Skip to main content

Sun Java Multiple Code Execution and Security Bypass Vulnerabilities

Last Update Date: 28 Jan 2011 Release Date: 5 Nov 2009 5522 Views

RISK: Medium Risk

Multiple vulnerabilities have been identified in Sun Java, which could be exploited by attackers to bypass security restrictions, disclose sensitive information, cause a denial of service, or compromise an affected system.

1. An errors when decoding DER encoded data and parsing HTTP headers, which may allow a remote client to cause the JRE on the server to run out of memory, creating a denial of service condition.

2. An error when verifying HMAC digests, which may allow authentication to be bypassed via a forged digital signature.

3. An error in the Java Web Start Installer, which may be leveraged to allow an untrusted Java Web Start application to run as a trusted application and execute arbitrary code.

4. An error in the Java Runtime Environment Deployment Toolkit, which could be exploited by malicious web sites to execute arbitrary commands.

5. An error in the Java Runtime Environment Java Update mechanism, when running on non-English versions of the Windows operating system, not updating the JRE when a new version is available.

Various buffer and integer overflow errors exist within the processing of malformed audio and image files, which may allow an untrusted applet or Java Web Start application to escalate privileges and execute arbitrary code or read/write local files.


Impact

  • Denial of Service
  • Remote Code Execution
  • Security Restriction Bypass
  • Information Disclosure

System / Technologies affected

  • Sun Java JDK and JRE version 6 Update 16 and prior
  • Sun Java JDK and JRE version 5.0 Update 21 and prior
  • Sun Java SDK and JRE version 1.4.2_23 and prior
  • Sun Java SDK and JRE version 1.3.1_26 and prior

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

Upgrade to Sun JDK and JRE 6 Update 17 or later :
http://java.sun.com/javase/downloads/index.jsp

Upgrade to Sun JDK and JRE 5.0 Update 22 or later :
http://java.sun.com/javase/downloads/index_jdk5.jsp

Upgrade to Sun SDK and JRE 1.4.2_24 or later :
http://java.sun.com/j2se/1.4.2/download.html

Upgrade to Sun SDK and JRE 1.3.1_27 or later :
http://java.sun.com/j2se/1.3/download.html

Java SE for Business :
http://www.sun.com/software/javaseforbusiness/getit_download.jsp

Apple Mac OS X 10.6Apply Java Update 1 :
http://support.apple.com/kb/DL972

Apple Mac OS X 10.5Apply Java Update 6 :
http://support.apple.com/kb/DL971


Vulnerability Identifier


Source


Related Link