Privacy and Legal Notice

DOE-CIRC TECHNICAL BULLETIN

T-267: Buffer and Integer Overflow Vulnerabilities in the Java Runtime Environment

November 6, 2009 17:00 GMT
PROBLEM: A vulnerability was reported in Sun Java Runtime Environment (JRE). A remote user can access files on the target user's system. A remote user can cause arbitrary applications on the target user's system to be executed.
PLATFORM: Sun Java Runtime 6 Update 16 and prior, 5.0 Update 21 and prior, 1.4.2_23 and prior, 1.3.1_26 and prior
ABSTRACT: A remote user can create a specially crafted applet or Java Web Start application that, when loaded by the target user, will trigger a buffer or integer overflow in the processing of audio and image files to gain access to files on the target system or execute arbitrary applications residing on the target system
LINKS:  
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-267.shtml
  OTHER LINKS: Security Tracker
http://securitytracker.com/alerts/2009/Nov/1023132.html

IMPACT ASSESSMENT: This risk is medium. A remote user can create a Java applet or Java Web Start application that, when loaded by the target user, will access files or execute arbitrary applications on the target user's system. 
Discussion:
Multiple buffer and integer overflow vulnerabilities in the Java Runtime Environment with processing audio and image files may allow an untrusted applet or Java Web Start application to escalate privileges. For example, an untrusted applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Vulnerable:
Java SE for Windows, Solaris, and Linux:

    * JDK and JRE 6 Update 16 and earlier
    * JDK and JRE 5.0 Update 21 and earlier

Java SE for Solaris:

    * SDK and JRE 1.4.2_23 and earlier

Java SE for Windows:

    * SDK and JRE 1.3.1_26 and earlier

Java SE for Business for Windows, Solaris and Linux:

    * JDK and JRE 6 Update 16 and earlier
    * JDK and JRE 5.0 Update 21 and earlier
    * SDK and JRE 1.4.2_23 and earlier

Solution:
The vendor has issued a fix.

Java SE for Windows, Solaris, and Linux:

* JDK and JRE 6 Update 17 or later
* JDK and JRE 5.0 Update 22 or later

Java SE for Solaris:

* SDK and JRE 1.4.2_24 or later

Java SE for Windows:

* SDK and JRE 1.3.1_27 or later

Java SE for Business for Windows, Solaris and Linux:

* JDK and JRE 6 Update 17 or later
* JDK and JRE 5.0 Update 22 or later
* SDK and JRE 1.4.2_24 or later
DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at: 
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov
UCRL-MI-119788