| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 22 Dec 2004 12:42:04 +0100 (MEZ) From: Marc Schoenefeld <schonef@...-muenster.de> To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com Subject: Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Good day, after my bug report in april 2004 Sun fixed an issue with remote and local object serialisation. If getting a bad object package your server may become unresponsive and does not accept further requests but it does not crash. A PoC exploit showed that with a little lower socket work RMI communication is affected, too. In my opinion it is a deep concept bug (antipattern) in JDK serialisation semantics, but JDK 1.4.2_06 is only a detail fix. So chances are high that there are more bugs like this in your JDK or your application, even after an upgrade to JDK 1.4.2_06. Below is the relevant snippet from: http://classic.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57707&zone_32=category%3A%2Asecurity Happy Xmas and a great 2005 to all Marc >> Sun(sm) Alert Notification >> >> * Sun Alert ID: 57707 >> * Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability >> * Category: Security >> * Product: Java SDK and JRE >> * BugIDs: 5037001 >> * Avoidance: Upgrade >> * State: Resolved >> * Date Released: 20-Dec-2004 >> * Date Closed: 20-Dec-2004 >> * Date Modified: >> >>1. Impact >> >>A vulnerability in the Java Runtime Environment (JRE) involving object deserialization could be exploited remotely to cause the Java Virtual Machine to become unresponsive, which is a type of Denial-of-Service (DoS). This issue can affect the JRE if an application that runs on it accepts serialized data from an untrusted source. >> >>Sun acknowledges with thanks, Marc Schoenefeld, for bringing this issue to our attention. >>2. Contributing Factors >> >>This issue can occur in the following releases: >> >> * SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases for Windows, Solaris and Linux >> >>Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not affected by this issue. >> >>To determine the version of Java on a system, the following command can be run: >> >> % java -fullversion >> java full version "1.4.1_06-b01" >> >>3. Symptoms >> >>The Java Runtime Environment (JRE) is unresponsive. >>Solution Summary Top >>4. Relief/Workaround >> >>There is no workaround. Please see the "Resolution" section below. >>5. Resolution >> >>This issue is addressed in the following releases: >> >> * SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux >> >>J2SE releases are available for download at: >> >> * J2SE 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp >> * J2SE 1.4.2_06 at http://java.sun.com/j2se/1.4.2/download.html and http://java.com/ - -- Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (AIX) iD8DBQFByV2RqCaQvrKNUNQRAveDAJ4zaWiCWITLXaHuhuHSO6ARhVP12gCfbmw+ c9K0l+Ih5omDU6gsGZ8a8zU= =hJt+ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists