
HTTP Sun Java Calendar Deserialization Priv Escalation

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects a security vulnerability in JRE.

Additional Information

Sun Java Runtime Environment (JRE) allows users to run Java applications.

JRE and Sun Java Development Kit are prone to multiple security vulnerabilities:

1. JRE creates temporary files in an insecure manner. Attackers can exploit this issue to write arbitrary JAR files and perform restricted actions on the affected computer. The issue is tracked in Sun Alert ID 244986 and CVE-2008-5360.

2. Multiple buffer-overflow vulnerabilities occur when JRE handles GIF images (CR 6766136) and processes fonts (CRs 6733336 and 6751322). The issues stem from heap overflows in the AWT library and may allow attackers to execute arbitrary code. The issues occur when a custom image model is used for the source 'Raster' during a conversion through a 'ConvolveOp' operation. These issues are tracked in Sun Alert ID 244987, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358, and CVE-2008-5359.

3. A security-bypass weakness is present because the 'Java Update' mechanism of JRE fails to check the digital signatures of updates before installing them. This may allow attackers to install a malicious file on the affected computer by performing DNS-spoofing attacks. The issue is tracked in Sun Alert ID 244989 and CVE-2008-5355.

4. A buffer-overflow vulnerability in JRE occurs when a malicious application is launched through the command line. Attackers can exploit this to run untrusted applets with the privileges of the user launching the malicious application. The issue is tracked in Sun Alert ID 244990 and CVE-2008-5354.

5. A security vulnerability in JRE may allow an untrusted applet or application to elevate privileges to the privileges of the user running the malicious application. The issue presents itself when deserializing the 'sun.util.calendar.ZoneInfo' calendar object. An attacker can get a ZoneInfo object deserialized in a privileged context by deserializing a calendar. The issue is tracked in Sun Alert ID 244991 and CVE-2008-5353.

6. A buffer-overflow vulnerability occurs in JRE and Java Web Start when unpacking applets and using the 'unpack200' JAR unpacking utility. Attackers can exploit this to run untrusted applets with the privileges of the user running the malicious application. The issue is tracked in Sun Alert ID 244992 and CVE-2008-5352.

7. A weakness in the JRE UTF-8 (Unicode Transformation Format-8) decoder occurs because it accepts encodings that are longer than the 'shortest' form. Attackers may exploit this issue to trick applications using the decoder into accepting invalid input. The issue is tracked in Sun Alert ID 245246 and CVE-2008-5351.

8. An information-disclosure vulnerability may allow attackers to use an untrusted applet or an application to list the contents of the home directory of the user running the applet or application. The issue is tracked in Sun Alert ID 246266 and CVE-2008-5350.

9. A denial-of-service vulnerability occurs because JRE improperly handles certain RSA public keys provided by remote clients of Java applications. The issue is tracked in Sun Alert ID 246286 and CVE-2008-5349.

10. A denial-of-service vulnerability occurs because of the way JRE authenticates users through Kerberos. Attackers may exploit this to exhaust operating system resources and deny service to legitimate users. The issue is tracked in Sun Alert ID 246346 and CVE-2008-5348.

11. Multiple security vulnerabilities in the JAX-WS and JAXB packages in JRE may allow untrusted applets to perform actions with elevated privileges. These issues are tracked in Sun Alert ID 246366 and CVE-2008-5347.

12. A security-bypass vulnerability occurs because code loaded from the local filesystem is allowed to access localhost. This may be used in attacks violating the same-origin policy. The issue is tracked in Sun Alert ID 246387 and CVE-2008-5345.

13. An information-disclosure vulnerability in JRE when parsing zip files may allow an untrusted applet or an application to gain read access to arbitrary memory locations in the context of the process they are running in. The issue is tracked in Sun Alert ID 246386 and CVE-2008-5346.
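
The shortest-form rule behind item 7, as an added Python example (not code from the advisory or from the JRE): a small decoder whose `strict=False` mode omits the check and whose default mode enforces it. The function names and the sample bytes are constructed for illustration.

```python
# Smallest code point that legitimately needs a sequence of each length.
MIN_FOR_LENGTH = {1: 0x00, 2: 0x80, 3: 0x800, 4: 0x10000}

# Constructed sample: '/' (U+002F) encoded in two bytes instead of one.
OVERLONG_SLASH = b"a\xc0\xafb"


def sequence_length(lead):
    """Return the sequence length announced by a lead byte."""
    if lead < 0x80:
        return 1
    if 0xC0 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF7:
        return 4
    raise ValueError("invalid lead byte 0x%02x" % lead)


def decode_utf8(data, strict=True):
    """Decode UTF-8; strict=False mimics a decoder without the shortest-form check."""
    out, i = [], 0
    while i < len(data):
        n = sequence_length(data[i])
        if i + n > len(data):
            raise ValueError("truncated sequence at offset %d" % i)
        # Payload bits of the lead byte: 7 for ASCII, then 5, 4, 3.
        cp = data[i] if n == 1 else data[i] & (0xFF >> (n + 1))
        for b in data[i + 1:i + n]:
            if b & 0xC0 != 0x80:
                raise ValueError("bad continuation byte at offset %d" % i)
            cp = (cp << 6) | (b & 0x3F)
        if strict:
            if cp < MIN_FOR_LENGTH[n]:
                raise ValueError("overlong encoding at offset %d" % i)
            if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
                raise ValueError("invalid code point at offset %d" % i)
        out.append(chr(cp))
        i += n
    return "".join(out)
```

The sample contains no `0x2F` byte, so a byte-level filter applied before decoding never sees the `/` that the lenient mode produces; validation belongs after a strict decode.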

Note that Sun Alert ID 244988 is described in BID 32620 (Sun Java Web Start and Java Plug-in Multiple Privilege Escalation Vulnerabilities).

Successful exploits of these issues may result in a compromise of affected computers.

These issues affect versions *prior to* the following:

JDK and JRE 6 Update 11
JDK and JRE 5.0 Update 17
SDK and JRE 1.4.2_19
SDK and JRE 1.3.1_24
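
A check of an installed version string against the fixed releases listed above, as an added example that is not part of the original advisory. It assumes the legacy `1.x.y_zz` format printed by `java -version`; the name `is_affected` is illustrative.

```python
import re

# First fixed (patch, update) per release line, from the list above:
# 6 Update 11 = 1.6.0_11, 5.0 Update 17 = 1.5.0_17, 1.4.2_19, 1.3.1_24.
FIRST_FIXED = {(1, 6): (0, 11), (1, 5): (0, 17), (1, 4): (2, 19), (1, 3): (1, 24)}

# Matches e.g. '1.6.0_10' inside 'java version "1.6.0_10-b33"'.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def is_affected(text):
    """True/False for a listed release line, None if the line is not listed."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Java version string found in %r" % text)
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    update = int(m.group(4) or 0)  # "1.5.0" means no update applied
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return None  # release line not covered by this advisory's list
    # Tuple comparison: an older patch level is affected whatever its update.
    return (patch, update) < fixed
```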

Response

Updates are available. Please see the references for more information.