[Full-Disclosure] Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability

From: Marc Schoenefeld (schonef_at_uni-muenster.de)
Date: 12/22/04

  • Next message: Przemyslaw Frasunek: "[Full-Disclosure] Funny Google segfault"
    Date: Wed, 22 Dec 2004 12:42:04 +0100 (MEZ)
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com

    Hash: SHA1

    Good day,

    after my bug report in april 2004 Sun fixed an issue with
    remote and local object serialisation. If getting
    a bad object package your server may become unresponsive and does not
    accept further requests but it does not crash. A PoC exploit
    showed that with a little lower socket work RMI communication
    is affected, too.

    In my opinion it is a deep concept bug (antipattern) in JDK serialisation
    semantics, but JDK 1.4.2_06 is only a detail fix.
    So chances are high that there are more bugs like this in your JDK
    or your application, even after an upgrade to JDK 1.4.2_06.

    Below is the relevant snippet from:


    Happy Xmas and a great 2005 to all

    >> Sun(sm) Alert Notification
    >> * Sun Alert ID: 57707
    >> * Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS)
    >> * Category: Security
    >> * Product: Java SDK and JRE
    >> * BugIDs: 5037001
    >> * Avoidance: Upgrade
    >> * State: Resolved
    >> * Date Released: 20-Dec-2004
    >> * Date Closed: 20-Dec-2004
    >> * Date Modified:
    >>1. Impact
    >>A vulnerability in the Java Runtime Environment (JRE) involving object
    deserialization could be exploited remotely to cause the Java Virtual
    Machine to become unresponsive, which is a type of Denial-of-Service (DoS).
    This issue can affect the JRE if an application that runs on it accepts
    serialized data from an untrusted source.
    >>Sun acknowledges with thanks, Marc Schoenefeld, for bringing this issue to
    our attention.
    >>2. Contributing Factors
    >>This issue can occur in the following releases:
    >> * SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases
    for Windows, Solaris and Linux
    >>Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not
    affected by this issue.
    >>To determine the version of Java on a system, the following command can be
    >> % java -fullversion
    >> java full version "1.4.1_06-b01"
    >>3. Symptoms
    >>The Java Runtime Environment (JRE) is unresponsive.
    >>Solution Summary Top
    >>4. Relief/Workaround
    >>There is no workaround. Please see the "Resolution" section below.
    >>5. Resolution
    >>This issue is addressed in the following releases:
    >> * SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux
    >>J2SE releases are available for download at:
    >> * J2SE 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp
    >> * J2SE 1.4.2_06 at http://java.sun.com/j2se/1.4.2/download.html and

    - --

    Never be afraid to try something new. Remember, amateurs built the
    ark; professionals built the Titanic. -- Anonymous

    Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
    Version: GnuPG v1.2.6 (AIX)

    -----END PGP SIGNATURE-----

    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

  • Next message: Przemyslaw Frasunek: "[Full-Disclosure] Funny Google segfault"

    Relevant Pages