A new security vulnerability has been identified in the Sun Java JRE 1.6.x / 6.x software package. A remote attacker can exploit it to disclose and modify data.
Package:
Sun Java JRE 1.6.x / 6.x
Operating systems:
Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7, Ubuntu Linux 10.04, Ubuntu Linux 10.10, Ubuntu Linux 11.04, Ubuntu Linux 11.10
Problem:
improper file handling
Exploitation:
remote
Consequence:
data modification, disclosure of sensitive information
Solution:
workaround
Original advisory ID:
SA47134
Source:
Secunia
Problem:
The security problem lies in the "Java Update" mechanism, which handles the package's update files incorrectly.
Consequence:
A remote attacker can exploit this flaw to disclose sensitive information and modify data.
Solution:
All users of the software package are advised not to use the "Java Update" functionality.
Secunia Advisory SA47134
Oracle Java Software Update Spoofing Vulnerability
Release Date 2011-12-12
Criticality level Less critical
Impact Spoofing
Where From remote
Solution Status Unpatched
Software:
Sun Java JRE 1.6.x / 6.x
CVE Reference(s) No CVE references.
Description
Francisco Amato has reported a vulnerability in Oracle Java, which can be exploited by malicious people to conduct spoofing attacks.
The vulnerability is caused by the "Java Update" mechanism insecurely validating new updates and can be exploited to e.g. spoof an update via Man-in-the-Middle (MitM) attacks.
This is related to vulnerability #12 in SA32991.
The vulnerability is reported in versions 1.6.0.28 and prior.
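As an added illustration (not code from Oracle's updater or from the advisory), these are the client-side checks an update mechanism needs so that a network attacker in a MitM position cannot substitute an update: a certificate-validated TLS context for the download, a digest check of the installer against the manifest, and a version comparison that refuses rollback. Function names and the sample manifest/installer bytes are constructed for this example; a real updater must additionally verify a vendor signature over the manifest, which this stdlib-only snippet does not implement.

```python
import hashlib
import hmac
import ssl


def make_tls_context() -> ssl.SSLContext:
    """TLS context for fetching the manifest and installer.

    Certificate chain and hostname are verified, so an on-path attacker
    without a certificate trusted by the client cannot impersonate the
    update server (the spoofing scenario the advisory describes).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def parse_version(v: str) -> tuple:
    """'1.6.0_28' or '1.6.0.28' -> (1, 6, 0, 28); compared numerically."""
    return tuple(int(part) for part in v.replace("_", ".").split("."))


def validate_update(manifest: dict, installer: bytes, current_version: str) -> tuple:
    """Return (accepted, reason).

    Accept only a strictly newer version whose installer bytes hash to the
    SHA-256 digest announced in the (authenticated) manifest.
    """
    try:
        new_v = parse_version(manifest["version"])
        cur_v = parse_version(current_version)
    except (KeyError, ValueError):
        return False, "malformed version string"
    if new_v <= cur_v:
        return False, "not newer than installed version (rollback refused)"
    actual = hashlib.sha256(installer).hexdigest()
    expected = str(manifest.get("sha256", ""))
    # Constant-time comparison; a mismatch means the bytes received are not
    # the ones the manifest describes, e.g. a substituted installer.
    if not hmac.compare_digest(actual, expected):
        return False, "installer digest mismatch (possible substituted update)"
    return True, "ok"


# Constructed sample data for this example; not a real Java installer.
GOOD_INSTALLER = b"constructed installer payload for version 1.6.0_29"
MANIFEST = {"version": "1.6.0_29", "sha256": hashlib.sha256(GOOD_INSTALLER).hexdigest()}
```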
Solution
Do not use the "Java Update" utility.
Provided and/or discovered by
Francisco Amato, Infobyte Security Research.
Original Advisory
Infobyte Security Research:
http://blog.infobytesec.com/2011/12/pwning-java-update-process-2007-today.html