Re: [Full-Disclosure] Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability

From: James Tucker (jftucker_at_gmail.com)
Date: 12/22/04

  • Next message: Steve Wray: "Re: [Full-Disclosure] RE: NetWare Screensaver Authentication Bypass From The Local Console"
    Date: Wed, 22 Dec 2004 14:19:52 +0000
    To: Marc Schoenefeld <schonef@uni-muenster.de>
    
    

    Can this apply to the mobile or embedded VM's, and what level of DoS
    occurs, is it a hard processor loop or a locked VM instance?

    On Wed, 22 Dec 2004 12:42:04 +0100 (MEZ), Marc Schoenefeld
    <schonef@uni-muenster.de> wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Good day,
    >
    > after my bug report in april 2004 Sun fixed an issue with
    > remote and local object serialisation. If getting
    > a bad object package your server may become unresponsive and does not
    > accept further requests but it does not crash. A PoC exploit
    > showed that with a little lower socket work RMI communication
    > is affected, too.
    >
    > In my opinion it is a deep concept bug (antipattern) in JDK serialisation
    > semantics, but JDK 1.4.2_06 is only a detail fix.
    > So chances are high that there are more bugs like this in your JDK
    > or your application, even after an upgrade to JDK 1.4.2_06.
    >
    > Below is the relevant snippet from:
    >
    > http://classic.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57707&zone_32=category%3A%2Asecurity
    >
    > Happy Xmas and a great 2005 to all
    > Marc
    >
    > >> Sun(sm) Alert Notification
    > >>
    > >> * Sun Alert ID: 57707
    > >> * Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS)
    > Vulnerability
    > >> * Category: Security
    > >> * Product: Java SDK and JRE
    > >> * BugIDs: 5037001
    > >> * Avoidance: Upgrade
    > >> * State: Resolved
    > >> * Date Released: 20-Dec-2004
    > >> * Date Closed: 20-Dec-2004
    > >> * Date Modified:
    > >>
    > >>1. Impact
    > >>
    > >>A vulnerability in the Java Runtime Environment (JRE) involving object
    > deserialization could be exploited remotely to cause the Java Virtual
    > Machine to become unresponsive, which is a type of Denial-of-Service (DoS).
    > This issue can affect the JRE if an application that runs on it accepts
    > serialized data from an untrusted source.
    > >>
    > >>Sun acknowledges with thanks, Marc Schoenefeld, for bringing this issue to
    > our attention.
    > >>2. Contributing Factors
    > >>
    > >>This issue can occur in the following releases:
    > >>
    > >> * SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases
    > for Windows, Solaris and Linux
    > >>
    > >>Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not
    > affected by this issue.
    > >>
    > >>To determine the version of Java on a system, the following command can be
    > run:
    > >>
    > >> % java -fullversion
    > >> java full version "1.4.1_06-b01"
    > >>
    > >>3. Symptoms
    > >>
    > >>The Java Runtime Environment (JRE) is unresponsive.
    > >>Solution Summary Top
    > >>4. Relief/Workaround
    > >>
    > >>There is no workaround. Please see the "Resolution" section below.
    > >>5. Resolution
    > >>
    > >>This issue is addressed in the following releases:
    > >>
    > >> * SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux
    > >>
    > >>J2SE releases are available for download at:
    > >>
    > >> * J2SE 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp
    > >> * J2SE 1.4.2_06 at http://java.sun.com/j2se/1.4.2/download.html and
    > http://java.com/
    >
    > - --
    >
    > Never be afraid to try something new. Remember, amateurs built the
    > ark; professionals built the Titanic. -- Anonymous
    >
    > Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.6 (AIX)
    >
    > iD8DBQFByV2RqCaQvrKNUNQRAveDAJ4zaWiCWITLXaHuhuHSO6ARhVP12gCfbmw+
    > c9K0l+Ih5omDU6gsGZ8a8zU=
    > =hJt+
    > -----END PGP SIGNATURE-----
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Steve Wray: "Re: [Full-Disclosure] RE: NetWare Screensaver Authentication Bypass From The Local Console"

    Relevant Pages