Several vulnerabilities have been discovered in Oracle Sun Java JDK, JRE and SDK. They affect the Deployment, Sound, Swing, HotSpot, Install, JAXP, 2D, JDBC, Launcher, Networking, XML Digital Signature and Security components. Remote attackers can exploit them to gain access to sensitive information, bypass security restrictions, cause a denial of service (DoS) or execute arbitrary code. For further details, readers are referred to the original advisory; all users are advised to upgrade to the latest version.
Oracle Sun Java SE and Java for Business Code Execution Vulnerabilities
VUPEN ID VUPEN/ADV-2011-0405
CVE ID CVE-2010-4422 - CVE-2010-4447 - CVE-2010-4448 - CVE-2010-4450 - CVE-2010-4451 - CVE-2010-4452 - CVE-2010-4454 - CVE-2010-4462 - CVE-2010-4463 - CVE-2010-4465 - CVE-2010-4466 - CVE-2010-4467 - CVE-2010-4468 - CVE-2010-4469 - CVE-2010-4470 - CVE-2010-4471 - CVE-2010-4472 - CVE-2010-4473 - CVE-2010-4474 - CVE-2010-4475 - CVE-2010-4476
CWE ID Available in VUPEN VNS Customer Area
CVSS V2 Available in VUPEN VNS Customer Area
Rated as Critical
Impact Available in VUPEN VNS Customer Area
Authentication Level Available in VUPEN VNS Customer Area
Access Vector Available in VUPEN VNS Customer Area
Release Date 2011-02-16
Technical Description
Multiple vulnerabilities have been identified in Oracle Sun Java JDK, JRE and SDK, which could be exploited by remote attackers or malicious users to manipulate or gain knowledge of sensitive information, bypass restrictions, cause a denial of service or compromise a vulnerable system. These issues are caused by errors in the Deployment, Sound, Swing, HotSpot, Install, JAXP, 2D, JDBC, Launcher, Networking, XML Digital Signature, and Security components.
Affected Products
Oracle Sun JDK version 6 Update 23 and prior
Oracle Sun JDK version 5.0 Update 27 and prior
Oracle Sun JRE version 6 Update 23 and prior
Oracle Sun JRE version 5.0 Update 27 and prior
Oracle Sun JRE version 1.4.2_29 and prior
Oracle Sun SDK version 1.4.2_29 and prior
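To turn the "Affected Products" list above into something a practitioner can actually run across a fleet, the following added example (not part of the VUPEN or Oracle advisory) parses the version line that `java -version` writes to stderr and compares the update number against the last affected update of each release family listed above. The sample version strings in `SAMPLES` are constructed for the example; the family thresholds are taken from the list above, and the `check_installed` helper name is my own.

```python
import re
import subprocess

# Last affected update per release family, taken from the "Affected Products" list:
# 6 Update 23 and prior, 5.0 Update 27 and prior, 1.4.2_29 and prior.
LAST_AFFECTED_UPDATE = {
    (1, 6): 23,
    (1, 5): 27,
    (1, 4): 29,
}

# First line of `java -version` output, e.g. 'java version "1.6.0_23"'.
# The update number after '_' is what distinguishes patched from unpatched builds.
VERSION_RE = re.compile(
    r'(?:java|openjdk) version "(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:_(\d+))?'
)

# Constructed sample outputs (not captured from real systems).
SAMPLES = {
    "jre6u23": 'java version "1.6.0_23"\nJava(TM) SE Runtime Environment\n',
    "jre6u24": 'java version "1.6.0_24"\nJava(TM) SE Runtime Environment\n',
    "jre5u27": 'java version "1.5.0_27"\nJava(TM) 2 Runtime Environment, Standard Edition\n',
    "jre142_30": 'java version "1.4.2_30"\nJava(TM) 2 Runtime Environment, Standard Edition\n',
    "jre7": 'java version "1.7.0"\nJava(TM) SE Runtime Environment\n',
}


def parse_java_version(output):
    """Return (major, minor, micro, update) parsed from `java -version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no Java version string found in output")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor or 0), int(micro or 0), int(update or 0))


def is_affected(output):
    """True if the version is in the affected range, False if patched,
    None if the release family is not covered by this advisory."""
    major, minor, _micro, update = parse_java_version(output)
    family = (major, minor)
    if family not in LAST_AFFECTED_UPDATE:
        return None
    return update <= LAST_AFFECTED_UPDATE[family]


def check_installed(java_binary="java"):
    """Run the local `java -version` and classify it (hypothetical helper name)."""
    proc = subprocess.run([java_binary, "-version"], capture_output=True, text=True)
    # The JVM prints its version banner to stderr, not stdout.
    return is_affected(proc.stderr or proc.stdout)


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, parse_java_version(text), is_affected(text))
```

Note that a `None` result only means the family is outside this advisory's scope; later or earlier release families need their own threshold table, and a host may carry several JREs (browser plug-ins, bundled runtimes) that `java` on the PATH does not reflect.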
Solution
Upgrade to the fixed versions (JDK/JRE 6 Update 24, JDK/JRE 5.0 Update 28, JRE/SDK 1.4.2_30 or later), as published in the Oracle Java SE Critical Patch Update of February 2011:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html
References
http://www.vupen.com/english/advisories/2011/0405
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html
http://www.zerodayinitiative.com/advisories/ZDI-11-086
http://www.zerodayinitiative.com/advisories/ZDI-11-085
http://www.zerodayinitiative.com/advisories/ZDI-11-084
http://www.zerodayinitiative.com/advisories/ZDI-11-083
http://www.zerodayinitiative.com/advisories/ZDI-11-082
Credits
Vulnerabilities reported by Afik Castiel (Versafe Anti Fraud), Billy Rios (Google), binaryproof via Tipping Point ZDI and iDefense, Dmitri Gribenko, Eduardo Vela Nava (Google), Frederic Hoguin via Tipping Point ZDI, Marc Schoenefeld (Red Hat), Peter Csepely via Tipping Point ZDI, Roee Hay (IBM Rational Application Security Research Group), Sami Koivu via Tipping Point ZDI, Stefano Di Paola (Minded Security), and Tom Hawtin.
Changelog
2011-02-16 : Initial release