The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Sun JDK

vulnerability announcement CVE-2008-1185 CVE-2008-1186 CVE-2008-1187

Java JDK/JRE/SDK: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities were announced in Java JDK/JRE/SDK.
Impacted products: Fedora, NLD, OES, openSUSE, Java Oracle, RHEL, SLES, ESX.
Severity: 4/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 04/03/2008.
Revision date: 06/03/2008.
Identifiers: 233321, 233322, 233323, 233324, 233325, 233326, 233327, 6587132, 6588002, 6593303, 6605184, 6605187, 6608712, 6609756, 6611594, 6623233, 6633265, 6633278, 6634129, 6660121, 6660717, BID-28083, BID-28125, CERTA-2008-AVI-118, CERTA-2008-AVI-476, CESA-2007-005, CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1193, CVE-2008-1194, CVE-2008-1195, CVE-2008-1196, FEDORA-2008-2229, RHSA-2008:0186-01, RHSA-2008:0210-01, RHSA-2008:0243-01, RHSA-2008:0244-01, RHSA-2008:0245-01, RHSA-2008:0267-01, RHSA-2008:0555-01, SUSE-SA:2008:018, SUSE-SA:2008:025, VIGILANCE-VUL-7632, VMSA-2008-00010.3, VU#223028, ZDI-08-009, ZDI-08-010.

Description of the vulnerability

Several vulnerabilities were announced in Java JDK/JRE/SDK.

An applet can exploit two vulnerabilities in the Java Runtime Environment virtual machine to access files or execute code. [severity:4/4; 233321, 6587132, 6593303, CERTA-2008-AVI-118, CERTA-2008-AVI-476, CVE-2008-1185, CVE-2008-1186]

An applet can use XSLT to access resources via a URL, execute code or create a denial of service. [severity:3/4; 233322, 6588002, CVE-2008-1187]

Three buffer overflows in Java Web Start permit an application to execute code. Two other vulnerabilities can be used to access files. [severity:4/4; 233323, 6605184, 6605187, 6609756, 6611594, 6623233, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, ZDI-08-009, ZDI-08-010]

An applet can execute software installed on the computer. [severity:3/4; 233324, 6608712, CVE-2008-1192]

An applet can use a malicious image to execute code or create a denial of service. [severity:4/4; 233325, 6633265, 6633278, 6660717, BID-28125, CESA-2007-005, CVE-2008-1193, CVE-2008-1194]

JavaScript code can use the JRE to connect to network services. [severity:2/4; 233326, 6634129, CVE-2008-1195]

An application can trigger an overflow in Java Web Start in order to execute code. [severity:4/4; 233327, 6660121, CVE-2008-1196, VU#223028]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2008-0657

Java JDK/JRE: two vulnerabilities

Synthesis of the vulnerability

Two vulnerabilities permit an applet or an application to access a file or to execute commands.
Impacted products: WebSphere AS Traditional, NSM Central Manager, NLD, OES, Java Oracle, Solaris, Trusted Solaris, RHEL, SLES, ESX.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 06/02/2008.
Identifiers: 231261, 6529590, 6529591, BID-27650, CERTA-2008-AVI-044, CVE-2008-0657, PK64999, PK65161, PSN-2011-02-159, RHSA-2008:0123-01, RHSA-2008:0156-02, RHSA-2008:0210-01, SUSE-SA:2008:025, VIGILANCE-VUL-7549, VMSA-2008-00010.3.

Description of the vulnerability

Two vulnerabilities were announced in Java JDK/JRE.

A malicious applet or application can read and write local files. [severity:2/4]

A malicious applet or application can execute a local application. [severity:3/4]

computer vulnerability note CVE-2008-0628

Java JRE: file access via XML entities

Synthesis of the vulnerability

An attacker can supply XML data that declares an external entity, in order to read the content of a file or to create a denial of service.
Impacted products: Java Oracle, RHEL.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 01/02/2008.
Revision date: 04/02/2008.
Identifiers: 231246, 6568262, BID-27553, CERTA-2008-AVI-216, CESA-2007-002, CVE-2008-0628, RHSA-2008:0245-01, VIGILANCE-VUL-7539.

Description of the vulnerability

XML data can declare external entities in its DTD:
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
When the document is parsed, the parser may replace each reference to such an entity with the data read from the file or URL. When the program parses XML data coming from an untrusted source, this behaviour leads to:
 - disclosure of the content of files on the server
 - scanning of private (internal) web sites
 - a denial of service by opening a file that blocks on read

To prevent this attack, this feature ("external general entities") is disabled in the JRE. However, because of a regression introduced in version 6, the JRE expands these entities regardless of that setting.

When a Java program handles XML data from an untrusted source, an attacker can therefore read files or create a denial of service.
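As an added example (not part of the Vigil@nce bulletin and not Sun's code), the following Java program parses a constructed document carrying an external general entity, first with the out-of-the-box DocumentBuilderFactory and then with the parser features that switch external entity resolution off; the first feature string is the "external general entities" feature the bulletin refers to. The entity's file path, the class name and the sample document are assumptions for illustration. On a JRE affected by this bulletin the hardened settings are ignored, so there the only fix is the vendor update; on a fixed JRE the entity is left unexpanded.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;

public class XxeCheck {

    // Constructed sample input: an external general entity that points at a
    // local file. On a parser that expands it, the element text becomes the
    // file content; in a real attack that text is echoed back or sent out.
    static final String UNTRUSTED_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
        + "<doc>&xxe;</doc>";

    /** Parses UNTRUSTED_XML with the given factory and returns the text of <doc>. */
    static String parseWith(DocumentBuilderFactory factory) throws Exception {
        DocumentBuilder builder = factory.newDocumentBuilder();
        Document doc = builder.parse(
            new ByteArrayInputStream(UNTRUSTED_XML.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    /** Factory as obtained out of the box: external general entities are expanded. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /**
     * Hardened factory. The first feature is the one the bulletin names; the
     * others close the parameter-entity and external-DTD variants. On a JRE
     * affected by this bulletin these settings are ignored (see above), so
     * there only the vendor update helps.
     */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Strictest option: refuse any document that carries a DOCTYPE at all. */
    static DocumentBuilderFactory noDoctypeFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    /** Describes what the parser did with the entity reference. */
    static String describe(DocumentBuilderFactory f) {
        try {
            String text = parseWith(f);
            return text.isEmpty()
                ? "entity not expanded"
                : "entity expanded to " + text.length() + " chars of file content";
        } catch (Exception e) {
            // disallow-doctype-decl raises a SAXParseException; a missing
            // file raises an IOException from the entity fetch
            return "rejected or failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default    : " + describe(defaultFactory()));
        System.out.println("hardened   : " + describe(hardenedFactory()));
        System.out.println("no DOCTYPE : " + describe(noDoctypeFactory()));
    }
}
```

Prefer the DOCTYPE ban whenever the application has no legitimate need for DTDs: it removes the whole entity mechanism rather than relying on each feature being honoured by the parser in use.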

vulnerability announcement CVE-2007-4381

Java JRE, JDK, SDK: privilege elevation via a font

Synthesis of the vulnerability

A malicious Java applet can trigger an error while a font is parsed, in order to execute code.
Impacted products: WebSphere AS Traditional, NLD, OES, Java Oracle, RHEL, SLES.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 16/08/2007.
Revision date: 30/10/2007.
Identifiers: 102934, 103024, 6376296, 6483556, 6483560, BID-25340, CVE-2007-4381, NGS00419, PK64999, PK65161, RHSA-2007:0956-01, RHSA-2007:1086-01, RHSA-2008:0100-01, RHSA-2008:0132-01, SUSE-SA:2008:025, VIGILANCE-VUL-7102.

Description of the vulnerability

A TrueType font file contains instructions that convert a character outline to a bitmap image ("hinting language"). This micro-language supports loops, conditional branches (if), variables, functions, instructions operating on points, etc.

The CVT (Control Value Table) holds global values about the appearance of characters: generic horizontal width, generic horizontal height, rounding values, etc. The WCVTP (opcode 0x44) and WCVTF (opcode 0x70) instructions write a control value (CV), and RCVT (opcode 0x45) reads one:
 - WCVTP value, location
 - RCVT location

However, the TrueType interpreter in JRE/JDK/SDK does not check the value of the "location" parameter against the size of the table. An attacker can thus read from or write to an arbitrary memory location.

This vulnerability therefore permits an applet to elevate its privileges.
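To make the missing check concrete, here is an added example (written for this page, not code from the JRE's font engine) of a tiny Java interpreter for the PUSHB[0], WCVTP/WCVTF and RCVT instructions. The table occupies the first eight slots of a flat memory array and a hypothetical "sandboxed" flag sits right after it; with index checking disabled, a glyph program that targets CVT index 8 overwrites or reads that flag, while with checking enabled the same program is rejected. The opcode values are those of the TrueType instruction set; the flag, the memory layout, the glyph programs and the class name are assumptions.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Minimal model of the CVT instructions named in the bulletin. */
public class CvtInterpreter {
    // Opcodes from the TrueType instruction set.
    static final int WCVTP = 0x44, RCVT = 0x45, WCVTF = 0x70, PUSHB0 = 0xB0;

    static final int CVT_SIZE = 8;      // entries in the Control Value Table
    static final int MEM_SIZE = 16;     // whole interpreter memory, modelled as one array
    static final int FLAG_INDEX = 8;    // hypothetical "sandboxed" flag stored right after the CVT

    final int[] mem = new int[MEM_SIZE];
    final Deque<Integer> stack = new ArrayDeque<>();
    final boolean checked;              // true: validate CVT indices; false: the bug class above
    boolean rejected;

    CvtInterpreter(boolean checked) {
        this.checked = checked;
        mem[FLAG_INDEX] = 1;            // 1 = applet still sandboxed (hypothetical flag)
    }

    // With checked == false the only bound is the modelled memory itself; that
    // keeps this demo inside Java's array bounds while standing in for native
    // code that validated nothing.
    private boolean indexOk(int loc) {
        int limit = checked ? CVT_SIZE : MEM_SIZE;
        if (loc < 0 || loc >= limit) {
            rejected = true;
            return false;
        }
        return true;
    }

    /** Runs a glyph program; returns false if an instruction was rejected or malformed. */
    boolean run(int[] prog) {
        int pc = 0;
        while (pc < prog.length) {
            int op = prog[pc++];
            switch (op) {
                case PUSHB0:                           // PUSHB[0]: push one byte
                    if (pc >= prog.length) return false;
                    stack.push(prog[pc++] & 0xFF);
                    break;
                case WCVTP:
                case WCVTF: {                          // pops value, then location
                    if (stack.size() < 2) return false;
                    int value = stack.pop(), loc = stack.pop();
                    if (!indexOk(loc)) return false;
                    mem[loc] = value;
                    break;
                }
                case RCVT: {                           // pops location, pushes the CV
                    if (stack.isEmpty()) return false;
                    int loc = stack.pop();
                    if (!indexOk(loc)) return false;
                    stack.push(mem[loc]);
                    break;
                }
                default:
                    return false;                      // opcode not modelled here
            }
        }
        return true;
    }

    // Constructed glyph programs. CVT index 8 is one past the 8-entry table.
    static final int[] CLEAR_FLAG = { PUSHB0, FLAG_INDEX, PUSHB0, 0, WCVTP }; // write 0 to CVT[8]
    static final int[] READ_FLAG  = { PUSHB0, FLAG_INDEX, RCVT };             // read CVT[8]

    /** Flag value after running CLEAR_FLAG: 0 means the write escaped the table. */
    static int flagAfterWrite(boolean checked) {
        CvtInterpreter vm = new CvtInterpreter(checked);
        vm.run(CLEAR_FLAG);
        return vm.mem[FLAG_INDEX];
    }

    /** Value RCVT left on the stack, or -1 if the read was rejected. */
    static int valueRead(boolean checked) {
        CvtInterpreter vm = new CvtInterpreter(checked);
        if (!vm.run(READ_FLAG) || vm.stack.isEmpty()) return -1;
        return vm.stack.pop();
    }

    public static void main(String[] args) {
        System.out.println("unchecked: flag=" + flagAfterWrite(false) + " read=" + valueRead(false));
        System.out.println("checked:   flag=" + flagAfterWrite(true) + " read=" + valueRead(true));
    }
}
```

The fix is the single comparison in indexOk against CVT_SIZE: every index an untrusted font supplies to a table-addressing instruction has to be validated before use, for reads (information leak) as well as writes (memory corruption).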

vulnerability CVE-2007-3922

JRE, JDK, SDK: connection to a local port

Synthesis of the vulnerability

A Java applet can connect to a local port of victim's computer.
Impacted products: OpenView, OpenView Operations, openSUSE, Java Oracle, RHEL, Slackware, SLES.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 19/07/2007.
Revision date: 30/10/2007.
Identifiers: 102934, 102958, 102995, 6483556, 6483560, 6490790, BID-25054, c01269450, CERTA-2007-AVI-349, CVE-2007-3922, HPSBMA02288, NGS00443, RHSA-2007:0818-01, RHSA-2007:0829-01, RHSA-2008:0133-01, SSA:2007-243-01, SSRT071465, SUSE-SA:2007:056, VIGILANCE-VUL-7020.

Description of the vulnerability

The APPLET tag inserts a Java applet in an HTML page. For example:
  <APPLET codebase="http://internet-server/dir" code="name.class">
The "codebase" attribute indicates the directory containing the applet.

A Java applet coming from the internet normally cannot access resources of the computer. However, if the codebase attribute starts with "verbatim:", the applet is loaded from the internet server, but the Java plugin treats it as local.

This applet can thus connect to local ports of the victim's computer.

An attacker can therefore obtain information or exploit a vulnerability of these services.

computer vulnerability announcement CVE-2007-5689

JRE: privilege escalation of an applet

Synthesis of the vulnerability

A remote attacker can create a malicious Java applet in order to run code on the machine of the target.
Impacted products: HP-UX, WebSphere AS Traditional, Java Oracle, Solaris, Trusted Solaris, ESX.
Severity: 3/4.
Consequences: user access/rights, data creation/edition.
Provenance: document.
Creation date: 24/10/2007.
Identifiers: 103112, 6571539, c01234533, CVE-2007-5689, HPSBUX02284, PK64999, PK65161, SSRT071483, VIGILANCE-VUL-7277, VMSA-2008-00010.3.

Description of the vulnerability

Java applets loaded by users run in the virtual machine integrated in the JRE.

A vulnerability in the implementation of the JRE virtual machine permits a malicious applet to elevate its privileges and run code on the user's machine with the user's rights.

A remote attacker can thus create a malicious Java applet in order to run code with user rights.

vulnerability announcement CVE-2007-5232 CVE-2007-5236 CVE-2007-5237

Java JDK/SDK/JRE: multiple vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of the Java JDK/SDK/JRE environment permit an attacker to access files or to create network connections.
Impacted products: HP-UX, NLD, OES, openSUSE, Java Oracle, Solaris, Trusted Solaris, RHEL, SLES, ESX.
Severity: 3/4.
Consequences: data reading, data creation/edition, data flow.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 04/10/2007.
Revision date: 23/10/2007.
Identifiers: 103071, 103072, 103073, 103078, 103079, 6569621, 6589527, 6590813, 6590827, 6590837, 6590850, 6590857, 6594007, 6609269, BID-25918, BID-25920, c01234533, CERTA-2007-AVI-440, CVE-2007-5232, CVE-2007-5236, CVE-2007-5237, CVE-2007-5238, CVE-2007-5239, CVE-2007-5240, CVE-2007-5273, CVE-2007-5274, HPSBUX02284, RHSA-2007:0963-01, RHSA-2007:1041-01, RHSA-2008:0100-01, RHSA-2008:0132-01, RHSA-2008:0156-02, SSRT071483, SUSE-SA:2007:055, SUSE-SA:2008:025, VIGILANCE-VUL-7212, VMSA-2008-00010.3, VU#336105.

Description of the vulnerability

Several vulnerabilities of the Java JDK/SDK/JRE environment permit an attacker to access files or to create network connections.

An applet can create a large window in order to mask other windows or the user's desktop. [severity:3/4; 103071, 6589527, CVE-2007-5240]

A Java applet or a Java Web Start application can invite the victim to drag and drop a file, in order to create it on his computer. [severity:3/4; 103072, 6590857, CVE-2007-5239]

A Java Web Start application can read or write files on the victim's computer, or obtain the location of the cache. [severity:3/4; 103073, 6590813, 6590827, 6590837, 6590850, BID-25920, CVE-2007-5236, CVE-2007-5237, CVE-2007-5238]

A Java applet or JavaScript code can connect to computers other than the originating server. [severity:3/4; 103078, 6569621, 6609269, CVE-2007-5273, CVE-2007-5274]

A Java applet can connect to computers other than the originating server. [severity:3/4; 103079, 6594007, CERTA-2007-AVI-440, CVE-2007-5232, VU#336105]

computer vulnerability announcement CVE-2007-2788 CVE-2007-2789

JDK: buffer overflow via a BMP or JPG image

Synthesis of the vulnerability

An attacker can create a malicious BMP or JPG image in order to execute code on the computer of a victim who opens it with a JDK application.
Impacted products: NLD, OES, Java OpenJDK, openSUSE, Java Oracle, RHEL, SLES, ESX.
Severity: 1/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 16/05/2007.
Revision date: 23/10/2007.
Identifiers: 102686, 102934, 6466389, 6469538, 6483556, 6483560, BID-24004, BID-24267, CESA-2006-004, CVE-2007-2788, CVE-2007-2789, CVE-2007-3004-REJECT, CVE-2007-3005-REJECT, RHSA-2007:0817-01, RHSA-2007:0818-01, RHSA-2007:0829-01, RHSA-2007:0956-01, RHSA-2007:1086-01, RHSA-2008:0100-01, RHSA-2008:0133-01, RHSA-2008:0261-01, RHSA-2008:0524-01, SUSE-SA:2007:045, SUSE-SA:2007:056, VIGILANCE-VUL-6817, VMSA-2008-0002, VMSA-2008-0002.1, VU#138545.

Description of the vulnerability

The javax.imageio.ImageIO class reads and writes images for a Java application. This class has two vulnerabilities.

An ICC profile (International Color Consortium) defines the colour corrections to apply on each device so that identical colours are displayed. Some image types, such as JPEG or PNG, can embed ICC profiles. An overflow occurs in the JDK's ICC parser for JPEG images while a malicious image is analysed. This overflow can lead to code execution. [severity:1/4; CVE-2007-2788, CVE-2007-3004-REJECT]

Under Linux, the analysis of a malicious BMP image causes a denial of service because the JDK tries to access /dev/tty. [severity:1/4; CVE-2007-2789, CVE-2007-3005-REJECT]

computer vulnerability bulletin CVE-2007-5273 CVE-2007-5274 CVE-2007-5275

Java JRE, Flash: bypassing DNS pinning

Synthesis of the vulnerability

An attacker can create an HTML page calling a plugin and bypassing the DNS pinning protection included in web browsers.
Impacted products: Flash Player, Windows (platform) ~ not comprehensive, NLD, OES, Java Oracle, Solaris, Trusted Solaris, RHEL, SLES, Unix (platform) ~ not comprehensive, ESX.
Severity: 1/4.
Consequences: data reading, data flow.
Provenance: internet server.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/10/2007.
Identifiers: 103078, 6569621, 6609269, APSB07-20, CVE-2007-5273, CVE-2007-5274, CVE-2007-5275, CVE-2007-5375, RHSA-2007:1126-01, SUSE-SA:2008:025, VIGILANCE-VUL-7238, VMSA-2008-00010.3.

Description of the vulnerability

A "DNS rebinding" attack aims to force the web browser to connect to a server different from the one which provided the HTML document. This for example permits an attacker to scan ports or to obtain information from behind the firewall.

This attack uses the following method:
 - The attacker sets up a DNS server for his "attacker.dom" domain. This server answers that the IP address of www.attacker.dom is 1.2.3.4, with a TTL of 10 seconds.
 - The attacker sets up a web server hosting an HTML page containing a script which creates a connection back to the originating server.
 - The attacker invites the victim to connect to his web server.
 - When the HTML page is displayed, the script tries to access the server: as the TTL has expired, the web browser sends a new DNS query. However, this time the attacker's DNS server indicates that the IP address of www.attacker.dom is 192.168.1.1.
 - The script thus connects to the 192.168.1.1 address, which is an internal address.

To protect against this attack, web browsers implement "DNS pinning", which consists in keeping the first IP address in the cache whatever the duration indicated by the TTL. However, plugins keep a cache separate from the web browser's, which permits an attacker to bypass this protection.

An attack can be mounted against the JVM by using LiveConnect, an applet with an HTTP proxy, or relative paths. [severity:1/4; 103078, 6569621, 6609269, CVE-2007-5273, CVE-2007-5274, CVE-2007-5375]

An attack can be mounted against the Flash plugin, which also uses a separate cache. [severity:1/4; CVE-2007-5275]
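The sequence above, as an added simulation that is not part of the bulletin: an attacker-controlled resolver answers 1.2.3.4 to the first query and 192.168.1.1 to every later one, and a resolver cache looks the name up twice, 15 seconds apart, once with pinning (the first answer is kept whatever the TTL) and once honouring the 10-second TTL, which is what a plugin with its own cache does. The host name, addresses and TTL are the bulletin's; the class names, timings and the query-counting resolver are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

/** Simulation of the rebinding sequence against two resolver cache policies. */
public class DnsRebindingSim {

    static final String HOST = "www.attacker.dom";
    static final int TTL_SECONDS = 10;

    /** Stand-in for the attacker's authoritative DNS server (constructed answers). */
    static class AttackerDns {
        private int queries;

        String answer(String host) {
            queries++;
            // first answer: the public web server; every later answer: an internal address
            return queries == 1 ? "1.2.3.4" : "192.168.1.1";
        }
    }

    /** Resolver cache; with pinning the first answer is kept whatever the TTL says. */
    static class ResolverCache {
        private final AttackerDns dns;
        private final boolean pinning;
        private final Map<String, String> addr = new HashMap<>();
        private final Map<String, Long> expiry = new HashMap<>();

        ResolverCache(AttackerDns dns, boolean pinning) {
            this.dns = dns;
            this.pinning = pinning;
        }

        String resolve(String host, long nowSeconds) {
            String cached = addr.get(host);
            if (cached != null && (pinning || nowSeconds < expiry.get(host))) {
                return cached;                 // served from cache, no new DNS query
            }
            String ip = dns.answer(host);      // TTL expired (or first lookup): ask the attacker
            addr.put(host, ip);
            expiry.put(host, nowSeconds + TTL_SECONDS);
            return ip;
        }
    }

    /** Where the script's connection goes: page fetched at t=0, script runs at t=15. */
    static String secondConnectionTarget(ResolverCache cache) {
        cache.resolve(HOST, 0);          // the HTML page is fetched from 1.2.3.4
        return cache.resolve(HOST, 15);  // the script connects "back to the origin" after the TTL
    }

    public static void main(String[] args) {
        // The browser pins: the second lookup still yields the first answer.
        ResolverCache browser = new ResolverCache(new AttackerDns(), true);
        System.out.println("browser (pinning)       -> " + secondConnectionTarget(browser));
        // A plugin with its own cache honours the TTL and follows the rebind.
        ResolverCache plugin = new ResolverCache(new AttackerDns(), false);
        System.out.println("plugin (separate cache) -> " + secondConnectionTarget(plugin));
    }
}
```

For the JVM itself, the counterpart of the pinning cache is the InetAddress cache, controlled by the networkaddress.cache.ttl security property in java.security: -1 keeps successful lookups for the lifetime of the JVM, a positive value expires them after that many seconds. The bulletin's point is that the attack routes around that cache (via LiveConnect, a proxy or relative paths), so the property alone is not a fix for the entries listed here.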

vulnerability bulletin CVE-2007-3715 CVE-2007-3716

JDK, JRE: code execution via XSLT style sheets

Synthesis of the vulnerability

When an XML signature contains a malicious style sheet, code can run with the privileges of the application.
Impacted products: Oracle iPlanet Web Server, Java Oracle, Sun AS.
Severity: 1/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/07/2007.
Revision date: 13/07/2007.
Identifiers: 102945, 102992, 102993, 201255, 6519471, 6523817, 6534224, 6540248, 6542007, 6546271, 6567841, 6568090, BID-24850, CVE-2007-3715, CVE-2007-3716, VIGILANCE-VUL-6993.

Description of the vulnerability

Version 6 of the JDK and JRE implements digital signatures in XML format. Such a signature can be associated with an XSLT style sheet.

An attacker can create a malicious style sheet. When the application processes this style sheet, code can be run; the cause may be a buffer overflow.

The attacker can thus execute code with the privileges of the Java application processing XML signatures.