| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e92364c3041222061983a94c1@mail.gmail.com> From: jftucker at gmail.com (James Tucker) Subject: Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability Can this apply to the mobile or embedded VM's, and what level of DoS occurs, is it a hard processor loop or a locked VM instance? On Wed, 22 Dec 2004 12:42:04 +0100 (MEZ), Marc Schoenefeld <schonef@...-muenster.de> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Good day, > > after my bug report in april 2004 Sun fixed an issue with > remote and local object serialisation. If getting > a bad object package your server may become unresponsive and does not > accept further requests but it does not crash. A PoC exploit > showed that with a little lower socket work RMI communication > is affected, too. > > In my opinion it is a deep concept bug (antipattern) in JDK serialisation > semantics, but JDK 1.4.2_06 is only a detail fix. > So chances are high that there are more bugs like this in your JDK > or your application, even after an upgrade to JDK 1.4.2_06. > > Below is the relevant snippet from: > > http://classic.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57707&zone_32=category%3A%2Asecurity > > Happy Xmas and a great 2005 to all > Marc > > >> Sun(sm) Alert Notification > >> > >> * Sun Alert ID: 57707 > >> * Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS) > Vulnerability > >> * Category: Security > >> * Product: Java SDK and JRE > >> * BugIDs: 5037001 > >> * Avoidance: Upgrade > >> * State: Resolved > >> * Date Released: 20-Dec-2004 > >> * Date Closed: 20-Dec-2004 > >> * Date Modified: > >> > >>1. Impact > >> > >>A vulnerability in the Java Runtime Environment (JRE) involving object > deserialization could be exploited remotely to cause the Java Virtual > Machine to become unresponsive, which is a type of Denial-of-Service (DoS). > This issue can affect the JRE if an application that runs on it accepts > serialized data from an untrusted source. > >> > >>Sun acknowledges with thanks, Marc Schoenefeld, for bringing this issue to > our attention. > >>2. Contributing Factors > >> > >>This issue can occur in the following releases: > >> > >> * SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases > for Windows, Solaris and Linux > >> > >>Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not > affected by this issue. > >> > >>To determine the version of Java on a system, the following command can be > run: > >> > >> % java -fullversion > >> java full version "1.4.1_06-b01" > >> > >>3. Symptoms > >> > >>The Java Runtime Environment (JRE) is unresponsive. > >>Solution Summary Top > >>4. Relief/Workaround > >> > >>There is no workaround. Please see the "Resolution" section below. > >>5. Resolution > >> > >>This issue is addressed in the following releases: > >> > >> * SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux > >> > >>J2SE releases are available for download at: > >> > >> * J2SE 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp > >> * J2SE 1.4.2_06 at http://java.sun.com/j2se/1.4.2/download.html and > http://java.com/ > > - -- > > Never be afraid to try something new. Remember, amateurs built the > ark; professionals built the Titanic. -- Anonymous > > Marc Sch?nefeld Dipl. Wirtsch.-Inf. / Software Developer > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.6 (AIX) > > iD8DBQFByV2RqCaQvrKNUNQRAveDAJ4zaWiCWITLXaHuhuHSO6ARhVP12gCfbmw+ > c9K0l+Ih5omDU6gsGZ8a8zU= > =hJt+ > -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html >
Powered by blists - more mailing lists