Corsaire Security Advisory: Sun J2RE DoS issue Jan 08 2008 12:36PM
advisories (advisories corsaire com)

-- Corsaire Security Advisory --

Title: Sun J2RE DoS issue
Date: 05.09.06
Application: Sun JRE 5.0 prior to update 14
Environment: Sun JRE
Author: Martin O'Neal [martin.oneal (at) corsaire (dot) com [email concealed]]
Audience: General distribution
Reference: c060905-002

-- Scope --

The aim of this document is to clearly define an issue that exists with
the Sun JRE product [1] that will allow an attacker to cause the JRE and
Internet Explorer to fail, possibly losing unsaved work etc.

-- History --

Discovered: 05.09.06 (Martin O'Neal)
Vendor notified: 09.11.06
Additional analysis: (Kevin O'Reilly)
Document released: 08.01.08

-- Overview --

Sun JRE is described [1] as "the Java APIs, Java Virtual Machine
(HotSpot VM), and other components necessary to run applets and
applications written in the Java programming language".

The software provides a virtualisation layer that allows java
applications to be run across platforms and operating systems. These
java applications can be delivered to the JVM via a number of
mechanisms, and are commonly downloaded from a web server or less
commonly, can be embedded within HTML content.

-- Analysis --

The RFC2397 [2] standard allows for the encoding of java applets within
a URI, allowing it to be embedded in an HTML document.

If an applet is encoded into the data parameter of an object tag with an
undefined "name" attribute, and is then passed to Internet Explorer,
then when the application is unencoded and passed in turn to the JVM it
causes a null pointer exception to occur in jpiexp32.dll.

-- Recommendations --

Upgrade to a version of the Sun JRE product that does not exhibit this
issue (such as Sun JRE 6.0 or JRE 5.0 update 14), and uninstall all
effected versions. This is important, as it is possible for an attacker
to specify which local VM will be used to run an applet (and so select a
vulnerable version).

-- CVE --

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2007-0012 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardises names for
security problems.

-- References --

[1] http://java.sun.com/javase/
[2] http://www.ietf.org/rfc/rfc2397

This bug is tracked by Sun as 6511363.

-- Revision --

a. Initial release.

-- Distribution --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.

-- Disclaimer --

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. Corsaire
accepts no responsibility for any damage caused by the use or misuse of
this information.

-- About Corsaire --

Corsaire are a leading information security consultancy, founded in 1997
in Guildford, Surrey, UK. Corsaire bring innovation, integrity and
analytical rigour to every job, which means fast and dramatic security
performance improvements. Our services centre on the delivery of
information security planning, assessment, implementation, management
and vulnerability research.

A free guide to selecting a security assessment supplier is available at
http://www.penetration-testing.com

Copyright 2006 Corsaire Limited. All rights reserved.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus