The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Oracle JRE

computer vulnerability note CVE-2012-4416 CVE-2012-4420

Java JRE: memory reading via Arrays.fill

Synthesis of the vulnerability

When a Java application uses an integer array, and the Arrays.fill() method, the array memory area is not initialized to zero by the JRE, so an attacker can obtain a memory fragment.
Impacted products: Fedora, HP-UX, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, Solaris, RHEL, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data reading.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/09/2012.
Identifiers: 7196857, BID-55501, BID-55538, c03595351, CERTA-2012-AVI-746, CVE-2012-4416, CVE-2012-4420, FEDORA-2012-16346, FEDORA-2012-16351, MDVSA-2012:169, openSUSE-SU-2012:1419-1, openSUSE-SU-2012:1423-1, openSUSE-SU-2012:1424-1, RHSA-2012:1384-01, RHSA-2012:1385-01, RHSA-2012:1386-01, RHSA-2012:1391-01, RHSA-2012:1392-01, VIGILANCE-VUL-11929.

Description of the vulnerability

In the Java language, an array is created with:
  int[] array = new int[10];
According to the specifications, this array must be filled with zeros.

Then, this array can be filled with 33 using the following method:
  Arrays.fill(array, 33);

However, as the compiler detects that the array will be filled with 33, it does not fill it with zeros. So, between both instructions, the array contains values previously stored at its memory address. The array thus contains data which can be sensitive, and which (depending on the code) can be sent to the attacker.

When a Java application uses an integer array, and the Arrays.fill() method, the array memory area is not initialized to zero by the JRE, so an attacker can therefore obtain a memory fragment.

vulnerability CVE-2012-0547

Java JRE/JDK: aggravate vulnerability via AWT

Synthesis of the vulnerability

An attacker can use a vulnerability of Java AWT, in order to aggravate the severity of another vulnerability.
Impacted products: Fedora, HP-UX, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: document.
Creation date: 31/08/2012.
Identifiers: BID-55339, c03533078, c03538957, CERTA-2012-AVI-595, CVE-2012-0547, FEDORA-2012-13127, HPSBUX02824, HPSBUX02825, MDVSA-2012:150, MDVSA-2012:150-1, openSUSE-SU-2012:1154-1, openSUSE-SU-2012:1175-1, RHSA-2012:1221-01, RHSA-2012:1222-01, RHSA-2012:1223-01, RHSA-2012:1225-01, RHSA-2012:1392-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100970, SSRT100974, SUSE-SU-2012:1148-1, SUSE-SU-2012:1231-1, VIGILANCE-VUL-11910.

Description of the vulnerability

The java.awt package is used to create user interfaces.

An attacker can use a vulnerability of Java AWT, in order to aggravate the severity of another vulnerability.

computer vulnerability note CVE-2012-1682 CVE-2012-3136 CVE-2012-4681

Java JRE/JDK 7: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Fedora, HP-UX, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 31/08/2012.
Identifiers: BID-55213, BID-55336, BID-55337, c03533078, CERTA-2012-ALE-005, CERTA-2012-AVI-473, CERTA-2012-AVI-595, CVE-2012-1682, CVE-2012-3136, CVE-2012-4681, FEDORA-2012-13127, HPSBUX02824, MDVSA-2012:150, MDVSA-2012:150-1, openSUSE-SU-2012:1154-1, openSUSE-SU-2012:1175-1, RHSA-2012:1221-01, RHSA-2012:1222-01, RHSA-2012:1223-01, RHSA-2012:1225-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100970, SUSE-SU-2012:1148-1, SUSE-SU-2012:1231-1, VIGILANCE-VUL-11909, VU#636312, ZDI-12-197.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use ClassFinder and getField, in order to execute code on victim's computer (VIGILANCE-VUL-11897). [severity:3/4; BID-55213, CERTA-2012-ALE-005, CERTA-2012-AVI-473, CVE-2012-4681, VU#636312]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-55336, CVE-2012-1682, ZDI-12-197]

An attacker can use a vulnerability of Beans, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-55337, CVE-2012-3136]

computer vulnerability announce CVE-2012-4681

Java JRE 7: code execution via ClassFinder and getField

Synthesis of the vulnerability

An attacker can create an HTML page containing a malicious Java applet, in order to execute code on victim's computer.
Impacted products: Fedora, HP-UX, Windows (platform) ~ not comprehensive, Java OpenJDK, Java Oracle, RHEL, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 27/08/2012.
Revision date: 28/08/2012.
Identifiers: BID-55213, c03533078, CERTA-2012-ALE-005, CERTA-2012-AVI-473, CERTA-2012-AVI-595, CVE-2012-3539-REJECT, CVE-2012-4681, FEDORA-2012-13131, FEDORA-2012-13138, HPSBUX02824, RHSA-2012:1221-01, RHSA-2012:1222-01, RHSA-2012:1223-01, RHSA-2012:1225-01, SE-2012-01, SSRT100970, SUSE-SU-2012:1231-1, VIGILANCE-VUL-11897, VU#636312.

Description of the vulnerability

The Java Plug-in is called to display Java applets contained in an HTML page. These applets run in a jail, in order to forbid access to the system.

The ClassFinder.resolveClass() (or Class.forName("name")) method can be used to access the Class object from its name expressed as a String.

The Expression.execute() method calls a method on a class.

An attacker can use Expression.execute() with Class.forName("sun.awt.SunToolkit") to load the class "sun.awt.SunToolkit", which is in a restricted package. Then, he can call Expression.execute() again to call the method SunToolkit.getField(Statement(setSecurityManager), "acc") to access the restricted acc (AccessControlContext) field. Finally, he can change the permissions (by changing the ProtectionDomain to "file:///") of the security manager.

An attacker can therefore create an HTML page containing a malicious Java applet, in order to execute code on victim's computer.

computer vulnerability CVE-2012-2739

Java Language: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data generating storage collisions, in order to overload a service.
Impacted products: Java OpenJDK, Java Oracle.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 18/06/2012.
Identifiers: CVE-2012-2739, VIGILANCE-VUL-11715.

Description of the vulnerability

The bulletin VIGILANCE-VUL-11254 describes a vulnerability which can be used to create a denial of service on several applications.

This vulnerability impacts the Java language (java.util.HashMap, Hashtable, LinkedHashMap, WeakHashMap and ConcurrentHashMap).

In order to simplify VIGILANCE-VUL-11254, which was too big, solutions for Java were moved here.

vulnerability bulletin CVE-2012-0551 CVE-2012-1711 CVE-2012-1713

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Debian, Fedora, HP-UX, IBM IMS, Tivoli System Automation, WebSphere MQ, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, vCenter Server.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 14.
Creation date: 13/06/2012.
Identifiers: BID-53946, BID-53947, BID-53948, BID-53949, BID-53950, BID-53951, BID-53952, BID-53953, BID-53954, BID-53956, BID-53958, BID-53959, BID-53960, c03441075, CERTA-2012-AVI-331, CERTA-2012-AVI-452, CERTA-2012-AVI-607, CERTA-2012-AVI-666, CVE-2012-0551, CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1720, CVE-2012-1721, CVE-2012-1722, CVE-2012-1723, CVE-2012-1724, CVE-2012-1725, CVE-2012-1726, DSA-2507-1, ESX400-201209001, ESX400-201209401-SG, ESX400-201209402-SG, ESX400-201209404-SG, FEDORA-2012-9541, FEDORA-2012-9545, FEDORA-2012-9590, FEDORA-2012-9593, HPSBUX02805, IC87301, javacpujun2012, MDVSA-2012:095, openSUSE-SU-2012:0828-1, PM65379, RHSA-2012:0729-01, RHSA-2012:0730-01, RHSA-2012:0734-01, RHSA-2012:1009-01, RHSA-2012:1019-01, RHSA-2012:1238-01, RHSA-2012:1243-01, RHSA-2012:1245-01, RHSA-2012:1289-01, RHSA-2012:1332-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100919, SUSE-SU-2012:0762-1, SUSE-SU-2012:1177-1, SUSE-SU-2012:1177-2, SUSE-SU-2012:1204-1, SUSE-SU-2012:1231-1, SUSE-SU-2012:1264-1, SUSE-SU-2012:1265-1, SUSE-SU-2012:1475-1, swg21615246, swg21617572, swg21632667, swg21632668, swg21633991, swg21633992, VIGILANCE-VUL-11703, VMSA-2012-0003.1, VMSA-2012-0005.3, VMSA-2012-0008.1, VMSA-2012-0013.1, ZDI-12-142, ZDI-12-189.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D (BasicService.showDocument), in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53946, CVE-2012-1713, ZDI-12-142]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53959, CVE-2012-1721, ZDI-12-189]

An attacker can use a vulnerability of Deployment, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53953, CVE-2012-1722]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53960, CVE-2012-1723]

An attacker can use a vulnerability of Hotspot, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53954, CVE-2012-1725]

An attacker can use a vulnerability of Swing, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53947, CVE-2012-1716]

An attacker can use a vulnerability of CORBA, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53949, CVE-2012-1711]

An attacker can use a vulnerability of Libraries, in order to obtain or alter information. [severity:2/4; BID-53948, CVE-2012-1726]

An attacker can use a vulnerability of Deployment, in order to obtain information, or to create a denial of service. [severity:2/4; CVE-2012-0551]

An attacker can use a vulnerability of CORBA, in order to alter information. [severity:2/4; BID-53950, CVE-2012-1719]

An attacker can use a vulnerability of CVE-2012-1724, in order to create a denial of service. [severity:2/4; BID-53958, CVE-2012-1724]

An attacker can use a vulnerability of Security, in order to create a denial of service. [severity:2/4; BID-53951, CVE-2012-1718]

An attacker can use a vulnerability of Networking, in order to obtain information, to alter information, or to create a denial of service. [severity:2/4; BID-53956, CVE-2012-1720]

An attacker can use a vulnerability of JRE, in order to obtain information. [severity:1/4; BID-53952, CVE-2012-1717]

vulnerability alert CVE-2011-5035

Java Lightweight HTTP Server: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data generating storage collisions, in order to overload a service.
Impacted products: Debian, HP-UX, Mandriva Linux, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive.
Severity: 3/4.
Consequences: denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/02/2012.
Identifiers: BID-51236, c03254184, c03350339, CVE-2011-4838-ERROR, CVE-2011-5035, DSA-2420-1, HPSBUX02757, HPSBUX02784, MDVSA-2012:021, openSUSE-SU-2012:0309-1, RHSA-2012:0139-01, RHSA-2012:0514-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100779, SSRT100871, SUSE-SU-2012:0308-1, VIGILANCE-VUL-11381.

Description of the vulnerability

The bulletin VIGILANCE-VUL-11254 describes a vulnerability which can be used to create a denial of service on several applications.

This vulnerability impacts Java Lightweight HTTP Server.

In order to simplify VIGILANCE-VUL-11254, which was too big, solutions for Java were moved here.

computer vulnerability bulletin CVE-2011-3563 CVE-2011-3571 CVE-2011-5035

Java JRE/JDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of Java JRE/JDK can be used by a malicious applet/application in order to execute code or to obtain information. A legitimate applet/application, handling malicious data, can also be forced to execute code.
Impacted products: Debian, Fedora, HPE NNMi, HP-UX, Tivoli System Automation, Mandriva Linux, Windows (platform) ~ not comprehensive, Java OpenJDK, openSUSE, Java Oracle, RHEL, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, ESX, vCenter Server, VMware vSphere.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: document.
Number of vulnerabilities in this bulletin: 14.
Creation date: 15/02/2012.
Identifiers: BID-52009, BID-52010, BID-52011, BID-52012, BID-52013, BID-52014, BID-52015, BID-52016, BID-52017, BID-52018, BID-52019, BID-52020, BID-52161, c03254184, c03266681, c03316985, c03350339, c03358587, c03405642, CERTA-2012-AVI-085, CERTA-2012-AVI-286, CERTA-2012-AVI-395, CERTA-2012-AVI-479, CVE-2011-3563, CVE-2011-3571, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0504, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507, CVE-2012-0508, DSA-2420-1, ESX410-201208101-SG, ESX410-201208102-SG, ESX410-201208103-SG, ESX410-201208104-SG, ESX410-201208105-SG, ESX410-201208106-SG, ESX410-201208107-SG, FEDORA-2012-1690, FEDORA-2012-1711, FEDORA-2012-1721, HPSBMU02797, HPSBMU02799, HPSBUX02757, HPSBUX02760, HPSBUX02777, HPSBUX02784, javacpufeb2012, MDVSA-2012:021, openSUSE-SU-2012:0309-1, PRE-SA-2012-01, RHSA-2012:0135-01, RHSA-2012:0139-01, RHSA-2012:0322-01, RHSA-2012:0508-01, RHSA-2012:0514-01, RHSA-2012:0702-01, RHSA-2012:1080-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100779, SSRT100805, SSRT100854, SSRT100867, SSRT100871, SUSE-SU-2012:0308-1, SUSE-SU-2012:0602-1, SUSE-SU-2012:0603-1, SUSE-SU-2012:0734-1, SUSE-SU-2012:0881-1, SUSE-SU-2012:1013-1, swg21632667, swg21632668, swg21633991, swg21633992, TPTI-12-01, TSL20120214-01, VIGILANCE-VUL-11368, VMSA-2012-0005.2, VMSA-2012-0005.4, VMSA-2012-0013, VMSA-2012-0013.2, VMSA-2012-0018.1, VMSA-2013-0003, ZDI-12-032, ZDI-12-037, ZDI-12-038, ZDI-12-039, ZDI-12-045, ZDI-12-060, ZDI-12-081, ZDI-12-082, ZDI-12-083.

Description of the vulnerability

Several vulnerabilities were announced in Java JRE/JDK. The most severe vulnerabilities lead to code execution.

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-52009, CVE-2012-0497]

An attacker can use a vulnerability of 2D (readMabCurveData nTblSize), in order to execute code. [severity:4/4; BID-52019, CVE-2012-0498, ZDI-12-032, ZDI-12-060]

An attacker can use a vulnerability of 2D, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-52016, CVE-2012-0499]

An attacker can invite the victim to open a malicious JNLP file, in order to execute code via Java Web Start Deployment. [severity:4/4; BID-52015, CVE-2012-0500, TSL20120214-01, ZDI-12-037, ZDI-12-039]

An attacker can use a vulnerability of JavaFX, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-52010, CVE-2012-0508, ZDI-12-038]

An attacker can use a vulnerability of Install, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-52020, CVE-2012-0504]

An attacker can use a vulnerability of Concurrency, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-52161, CVE-2011-3571, CVE-2012-0507]

An attacker can use a vulnerability of I18n, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-52018, CVE-2012-0503]

An attacker can use a vulnerability of Serialization, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-52017, CVE-2012-0505]

An attacker can use a vulnerability of AWT, in order to obtain information, or to create a denial of service. [severity:3/4; BID-52011, CVE-2012-0502]

An attacker can use a vulnerability of Sound, in order to obtain information, or to create a denial of service. [severity:3/4; BID-52012, CERTA-2012-AVI-085, CVE-2011-3563]

An attacker can post HTTP data to Lightweight HTTP Server generating storage collisions, in order to overload a remote web server (VIGILANCE-VUL-11381). [severity:3/4; CVE-2011-5035]

An attacker can use a ZIP archive generating an infinite loop in the JRE. [severity:3/4; BID-52013, CVE-2012-0501, PRE-SA-2012-01]

An attacker can use a vulnerability of CORBA, in order to alter information. [severity:2/4; BID-52014, CVE-2012-0506]

vulnerability announce 11212

Java: bypassing the update check

Synthesis of the vulnerability

When the Java JRE is automatically updated, an attacker can replace the binary to be downloaded by a program calling a Trojan, which is neither detected nor rejected.
Impacted products: Java OpenJDK, Java Oracle.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet server.
Creation date: 13/12/2011.
Identifiers: BID-50986, VIGILANCE-VUL-11212.

Description of the vulnerability

The Java JRE can be automatically updated. In this case, it downloads an XML document from the java.sun.com site, which indicates the URL of the updated program (for example http://javadl.sun.com/.../jre-6update-windows.exe). The JRE then checks whether this program is signed by Sun before accepting to execute it.

However, an attacker can create a fake XML file, replacing "jre-6update-windows.exe" by "javaws.exe" (Java Web Start), and indicating a malicious JNLP (Java Network Launching Protocol) as an option. He can then intercept the JRE query to http://javadl.sun.com/ (which does not use TLS/SSL), and return the fake XML file to the victim. The JRE then checks if this program is signed by Sun, so it checks that javaws.exe is signed, which is the case. The JRE thus accepts to execute Java Web Start with a malicious JNLP file.

When the Java JRE is automatically updated, an attacker can therefore replace the binary to be downloaded by a program calling a Trojan, which is neither detected nor rejected.
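
The weakness described above is that a vendor signature alone does not prove the downloaded program is the expected updater. The following check is an added example, not code from this bulletin or from Oracle; the manifest schema (`<update>`, `<url>`, `<options>`), the host javadl.example.com and the file-name pattern are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Assumptions for illustration: allow-listed host and expected installer name.
ALLOWED_HOSTS = {"javadl.example.com"}
INSTALLER_NAME = re.compile(r"jre-[0-9a-z]+-windows\.exe")


def check_update(manifest_url, manifest_xml):
    """Return the reasons to reject an update manifest; [] means accept.

    These checks run in addition to the vendor-signature check, which the
    substituted javaws.exe passes on its own.
    """
    problems = []
    if urlsplit(manifest_url).scheme != "https":
        problems.append("manifest fetched without TLS")
    # A manifest of this kind has no use for a DTD; refuse before parsing.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        return problems + ["manifest declares a DTD or entities"]

    root = ET.fromstring(manifest_xml)
    target = urlsplit((root.findtext("url") or "").strip())
    options = (root.findtext("options") or "").strip()

    if target.scheme != "https" or target.hostname not in ALLOWED_HOSTS:
        problems.append("download URL is not HTTPS on an allow-listed host")
    # Bind the signature check to the artifact that is expected, by name.
    name = target.path.rsplit("/", 1)[-1]
    if not INSTALLER_NAME.fullmatch(name):
        problems.append("unexpected program name: " + name)
    # An installer takes no arguments from the network.
    if options:
        problems.append("manifest passes launch options to the program")
    return problems


# Constructed samples (hypothetical schema), not captured traffic.
GENUINE = ("https://javadl.example.com/update/map.xml",
           "<update><url>https://javadl.example.com/update/"
           "jre-6update-windows.exe</url></update>")
TAMPERED = ("http://javadl.example.com/update/map.xml",
            "<update><url>http://javadl.example.com/update/javaws.exe</url>"
            "<options>http://untrusted.example/app.jnlp</options></update>")

if __name__ == "__main__":
    for label, (url, body) in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(label, check_update(url, body) or "accepted")
```

Even when the manifest arrives over TLS, the file-name and options checks are what reject a different vendor-signed program.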

computer vulnerability announce CVE-2010-4448 CVE-2011-3552

Windows, Java: poisoning the DNS cache

Synthesis of the vulnerability

An attacker can open numerous UDP ports, in order to facilitate a DNS cache poisoning attack.
Impacted products: HP-UX, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 7, Windows (platform) ~ not comprehensive, Windows Vista, Windows XP, Java OpenJDK, Java Oracle, DNS protocol, RHEL, Unix (platform) ~ not comprehensive.
Severity: 1/4.
Consequences: data creation/edition, data flow.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 20/10/2011.
Identifiers: BID-50281, c03266681, CVE-2010-4448, CVE-2011-3552, HPSBUX02760, javacpuoct2011, RHSA-2012:0006-01, RHSA-2013:1455-01, RHSA-2013:1456-01, SSRT100805, VIGILANCE-VUL-11087.

Description of the vulnerability

The DNS protocol is used to obtain the IP address associated with a computer name:
 - the client sends a query from a 16-bit UDP source port, containing a 16-bit TXID identifier
 - the server replies to the UDP source port, with the TXID received in the query
An attacker who spoofs a DNS reply packet thus has to guess 32 bits in order to poison the client DNS cache.

However, if an attacker runs a malicious program on the client which opens most UDP ports, the DNS resolver then uses the remaining free ports. The attacker thus only has to guess the 16 bits of TXID.

This malicious program can be run by an unprivileged local attacker (on a Windows computer shared between several users). This malicious program can also be a Java applet located on a web site visited by the victim.

On Windows, the local attacker is allowed to flush the DNS cache between each trial. He can thus retry as many times as necessary until he guesses the TXID.

An attacker can therefore open numerous UDP ports, in order to facilitate a DNS cache poisoning attack.
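
The condition described above is visible from a host's socket listing: one process holds most of the source-port range, and the resolver's remaining entropy collapses toward the 16 bits of TXID. The following detector is an added example, not part of the bulletin; the ephemeral range 49152-65535, the 50% threshold and the sample data are assumptions, and with that narrower range the healthy baseline is below the theoretical 32 bits.

```python
import math
from collections import Counter

# Assumptions for illustration: the source-port range the resolver draws
# from, and the share of it one process may hold before being flagged.
EPHEMERAL = range(49152, 65536)
TXID_BITS = 16


def assess_udp_ports(bound, hoard_threshold=0.5):
    """Assess (pid, udp_port) pairs taken from a socket listing.

    Returns (guess_bits, hoarders): the bits an off-path spoofer must guess
    (TXID plus the choice among still-free source ports), and the PIDs that
    hold more than hoard_threshold of the ephemeral range.
    """
    in_range = {(pid, port) for pid, port in bound if port in EPHEMERAL}
    used_ports = {port for _, port in in_range}
    per_pid = Counter(pid for pid, _ in in_range)

    free = len(EPHEMERAL) - len(used_ports)
    port_bits = math.log2(free) if free > 0 else 0.0
    hoarders = sorted(pid for pid, count in per_pid.items()
                      if count / len(EPHEMERAL) > hoard_threshold)
    return TXID_BITS + port_bits, hoarders


# Constructed samples, not captured from a real host.
NORMAL = [(812, 49152), (812, 49153), (1304, 53011), (1304, 137)]
# PID 4242 has bound every ephemeral port except the last four.
HOARDED = NORMAL + [(4242, port) for port in list(EPHEMERAL)[:-4]]

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("hoarded", HOARDED)):
        bits, pids = assess_udp_ports(sample)
        print(f"{label}: {bits:.2f} bits to guess, hoarding PIDs: {pids}")
```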