[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <e92364c3041222061983a94c1@mail.gmail.com>
From: jftucker at gmail.com (James Tucker)
Subject: Java Runtime Environment Remote
Denial-of-Service (DoS) Vulnerability
Can this apply to the mobile or embedded VM's, and what level of DoS
occurs, is it a hard processor loop or a locked VM instance?
On Wed, 22 Dec 2004 12:42:04 +0100 (MEZ), Marc Schoenefeld
<schonef@...-muenster.de> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Good day,
>
> after my bug report in april 2004 Sun fixed an issue with
> remote and local object serialisation. If getting
> a bad object package your server may become unresponsive and does not
> accept further requests but it does not crash. A PoC exploit
> showed that with a little lower socket work RMI communication
> is affected, too.
>
> In my opinion it is a deep concept bug (antipattern) in JDK serialisation
> semantics, but JDK 1.4.2_06 is only a detail fix.
> So chances are high that there are more bugs like this in your JDK
> or your application, even after an upgrade to JDK 1.4.2_06.
>
> Below is the relevant snippet from:
>
> http://classic.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57707&zone_32=category%3A%2Asecurity
>
> Happy Xmas and a great 2005 to all
> Marc
>
> >> Sun(sm) Alert Notification
> >>
> >> * Sun Alert ID: 57707
> >> * Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS)
> Vulnerability
> >> * Category: Security
> >> * Product: Java SDK and JRE
> >> * BugIDs: 5037001
> >> * Avoidance: Upgrade
> >> * State: Resolved
> >> * Date Released: 20-Dec-2004
> >> * Date Closed: 20-Dec-2004
> >> * Date Modified:
> >>
> >>1. Impact
> >>
> >>A vulnerability in the Java Runtime Environment (JRE) involving object
> deserialization could be exploited remotely to cause the Java Virtual
> Machine to become unresponsive, which is a type of Denial-of-Service (DoS).
> This issue can affect the JRE if an application that runs on it accepts
> serialized data from an untrusted source.
> >>
> >>Sun acknowledges with thanks, Marc Schoenefeld, for bringing this issue to
> our attention.
> >>2. Contributing Factors
> >>
> >>This issue can occur in the following releases:
> >>
> >> * SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases
> for Windows, Solaris and Linux
> >>
> >>Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not
> affected by this issue.
> >>
> >>To determine the version of Java on a system, the following command can be
> run:
> >>
> >> % java -fullversion
> >> java full version "1.4.1_06-b01"
> >>
> >>3. Symptoms
> >>
> >>The Java Runtime Environment (JRE) is unresponsive.
> >>Solution Summary Top
> >>4. Relief/Workaround
> >>
> >>There is no workaround. Please see the "Resolution" section below.
> >>5. Resolution
> >>
> >>This issue is addressed in the following releases:
> >>
> >> * SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux
> >>
> >>J2SE releases are available for download at:
> >>
> >> * J2SE 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp
> >> * J2SE 1.4.2_06 at http://java.sun.com/j2se/1.4.2/download.html and
> http://java.com/
>
> - --
>
> Never be afraid to try something new. Remember, amateurs built the
> ark; professionals built the Titanic. -- Anonymous
>
> Marc Sch?nefeld Dipl. Wirtsch.-Inf. / Software Developer
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.6 (AIX)
>
> iD8DBQFByV2RqCaQvrKNUNQRAveDAJ4zaWiCWITLXaHuhuHSO6ARhVP12gCfbmw+
> c9K0l+Ih5omDU6gsGZ8a8zU=
> =hJt+
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists