(Sun Issues Fix) Re: Sun Java Runtime Environment (JRE) Bytecode Verifier Analysis Flaw Lets Remote Users Bypass Many Java Security Restrictions
|
SecurityTracker Alert ID: 1005780
|
SecurityTracker URL: http://securitytracker.com/id/1005780
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Dec 10 2002
|
Impact:
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Host/resource access via network, Modification of system information, Modification of user information, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 1.1-1.4
|
Description:
A vulnerability was reported in Sun's Java Runtime Environment (JRE). A remote user can gain access to the local file system and networking resources. On some target systems, the remote user can execute arbitrary code.
The Last Stage of Delirium reported that there is a flaw in the Bytecode Verifier. A remote user can reportedly create new instances of objects without calling the proper initialization method (super or this) from within the constructor of the created class.
A remote user can supply code where the invocation of a superclass constructor does not occur, but where the Bytecode Verifier incorrectly interprets the invocation as having occurred. The virtual machine apparently does not track the actual execution of the method, but rather, analyzes the bytecode instruction stream. So, a remote user can create Java code that will result in bytecode instructions that will trick the analysis. According to the report, this flaw can be exploited by the remote user to construct partially initialized Class Loader objects.
For additional information on this flaw, see the original report at:
http://lsd-pl.net/java_security.html
|
Impact:
A remote user can gain read and write access to the target user's file system.
A remote user can bypass Java network access restrictions and gain access to networking functions (e.g., socket, bind, listen, accept, and connect calls) on a target user's system.
On Microsoft Windows-based systems, a remote user can execute arbitrary code on a target user's system.
|
Solution:
Sun has issued the following fixes:
Windows Production Releases
  SDK and JRE 1.4.1_01 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.4.0_03 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.3.1_06 http://java.sun.com/j2se/1.3/ or later
  SDK and JRE 1.2.2_014 http://java.sun.com/j2se/1.2/ or later
Solaris OE Reference Releases
  SDK and JRE 1.2.2_014 http://java.sun.com/j2se/1.2/ or later
Solaris OE Production Releases
  SDK and JRE 1.4.1_01 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.4.0_03 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.3.1_06 http://java.sun.com/j2se/1.3/ or later
  SDK and JRE 1.2.2_14 http://java.sun.com/j2se/1.2/ or later
Linux Production Releases
  SDK and JRE 1.4.1_01 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.4.0_03 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.3.1_06 http://java.sun.com/j2se/1.3/ or later
  SDK and JRE 1.2.2_014 http://java.sun.com/j2se/1.2/ or later
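To check an inventory against these fix levels, the following added example (not part of the advisory or of Sun's alert) classifies the first line of `java -version` output using the fixed updates above and the vulnerable releases Sun lists in the source message. It treats all platforms alike and reads "or later" as covering release families newer than 1.4.1; both are assumptions, and the host names and sample lines are constructed.

```python
import re

# Minimum fixed update per release family, taken from the advisory's fix list.
FIXED_UPDATE = {(1, 4, 1): 1, (1, 4, 0): 3, (1, 3, 1): 6, (1, 2, 2): 14}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def classify(version_text):
    """Return 'vulnerable', 'fixed' or 'unknown' for a JRE/SDK version string."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unknown"
    major, minor, micro = (int(g) for g in m.group(1, 2, 3))
    update = int(m.group(4) or 0)          # "1.4.1" with no suffix is update 0
    family = (major, minor, micro)

    if (major, minor) == (1, 1):
        # JDK and JRE 1.1.x: listed as vulnerable (Windows and Solaris
        # production releases); the advisory names no fixed 1.1 build.
        return "vulnerable"
    if family in FIXED_UPDATE:
        return "fixed" if update >= FIXED_UPDATE[family] else "vulnerable"
    if family == (1, 3, 0):
        # Listed as vulnerable through _05; the advisory names no 1.3.0 fix.
        return "vulnerable" if update <= 5 else "unknown"
    if family > (1, 4, 1):
        return "fixed"                     # assumption: covered by "or later"
    return "unknown"                       # release the advisory does not mention


def audit(inventory):
    """Map each host to a status; inventory is {host: first line of java -version}."""
    return {host: classify(line) for host, line in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE = {
    "build01": 'java version "1.4.0_02"',
    "web02": 'java version "1.4.1_01"',
    "legacy03": 'java version "1.1.8"',
    "kiosk04": 'java version "1.2.2_013"',
    "dev05": 'java version "1.3.0_06"',
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

An "unknown" result means the advisory does not say either way, so the host needs manual review rather than being counted as patched.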
|
Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F49304
|
Cause:
State error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Tue, 10 Dec 2002 02:38:41 -0500
Subject: Sun Alert
|
Sun issued Sun Alert #49304 warning of a flaw in Sun's Java Virtual Machine. According to
the report, a flaw in the Java Bytecode Verifier may allow Java code to create new
instances of objects without calling the proper initialization method from within the
constructor of the created class.
Sun credits the LSD Research Group with reporting this flaw.
According to Sun, the following releases are vulnerable:
Windows Production Releases
  SDK and JRE 1.4.1
  SDK and JRE 1.4.0_02 and earlier
  SDK and JRE 1.3.1_05 and earlier
  SDK and JRE 1.3.0_05 and earlier
  SDK and JRE 1.2.2_013 and earlier
  JDK and JRE 1.1.x
Solaris Operating Environment (OE) Reference Releases
  SDK and JRE 1.2.2_013 or earlier
Solaris OE Production Releases
  SDK and JRE 1.4.1
  SDK and JRE 1.4.0_02 and earlier
  SDK and JRE 1.3.1_05 and earlier
  SDK and JRE 1.3.0_05 and earlier
  SDK and JRE 1.2.2_13 and earlier
  JDK and JRE 1.1.x
Linux Production Releases
  SDK and JRE 1.4.1
  SDK and JRE 1.4.0_02 and earlier
  SDK and JRE 1.3.1_05 and earlier
  SDK and JRE 1.3.0_05 and earlier
  SDK and JRE 1.2.2_013 and earlier
Sun has released the following fixes:
Windows Production Releases
  SDK and JRE 1.4.1_01 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.4.0_03 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.3.1_06 http://java.sun.com/j2se/1.3/ or later
  SDK and JRE 1.2.2_014 http://java.sun.com/j2se/1.2/ or later
Solaris OE Reference Releases
  SDK and JRE 1.2.2_014 http://java.sun.com/j2se/1.2/ or later
Solaris OE Production Releases
  SDK and JRE 1.4.1_01 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.4.0_03 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.3.1_06 http://java.sun.com/j2se/1.3/ or later
  SDK and JRE 1.2.2_14 http://java.sun.com/j2se/1.2/ or later
Linux Production Releases
  SDK and JRE 1.4.1_01 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.4.0_03 http://java.sun.com/j2se/1.4/ or later
  SDK and JRE 1.3.1_06 http://java.sun.com/j2se/1.3/ or later
  SDK and JRE 1.2.2_014 http://java.sun.com/j2se/1.2/ or later
-----
Sun Alert ID: 49304
Synopsis: Java VM Allows Constructors not to Call Other Constructors
Category: Security
Product: Java JRE/SDK
BugIDs: 4243535
Avoidance: Upgrade
State: Resolved
Date Released: 09-Dec-2002
Date Closed: 09-Dec-2002
Date Modified: