK, Java Oracle.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 18/06/2012.
Identifiers: CVE-2012-2739, VIGILANCE-VUL-11715.

Description of the vulnerability

The bulletin VIGILANCE-VUL-11254 describes a generic hash collision vulnerability: an attacker who chooses the keys inserted into a hash table (for example HTTP parameter names) can send thousands of keys sharing one hash value, so that every insertion and lookup degrades from constant to linear time and a single request can keep a CPU core busy for a long time.

This vulnerability impacts the hash-based collections of the Java class library (java.util.HashMap, Hashtable, LinkedHashMap, WeakHashMap and ConcurrentHashMap), whose bucket placement derives from the unkeyed, fully predictable String.hashCode() value.

Because VIGILANCE-VUL-11254 had grown too large, the Java-specific solutions were moved to this bulletin.

vulnerability bulletin CVE-2012-0551 CVE-2012-1711 CVE-2012-1713

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Debian, Fedora, HP-UX, IBM IMS, Tivoli System Automation, WebSphere MQ, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, vCenter Server.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 14.
Creation date: 13/06/2012.
Identifiers: BID-53946, BID-53947, BID-53948, BID-53949, BID-53950, BID-53951, BID-53952, BID-53953, BID-53954, BID-53956, BID-53958, BID-53959, BID-53960, c03441075, CERTA-2012-AVI-331, CERTA-2012-AVI-452, CERTA-2012-AVI-607, CERTA-2012-AVI-666, CVE-2012-0551, CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725, CVE-2012-1726, DSA-2507-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, FEDORA-2012-9541, FEDORA-2012-9545, FEDORA-2012-9590, FEDORA-2012-9593, HPSBUX02805, IC87301, javacpujun2012, MDVSA-2012:095, openSUSE-SU-2012:0828-1, PM65379, RHSA-2012:0729-01, RHSA-2012:0730-01, RHSA-2012:0734-01, RHSA-2012:1009-01, RHSA-2012:1019-01, RHSA-2012:1238-01, RHSA-2012:1243-01, RHSA-2012:1245-01, RHSA-2012:1289-01, RHSA-2012:1332-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100919, SUSE-SU-2012:0762-1, SUSE-SU-2012:1177-1, SUSE-SU-2012:1177-2, SUSE-SU-2012:1204-1, SUSE-SU-2012:1231-1, SUSE-SU-2012:1264-1, SUSE-SU-2012:1265-1, SUSE-SU-2012:1475-1, swg21615246, swg21617572, swg21632667, swg21632668, swg21633991, swg21633992, VIGILANCE-VUL-11703, VMSA-2012-0003.1, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013.1, ZDI-12-142, ZDI-12-189.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D (BasicService.showDocument), in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53946, CVE-2012-1713, ZDI-12-142]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53959, CVE-2012-1721, ZDI-12-189]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53953, CVE-2012-1722]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53960, CVE-2012-1723]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53954, CVE-2012-1725]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53947, CVE-2012-1716]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53949, CVE-2012-1711]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; BID-53948, CVE-2012-1726]

An attacker can use a vulnerability of Deployment, in order to obtain information, or to create a denial of service. [severity:2/4; CVE-2012-0551]

An attacker can use a vulnerability of CORBA, in order to alter information. [severity:2/4; BID-53950, CVE-2012-1719]

An attacker can use a vulnerability of JAXP (XML parsing), in order to create a denial of service. [severity:2/4; BID-53958, CVE-2012-1724]

An attacker can use a vulnerability of Security, in order to create a denial of service. [severity:2/4; BID-53951, CVE-2012-1718]

An attacker can use a vulnerability of Networking, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-53956, CVE-2012-1720]

An attacker can use a vulnerability of JRE, in order to obtain information. [severity:1/4; BID-53952, CVE-2012-1717]

vulnerability alert CVE-2011-5035

Java Lightweight HTTP Server: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data generating hash table collisions, in order to overload a service.
Impacted products: Debian, HP-UX, Mandriva Linux, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/02/2012.
Identifiers: BID-51236, c03254184, c03350339, CVE-2011-4838-ERROR, CVE-2011-5035, DSA-2420-1, HPSBUX02757, HPSBUX02784, MDVSA-2012:021, openSUSE-SU-2012:0309-1, RHSA-2012:0139-01, RHSA-2012:0514-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100779, SSRT100871, SUSE-SU-2012:0308-1, VIGILANCE-VUL-11381.

Description of the vulnerability

The bulletin VIGILANCE-VUL-11254 describes a generic hash collision vulnerability which can be used to create a denial of service on several applications: an attacker who chooses the keys inserted into a hash table can send thousands of keys sharing one hash value, so that each insertion walks an ever longer collision chain.

This vulnerability impacts the Java Lightweight HTTP Server (com.sun.net.httpserver), which computes hash values of client-supplied form parameters without any protection against predictable collisions, so a single POST request carrying colliding parameter names is enough to tie up the server.

Because VIGILANCE-VUL-11254 had grown too large, the Java-specific solutions were moved to this bulletin.
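As an added example (not code from Vigil@nce or from OpenJDK), the following Python reproduces the mechanics behind both hash collision bulletins, VIGILANCE-VUL-11381 for the Lightweight HTTP Server's form parameters and VIGILANCE-VUL-11715 for the core collections: it reimplements java.lang.String.hashCode(), generates 1024 distinct keys sharing one hash value, measures the insertion cost in a small separate-chaining table modelled on the unpatched HashMap, and then shows how a secret-keyed hash (the idea behind randomized string hashing) removes the hot spot. The bucket count, the per-process secret and the toy table are assumptions for illustration. The real HashMap also resizes and spreads hash bits, which does not help when every hash code is identical; OpenJDK's own fixes were the optional seeded string hashing added in 7u6 (jdk.map.althashing.threshold) and, in JDK 8, converting long collision chains into balanced trees.

```python
import hashlib
import hmac
import itertools


def java_string_hash(s: str) -> int:
    """Replicates java.lang.String.hashCode(): h = 31*h + c over the code units,
    with signed 32-bit wrap-around. It is unkeyed, so collisions can be precomputed."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_keys(n_pairs: int) -> list:
    """2**n_pairs distinct strings with identical hashCode(). "Aa" and "BB" both hash
    to 2112, and because the hash is a polynomial in 31, every concatenation of
    n_pairs such fragments hashes to the same value as every other one."""
    return ["".join(p) for p in itertools.product(("Aa", "BB"), repeat=n_pairs)]


class ChainedTable:
    """Minimal separate-chaining table modelled on the pre-fix java.util.HashMap:
    the bucket is chosen from the key's hash alone, so colliding keys share one chain
    and each insert walks the whole chain (quadratic total work)."""

    def __init__(self, hash_fn, buckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0  # key comparisons performed, the cost the attacker inflates

    def put(self, key, value):
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def longest_chain(self) -> int:
        return max(len(c) for c in self.buckets)


def keyed_hash(secret: bytes):
    """Mitigation: a per-process secret makes bucket placement unpredictable to the
    sender. HMAC-SHA256 is used here for clarity; SipHash is the usual choice."""
    def h(s: str) -> int:
        digest = hmac.new(secret, s.encode("utf-8"), hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")
    return h


def insertion_cost(keys, hash_fn):
    """Insert all keys into a fresh table; return (key comparisons, longest chain)."""
    table = ChainedTable(hash_fn)
    for k in keys:
        table.put(k, k)
    return table.comparisons, table.longest_chain()


if __name__ == "__main__":
    keys = colliding_keys(10)  # 1024 attacker-chosen keys, one hash value
    print("unkeyed String.hashCode():", insertion_cost(keys, java_string_hash))
    # constructed secret; a real runtime would draw it from a CSPRNG at startup
    print("keyed hash:               ", insertion_cost(keys, keyed_hash(b"constructed-per-process-secret")))
```

With the unkeyed hash the 1024 inserts cost 1024*1023/2 comparisons in a single chain of length 1024; with the keyed hash the same keys spread over the buckets and the longest chain stays in single digits, so the sender can no longer choose where its keys land.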

computer vulnerability bulletin CVE-2011-3563 CVE-2011-3571 CVE-2011-5035

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Debian, Fedora, HPE NNMi, HP-UX, Tivoli System Automation, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, vCenter Server, VMware vSphere.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 14.
Creation date: 15/02/2012.
Identifiers: BID-52009, BID-52010, BID-52011, BID-52012, BID-52013, BID-52014, BID-52015, BID-52016, BID-52017, BID-52018, BID-52019, BID-52020, BID-52161, c03254184, c03266681, c03316985, c03350339, c03358587, c03405642, CERTA-2012-AVI-085, CERTA-2012-AVI-286, CERTA-2012-AVI-395, CERTA-2012-AVI-479, CVE-2011-3563, CVE-2011-3571, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0504, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507, CVE-2012-0508, DSA-2420-1, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-1690, FEDORA-2012-1711, FEDORA-2012-1721, HPSBMU02797, HPSBMU02799, HPSBUX02757, HPSBUX02760, HPSBUX02777, HPSBUX02784, javacpufeb2012, MDVSA-2012:021, openSUSE-SU-2012:0309-1, PRE-SA-2012-01, RHSA-2012:0135-01, RHSA-2012:0139-01, RHSA-2012:0322-01, RHSA-2012:0508-01, RHSA-2012:0514-01, RHSA-2012:0702-01, RHSA-2012:1080-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100779, SSRT100805, SSRT100854, SSRT100867, SSRT100871, SUSE-SU-2012:0308-1, SUSE-SU-2012:0602-1, SUSE-SU-2012:0603-1, SUSE-SU-2012:0734-1, SUSE-SU-2012:0881-1, SUSE-SU-2012:1013-1, swg21632667, swg21632668, swg21633991, swg21633992, TPTI-12-01, TSL20120214-01, VIGILANCE-VUL-11368, VMSA-2012-0005.2, VMSA-2012-0005.4, VMSA-2012-0013, VMSA-2012-0013.2, VMSA-2012-0018.1, VMSA-2013-0003, ZDI-12-032, ZDI-12-037, ZDI-12-038, ZDI-12-039, ZDI-12-045, ZDI-12-060, ZDI-12-081, ZDI-12-082, ZDI-12-083.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-52009, CVE-2012-0497]

An attacker can use a vulnerability of 2D (readMabCurveData nTblSize), in order to execute code. [severity:4/4; BID-52019, CVE-2012-0498, ZDI-12-032, ZDI-12-060]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-52016, CVE-2012-0499]

An attacker can invite the victim to open a malicious JNLP file, in order to execute code via Java Web Start Deployment. [severity:4/4; BID-52015, CVE-2012-0500, TSL20120214-01, ZDI-12-037, ZDI-12-039]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-52010, CVE-2012-0508, ZDI-12-038]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-52020, CVE-2012-0504]

An attacker can use a vulnerability of Concurrency, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-52161, CVE-2011-3571, CVE-2012-0507]

An attacker can use a vulnerability of I18n, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-52018, CVE-2012-0503]

An attacker can use a vulnerability of Serialization, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-52017, CVE-2012-0505]

An attacker can use a vulnerability of AWT, in order to obtain information, or to create a denial of service. [severity:3/4; BID-52011, CVE-2012-0502]

An attacker can use a vulnerability of Sound, in order to obtain information, or to create a denial of service. [severity:3/4; BID-52012, CERTA-2012-AVI-085, CVE-2011-3563]

An attacker can post HTTP data to Lightweight HTTP Server generating storage collisions, in order to overload a remote web server (VIGILANCE-VUL-11381). [severity:3/4; CVE-2011-5035]

An attacker can use a ZIP archive generating an infinite loop in the JRE. [severity:3/4; BID-52013, CVE-2012-0501, PRE-SA-2012-01]

An attacker can use a vulnerability of CORBA, in order to alter information. [severity:2/4; BID-52014, CVE-2012-0506]

vulnerability announce 11212

Java: bypassing the update check

Synthesis of the vulnerability

When the Java JRE updates itself automatically, an attacker can substitute, for the binary to be downloaded, a program that launches a Trojan; the substitution is neither detected nor rejected.
Impacted products: Java OpenJDK, Java Oracle.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 13/12/2011.
Identifiers: BID-50986, VIGILANCE-VUL-11212.

Description of the vulnerability

The Java JRE can update itself automatically. To do so, it downloads an XML document from the java.sun.com site which indicates the URL of the updated program (for example http://javadl.sun.com/.../jre-6update-windows.exe). The JRE then checks that this program is signed by Sun before executing it.

However, an attacker can craft a fake XML file that replaces "jre-6update-windows.exe" with "javaws.exe" (Java Web Start) and passes a malicious JNLP (Java Network Launching Protocol) file as a command-line option. He then intercepts the JRE's request to http://javadl.sun.com/ (which is served over plain HTTP, without TLS/SSL) and returns the fake XML file to the victim. The JRE checks that the program is signed by Sun: javaws.exe is a genuine Sun binary, so the check passes. The JRE thus runs Java Web Start with the malicious JNLP file. The signature check only proves who signed the binary, not that it is the expected update or that its arguments are harmless, so a legitimately signed launcher becomes the attacker's loader.

When the Java JRE updates itself automatically, an attacker can therefore substitute, for the binary to be downloaded, a program that launches a Trojan; the substitution is neither detected nor rejected.

computer vulnerability announce CVE-2010-4448 CVE-2011-3552

Windows, Java: poisoning the DNS cache

Synthesis of the vulnerability

An attacker can open numerous UDP ports, in order to facilitate a DNS cache poisoning attack.
Impacted products: HP-UX, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows (platform) ~ not comprehensive, Windows Vista, Windows XP, Java OpenJDK, Java Oracle, DNS protocol, RHEL, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data creation/edition, data flow.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 20/10/2011.
Identifiers: BID-50281, c03266681, CVE-2010-4448, CVE-2011-3552, HPSBUX02760, javacpuoct2011, RHSA-2012:0006-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100805, VIGILANCE-VUL-11087.

Description of the vulnerability

The DNS protocol is used to obtain the IP address associated with a host name:
 - the client sends a query from a 16-bit UDP source port, containing a 16-bit transaction identifier (TXID)
 - the server replies to that UDP source port, echoing the TXID received in the query
An attacker who spoofs a DNS reply packet thus has to guess 32 bits (source port and TXID) in order to poison the client's DNS cache.

However, if an attacker runs a malicious program on the client which binds most UDP ports, the DNS resolver can only use the few remaining free ports, which the attacker knows. The attacker then only has to guess the 16 bits of the TXID.

This malicious program can be run by an unprivileged local attacker (on a Windows computer shared between several users), since binding UDP ports requires no special privilege. It can also be a Java applet located on a web site visited by the victim.

On Windows, the local attacker is allowed to flush the DNS cache between each trial. He can thus retry as many times as necessary until he guesses the TXID.

An attacker can therefore open numerous UDP ports, in order to facilitate a DNS cache poisoning attack.
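As an added example, not part of the Vigil@nce bulletin, the Python below quantifies the two halves of this attack and adds the check a defender would run: first, how much an off-path attacker has to guess as a function of how many source ports remain free, validated by a small Monte Carlo; second, a parser for Windows netstat -ano output that flags any process holding an unusual number of UDP sockets, which is the local footprint of the port-exhaustion step. The netstat lines and the alert threshold are constructed for the demonstration.

```python
import math
import random
import re
from collections import Counter

TXID_SPACE = 1 << 16  # 16-bit DNS transaction ID


def spoof_entropy_bits(free_ports: int) -> float:
    """Bits an off-path attacker must guess per forged reply: the 16-bit TXID plus
    log2 of the number of source ports the resolver can still be allocated.
    65536 free ports gives the nominal 32 bits; a single free port leaves 16."""
    if free_ports < 1:
        raise ValueError("the resolver needs at least one free port")
    return 16 + math.log2(free_ports)


def expected_forged_replies(free_ports: int) -> float:
    """Mean number of forged replies before one matches both port and TXID when the
    attacker enumerates the remaining (port, TXID) pairs: half the space on average."""
    return free_ports * TXID_SPACE / 2


def forged_replies_needed(free_ports: int, port_index: int, txid: int) -> int:
    """Exact count for one query: the position of the resolver's actual (port, TXID)
    pair in the attacker's enumeration order (free ports first, then every TXID)."""
    assert 0 <= port_index <= free_ports and 0 <= txid < TXID_SPACE
    return port_index * TXID_SPACE + txid + 1


def simulate_mean_replies(free_ports: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of expected_forged_replies(): the resolver draws a free port
    and a TXID uniformly; the attacker keeps forging until the pair is hit."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        total += forged_replies_needed(free_ports, rng.randrange(free_ports), rng.randrange(TXID_SPACE))
    return total / trials


# Windows `netstat -ano` style lines (constructed sample, not captured output):
# one process (PID 4321) holds a block of UDP ports, the rest are normal services.
SAMPLE_NETSTAT = """\
  UDP    0.0.0.0:137            *:*                                    1268
  UDP    0.0.0.0:40000          *:*                                    4321
  UDP    0.0.0.0:40001          *:*                                    4321
  UDP    0.0.0.0:40002          *:*                                    4321
  UDP    0.0.0.0:40003          *:*                                    4321
  UDP    0.0.0.0:40004          *:*                                    4321
  UDP    0.0.0.0:40005          *:*                                    4321
  UDP    127.0.0.1:53           *:*                                    2044
"""
NETSTAT_RE = re.compile(r"^\s*UDP\s+\S+:(\d+)\s+\S+\s+(\d+)\s*$")


def udp_ports_per_pid(netstat_text: str) -> Counter:
    """Count bound UDP ports per process from netstat -ano output."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            counts[int(m.group(2))] += 1
    return counts


def port_hoarders(netstat_text: str, threshold: int) -> dict:
    """PIDs holding more UDP ports than `threshold`, the signature of the local
    port-exhaustion step (the threshold is a tuning assumption for the demo)."""
    return {pid: n for pid, n in udp_ports_per_pid(netstat_text).items() if n > threshold}


if __name__ == "__main__":
    for free in (1, 256, TXID_SPACE):
        print(f"{free:6d} free ports -> {spoof_entropy_bits(free):4.1f} bits, "
              f"~{expected_forged_replies(free):.0f} forged replies on average")
    print("suspicious processes:", port_hoarders(SAMPLE_NETSTAT, threshold=5))
```

On a real host the threshold has to be tuned against normal services (a busy resolver or a game client legitimately holds several UDP sockets); the point is that a process holding thousands of ports is the precondition for this attack and is cheap to spot. When ports are plentiful the attacker's average cost is in the billions of packets; with one free port it drops to about 32768, and on Windows the cache flush between attempts removes the need to win on the first query.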

vulnerability announce CVE-2011-3389 CVE-2011-3516 CVE-2011-3521

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Debian, Fedora, HPE NNMi, HP-UX, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, vCenter Server, VirtualCenter.
Severity: 4/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 20.
Creation date: 19/10/2011.
Identifiers: BID-49778, BID-50211, BID-50215, BID-50216, BID-50218, BID-50220, BID-50223, BID-50224, BID-50226, BID-50229, BID-50231, BID-50234, BID-50236, BID-50237, BID-50239, BID-50242, BID-50243, BID-50246, BID-50248, BID-50250, c03122753, c03266681, c03316985, c03358587, c03405642, CERTA-2011-AVI-541, CERTA-2011-AVI-580, CERTA-2011-AVI-675, CERTA-2012-AVI-012, CERTA-2012-AVI-045, CERTA-2012-AVI-190, CERTA-2012-AVI-238, CERTA-2012-AVI-286, CERTA-2012-AVI-395, CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561, DSA-2356-1, DSA-2358-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, FEDORA-2011-14638, FEDORA-2011-14648, FEDORA-2011-15555, HPSBMU02797, HPSBMU02799, HPSBUX02730, HPSBUX02760, HPSBUX02777, javacpuoct2011, MDVSA-2011:170, openSUSE-SU-2011:1196-1, RHSA-2011:1380-01, RHSA-2011:1384-01, RHSA-2011:1478-01, RHSA-2012:0006-01, RHSA-2012:0034-01, RHSA-2012:0343-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100710, SSRT100805, SSRT100854, SSRT100867, SUSE-SU-2011:1298-1, SUSE-SU-2012:0114-1, SUSE-SU-2012:0114-2, SUSE-SU-2012:0122-1, SUSE-SU-2012:0122-2, VIGILANCE-VUL-11072, VMSA-2012-0003, VMSA-2012-0003.1, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013.1, VU#864643, ZDI-11-305, ZDI-11-306, ZDI-11-307.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50211, CVE-2011-3548]

An attacker can use a vulnerability of Java IIOP Deserialization, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50215, CVE-2011-3521, ZDI-11-306]

An attacker can use a vulnerability of Java Runtime Environment, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50216, CVE-2011-3554]

An attacker can use a vulnerability of Rhino Javascript, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50218, CVE-2011-3544, ZDI-11-305]

An attacker can use a vulnerability of Sound MixerSequencer.nAddControllerEventCallback, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50220, CVE-2011-3545, ZDI-11-307]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50223, CVE-2011-3549]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50224, CVE-2011-3551]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50226, CVE-2011-3550]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-50229, CVE-2011-3516]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-50231, CVE-2011-3556]

An attacker can use a vulnerability of RMI, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-50234, CVE-2011-3557]

An attacker can use a vulnerability of JSSE, in order to obtain or alter information. [severity:3/4; BID-50236, CVE-2011-3560]

An attacker can use a vulnerability of Java Runtime Environment, in order to alter information, or to create a denial of service. [severity:3/4; BID-50237, CVE-2011-3555]

An attacker can use a vulnerability of Deployment, in order to obtain or alter information. [severity:3/4; BID-50239, CVE-2011-3546]

An attacker can use a vulnerability of HotSpot, in order to obtain information. [severity:2/4; BID-50242, CVE-2011-3558]

An attacker can use a vulnerability of Networking, in order to obtain information. [severity:2/4; BID-50243, CERTA-2012-AVI-238, CVE-2011-3547]

An attacker who can control the victim's web browser's HTTPS connections and who has sufficient bandwidth can use several SSL sessions in order to recover HTTP headers such as cookies (VIGILANCE-VUL-11014). [severity:1/4; BID-49778, CERTA-2011-AVI-541, CERTA-2011-AVI-580, CERTA-2011-AVI-675, CERTA-2012-AVI-012, CERTA-2012-AVI-045, CERTA-2012-AVI-190, CVE-2011-3389, VU#864643]

An attacker can use a vulnerability of JAXWS, in order to obtain information. [severity:2/4; BID-50246, CVE-2011-3553]

An attacker can open numerous UDP ports, in order to facilitate a DNS cache poisoning attack (VIGILANCE-VUL-11087). [severity:1/4; BID-50248, CVE-2011-3552]

An attacker can use a vulnerability of Deployment, in order to obtain information. [severity:1/4; BID-50250, CVE-2011-3561]

vulnerability note CVE-2011-3389 CVE-2012-1870

SSL, TLS: obtaining HTTPS Cookies, BEAST

Synthesis of the vulnerability

An attacker who can control the victim's web browser's HTTPS connections and who has sufficient bandwidth can use several SSL sessions in order to recover HTTP headers such as cookies.
Impacted products: Asterisk Open Source, IPSO, SecurePlatform, CheckPoint Security Gateway, Debian, BIG-IP Hardware, TMOS, Fedora, HP-UX, Domino, Mandriva Linux, IIS, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows Vista, Windows XP, Java OpenJDK, openSUSE, Opera, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Java Oracle, Oracle Web Tier, SSL protocol, RHEL, Sun AS, SUSE Linux Enterprise Desktop, SLES, Nessus.
Severity: 1/4.
Consequences: data reading.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 3.
Creation date: 26/09/2011.
Identifiers: 2588513, 2643584, 2655992, AST-2016-001, BID-49778, BID-54304, c03122753, CERTA-2012-AVI-381, CERTFR-2016-AVI-046, CVE-2004-2770-REJECT, CVE-2011-3389, CVE-2012-1870, DSA-2368-1, DSA-2398-1, DSA-2398-2, FEDORA-2012-5916, FEDORA-2012-5924, FEDORA-2012-9135, FEDORA-2014-13764, FEDORA-2014-13777, HPSBUX02730, javacpuoct2011, MDVSA-2012:058, MDVSA-2012:096, MDVSA-2012:096-1, MDVSA-2012:097, MS12-006, MS12-049, openSUSE-SU-2012:0030-1, openSUSE-SU-2012:0063-1, openSUSE-SU-2012:0199-1, openSUSE-SU-2012:0229-1, openSUSE-SU-2012:0667-1, RHSA-2012:0034-01, RHSA-2013:1455-01, RHSA-2013:1456-01, sk74100, sk86440, SOL13400, SSRT100710, SUSE-SU-2012:0114-1, SUSE-SU-2012:0114-2, SUSE-SU-2012:0122-1, SUSE-SU-2012:0122-2, swg21568229, VIGILANCE-VUL-11014, VU#864643.

Description of the vulnerability

The SSL/TLS protocol supports CBC (Cipher Block Chaining) encryption: each plaintext block is XORed (exclusive OR) with the previous ciphertext block before being encrypted. In SSL 3.0 and TLS 1.0 the chaining continues across records: the IV of a record is the last ciphertext block of the previous record, so an attacker watching the traffic knows the IV that will be used next. This dependence between a block and its predecessor was the subject of several theoretical studies from 2002 onwards (chosen-plaintext attacks against predictable IVs), and led to the definition of TLS 1.1 in 2006, which uses an explicit, unpredictable IV for each record.

The HTTPS "protocol", used by web browsers, encapsulates an HTTP session in an SSL/TLS session. An HTTP query looks like:
  GET /abcdefg HTTP/1.1
  Headers (cookies)
  ...
With an 8-byte block cipher such as 3DES, this query is split into 8-byte blocks, which are encrypted in CBC mode. The first block is thus "GET /abc", the second "defg HTT", and the third "P/1.1\r\n" followed by the first byte of the headers.

An attacker can set up a malicious web site and invite the victim to connect. This web site can make the victim's web browser load the page "/abcdefg" of a site secured by SSL/TLS and, through a browser plugin (a Java applet in the published attack), send attacker-chosen bytes over the same connection.

The attacker controls the length of the requested URL (via "/abcdefg"), so he can align the plaintext so that the first unknown byte of the headers is the last byte of a block whose 7 other bytes are known ("P/1.1\r\n"). Writing C2 for the ciphertext of the second block ("defg HTT"), C3 for the ciphertext of the third block, and IV for the last ciphertext block captured so far (the chaining value of the next record), the attacker injects the plaintext IV XOR C2 XOR G, where G is "P/1.1\r\n" followed by the guessed byte. The record layer encrypts IV XOR (IV XOR C2 XOR G) = C2 XOR G, which yields exactly C3 if and only if G equals the third plaintext block. At most 256 guesses therefore reveal one byte; the attacker then lengthens or shortens the URL by one character so that the next unknown byte lands at the end of a block, and repeats the procedure as many times as necessary.

An attacker who can control the victim's web browser's HTTPS connections and who has sufficient bandwidth can therefore use several SSL sessions in order to recover HTTP headers such as cookies.
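The procedure above, worked through end to end as an added example (not code from the bulletin or from the BEAST authors): a TLS 1.0-style record layer with chained IVs is modelled in Python around a toy 8-byte Feistel block cipher (a stand-in for 3DES, since the attack does not depend on the cipher), and an attacker who can choose the URL and inject raw bytes into the victim's connection recovers a constructed cookie one byte at a time. The key, IV, cookie value and request format are assumptions for the demonstration, and the alignment differs slightly from the "P/1.1\r\n" example in the text: here the known bytes preceding each unknown cookie byte are the tail of the "Cookie: " header and the bytes already recovered.

```python
import hashlib
import hmac

BLOCK = 8  # 8-byte blocks, as in the bulletin's example (3DES-sized cipher)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Feistel round function: a keyed PRF truncated to half a block."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy 64-bit block cipher: 4-round Feistel network (stand-in for 3DES)."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r


def decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r


def tls_pad(data: bytes) -> bytes:
    """TLS CBC padding: n bytes each holding n-1, filling to a block boundary."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n - 1]) * n


class Tls10CbcSender:
    """TLS 1.0 record layer, encryption side only: the IV of each record is the last
    ciphertext block of the previous record. That chaining is what BEAST exploits;
    TLS 1.1 (RFC 4346) fixed it with an explicit random IV per record."""

    def __init__(self, key: bytes, first_iv: bytes):
        self.key, self.iv = key, first_iv

    def send_record(self, plaintext: bytes) -> bytes:
        out, prev = [], self.iv
        padded = tls_pad(plaintext)
        for i in range(0, len(padded), BLOCK):
            prev = encrypt_block(self.key, xor(prev, padded[i:i + BLOCK]))
            out.append(prev)
        self.iv = prev  # chained IV: the attacker sees this block on the wire
        return b"".join(out)


def request_prefix(path: bytes) -> bytes:
    """Everything the browser sends before the secret cookie value (attacker-known)."""
    return b"GET " + path + b" HTTP/1.1\r\nCookie: "


class Victim:
    """The victim's browser: fetches attacker-chosen URLs from the HTTPS site and
    (assumption: via a plugin such as the Java applet used in the published attack)
    lets the attacker's page append raw bytes to the same TLS connection."""

    def __init__(self, cookie: bytes, key: bytes, first_iv: bytes):
        self.cookie, self.chan = cookie, Tls10CbcSender(key, first_iv)

    def request(self, path: bytes) -> bytes:
        return self.chan.send_record(request_prefix(path) + self.cookie + b"\r\n\r\n")

    def inject(self, raw: bytes) -> bytes:
        return self.chan.send_record(raw)


def beast_recover(victim: Victim, secret_len: int) -> bytes:
    """Recover the cookie byte by byte. For byte k, choose the URL length so the
    unknown byte is the last byte of plaintext block t (its other 7 bytes are known).
    With C[t] = E(C[t-1] xor P[t]) captured and the next IV known, injecting
    IV xor C[t-1] xor G produces E(C[t-1] xor G), which equals C[t] iff G == P[t]."""
    recovered = b""
    base = len(request_prefix(b"/"))
    for k in range(secret_len):
        path = b"/" + b"a" * ((BLOCK - 1 - (base + k)) % BLOCK)
        prefix = request_prefix(path)
        pos = len(prefix) + k                     # plaintext index of the unknown byte
        t = pos // BLOCK
        ct = victim.request(path)                 # captured on the wire by the attacker
        c_prev, c_t = ct[(t - 1) * BLOCK:t * BLOCK], ct[t * BLOCK:(t + 1) * BLOCK]
        known = (prefix + recovered)[t * BLOCK:pos]   # the 7 known bytes of P[t]
        iv = ct[-BLOCK:]                          # IV the sender uses for the next record
        for g in range(256):
            reply = victim.inject(xor(xor(iv, c_prev), known + bytes([g])))
            iv = reply[-BLOCK:]
            if reply[:BLOCK] == c_t:
                recovered += bytes([g])
                break
        else:
            raise RuntimeError("no guess matched; model assumptions violated")
    return recovered


# Constructed demo values: key and IV belong to the session and are never used by the attacker
DEMO_KEY = b"constructed-session-key"
DEMO_IV = b"\x00" * BLOCK
DEMO_COOKIE = b"SID=7f3a9c"


def demo() -> bytes:
    return beast_recover(Victim(DEMO_COOKIE, DEMO_KEY, DEMO_IV), len(DEMO_COOKIE))


if __name__ == "__main__":
    print(demo())
```

Each recovered byte costs at most 256 injected records, which is why the bulletin rates the attack by bandwidth rather than by cryptanalytic effort. The attacker never learns the key: the defect is the predictable chaining IV plus a chosen-plaintext channel, and either an explicit per-record IV (TLS 1.1 and later) or the 1/n-1 record splitting that browsers deployed as a workaround removes the condition the guess relies on.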

computer vulnerability 10825

Java JRE: code execution via .hotspotrc

Synthesis of the vulnerability

An attacker can invite the victim to open an HTML page calling a Java applet located on a network share, in order to execute code on his computer.
Impacted products: Java OpenJDK, Java Oracle.
Severity: 2/4.
Consequences: user access/rights.
Provenance: intranet server.
Creation date: 11/07/2011.
Identifiers: VIGILANCE-VUL-10825.

Description of the vulnerability

The Java HotSpot Virtual Machine is a component of Java SE.

The Hotspot VM can be configured with the following files:
 - .hotspotrc : indicates arguments of the command line (define the memory size, etc.)
 - .hotspot_compiler : alters the JIT behavior (exclude methods, etc.)
Both files are looked up in the working directory of the Java process, which is usually the Java application's directory.

However, an attacker who controls a network share can store on it:
 - a malicious program named "malicious.exe"
 - a .hotspotrc file containing: OnOutOfMemoryError="malicious.exe" (to indicate that malicious.exe has to be executed when a memory error occurs)
 - a Java applet, creating an out of memory error
 - an HTML file calling this Java applet

An attacker can therefore invite the victim to open this HTML page calling a Java applet located on a network share, in order to execute code on his computer.
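A check a defender can run, as an added example (not from the bulletin): a Python scanner that walks a directory such as a mounted share, parses any .hotspotrc or .hotspot_compiler it finds, and reports the flags that make HotSpot execute a command on an error path (OnOutOfMemoryError, OnError). The share layout is constructed inline to reproduce the scenario above. Later HotSpot releases ignore .hotspotrc unless the JVM is started with -XX:Flags=<file> or -XX:+ReadVMOptionsFile, which is the setting to verify on a given JRE.

```python
import os
import re
import tempfile
from pathlib import Path

# Files HotSpot reads for VM flags; the attack plants a crafted one next to the applet
VM_OPTION_FILES = (".hotspotrc", ".hotspot_compiler")
# Flags whose value is a command line HotSpot runs when the named condition occurs
COMMAND_FLAGS = ("OnOutOfMemoryError", "OnError")
# One flag per line, in -XX syntax without the prefix: +Flag, -Flag, Flag=value, Flag="value"
OPTION_RE = re.compile(r'^([+-]?)([A-Za-z_][A-Za-z0-9_]*)(?:\s*=\s*"?(.*?)"?)?\s*$')


def parse_hotspotrc(text: str) -> dict:
    """Parse a .hotspotrc into {flag: value}; +Flag / -Flag map to True / False."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = OPTION_RE.match(line)
        if not m:
            continue  # not a flag line; HotSpot would also ignore it
        sign, name, value = m.groups()
        opts[name] = value if value is not None else (sign != "-")
    return opts


def dangerous_options(opts: dict) -> dict:
    """Flags that would run an attacker-chosen command from a VM error path."""
    return {k: v for k, v in opts.items() if k in COMMAND_FLAGS and v}


def scan_tree(root) -> list:
    """Walk a directory tree (e.g. a mounted share) and report option files that
    carry command-executing flags, as (relative path, {flag: command})."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in VM_OPTION_FILES:
                path = Path(dirpath) / name
                bad = dangerous_options(parse_hotspotrc(path.read_text(errors="replace")))
                if bad:
                    findings.append((path.relative_to(root).as_posix(), bad))
    return sorted(findings)


# Constructed share layout reproducing the bulletin's scenario (not real files):
# the applet directory carries the planted .hotspotrc, the other one is benign.
SHARE = {
    "applet/.hotspotrc": 'OnOutOfMemoryError="malicious.exe"\n+PrintGCDetails\n',
    "applet/index.html": "<applet code=Boom.class></applet>\n",
    "tools/.hotspotrc": "MaxHeapSize=64m\n-UseSerialGC  # comment\n",
}


def demo() -> list:
    """Materialise SHARE in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SHARE.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, flags in demo():
        print(f"{path}: {flags}")
```

The same parser can be pointed at the working directories of long-running Java services, where a writable directory plus a planted .hotspotrc turns any out-of-memory condition into code execution with the service's privileges.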

vulnerability announce CVE-2011-0786 CVE-2011-0788 CVE-2011-0802

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Debian, Fedora, HPE NNMi, HP-UX, NSMXpress, Mandriva Linux, NLD, OES, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, ESX, vCenter Server.
Severity: 4/4.
Consequences: administrator access/rights, privileged access/rights, user access/rights, client access/rights, data creation/edition, data deletion, data flow, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 17.
Creation date: 08/06/2011.
Identifiers: BID-48133, BID-48134, BID-48135, BID-48136, BID-48137, BID-48138, BID-48139, BID-48140, BID-48141, BID-48142, BID-48143, BID-48144, BID-48145, BID-48146, BID-48147, BID-48148, BID-48149, c02945548, c03316985, c03358587, c03405642, CERTA-2003-AVI-005, CERTA-2011-AVI-336, CERTA-2012-AVI-286, CERTA-2012-AVI-395, CVE-2011-0786, CVE-2011-0788, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0817, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0866, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873, DSA-2311-1, DSA-2358-1, FEDORA-2011-8003, FEDORA-2011-8020, FEDORA-2011-8028, HPSBMU02797, HPSBMU02799, HPSBUX02697, HPSBUX02777, javacpujune2011, MDVSA-2011:126, openSUSE-SU-2011:0633-1, openSUSE-SU-2011:0706-1, PSN-2012-08-686, PSN-2012-08-687, PSN-2012-08-688, PSN-2012-08-689, PSN-2012-08-690, RHSA-2011:0856-01, RHSA-2011:0857-01, RHSA-2011:0860-01, RHSA-2011:0938-01, RHSA-2011:1087-01, RHSA-2011:1159-01, RHSA-2011:1265-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100591, SSRT100854, SSRT100867, SUSE-SA:2011:030, SUSE-SA:2011:032, SUSE-SA:2011:036, SUSE-SU-2011:0632-1, SUSE-SU-2011:0807-1, SUSE-SU-2011:0863-1, SUSE-SU-2011:0863-2, SUSE-SU-2011:0966-1, SUSE-SU-2011:1082-1, TPTI-11-06, VIGILANCE-VUL-10722, VMSA-2011-0013.1, ZDI-11-182, ZDI-11-183, ZDI-11-184, ZDI-11-185, ZDI-11-186, ZDI-11-187, ZDI-11-188, ZDI-11-189, ZDI-11-190, ZDI-11-191, ZDI-11-192, ZDI-11-199.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D (ICC profile), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48137, CVE-2011-0862, TPTI-11-06, ZDI-11-183, ZDI-11-184, ZDI-11-185, ZDI-11-186, ZDI-11-187, ZDI-11-188, ZDI-11-189, ZDI-11-190, ZDI-11-191]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48148, CVE-2011-0873]

An attacker can use a vulnerability of AWT, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48143, CVE-2011-0815]

An attacker can use a vulnerability of Deployment (IE Browser Plugin), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48134, CVE-2011-0817, ZDI-11-182]

An attacker can use a vulnerability of Deployment (Java Web Start), in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48138, CVE-2011-0863, ZDI-11-192]

An attacker can use a vulnerability of HotSpot, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48139, CVE-2011-0864]

An attacker can use a vulnerability of Soundbank Decompression, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48149, CVE-2011-0802, ZDI-11-199]

An attacker can use a vulnerability of Sound, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48145, CVE-2011-0814]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-48142, CVE-2011-0871]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48133, CERTA-2011-AVI-336, CVE-2011-0786]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48135, CVE-2011-0788]

An attacker can use a vulnerability of Java Runtime Environment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-48136, CVE-2011-0866]

An attacker can use a vulnerability of 2D, in order to obtain information. [severity:2/4; BID-48140, CVE-2011-0868]

An attacker can use a vulnerability of NIO, in order to create a denial of service. [severity:2/4; BID-48141, CVE-2011-0872]

An attacker can use a vulnerability of Networking, in order to obtain information. [severity:2/4; BID-48144, CVE-2011-0867]

An attacker can use a vulnerability of SAAJ, in order to obtain information. [severity:2/4; BID-48146, CVE-2011-0869]

An attacker can use a vulnerability of Deserialization, in order to alter information. [severity:1/4; BID-48147, CVE-2011-0865]