Java Runtime Environment LDAP Implementation Bugs Let Remote Users Deny Service and Execute Arbitrary Code
SecurityTracker Alert ID: 1021893
SecurityTracker URL: http://securitytracker.com/id/1021893
CVE Reference: CVE-2009-1093, CVE-2009-1094
Updated: Mar 26 2009
Original Entry Date: Mar 25 2009
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Prior to 5.0 Update 18 and 6 Update 13
Description:
Two vulnerabilities were reported in Sun Java Runtime Environment (JRE). A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions.
A remote LDAP server can send specially crafted data to trigger a flaw in the LDAP client implementation and execute arbitrary code on the target client [CVE-2009-1094].
A remote client can send specially crafted data to trigger a flaw in the initialization of LDAP connections to cause the target LDAP service to stop responding [CVE-2009-1093].
Impact:
A remote LDAP server can execute arbitrary code on the target client.
A remote user can cause the target LDAP service to stop responding.
Solution:
The vendor has issued the following fixes.
* JDK and JRE 6 Update 13 or later
* JDK and JRE 5.0 Update 18 or later
and in the following Java SE for Business release for Windows, Solaris, and Linux:
* SDK and JRE 1.4.2_20 or later
and in the following Java SE release for Windows and Solaris:
* SDK and JRE 1.3.1_25 or later
Java SE releases are available at:
JDK and JRE 6 Update 13:
* http://java.sun.com/javase/downloads/index.jsp
JRE 6 Update 13:
* http://java.com/
* Through the Java Update tool for Microsoft Windows users
JDK 6 Update 13 for Solaris is available in the following patches:
* Java SE 6: update 13 (as delivered in patch 125136-14)
* Java SE 6: update 13 (as delivered in patch 125137-14 (64bit))
* Java SE 6_x86: update 13 (as delivered in patch 125138-14)
* Java SE 6_x86: update 13 (as delivered in patch 125139-14 (64bit))
JDK and JRE 5.0 Update 18:
* http://java.sun.com/javase/downloads/index_jdk5.jsp
JDK 5.0 Update 18 for Solaris is available in the following patches:
* J2SE 5.0: update 18 (as delivered in patch 118666-19)
* J2SE 5.0: update 18 (as delivered in patch 118667-19 (64bit))
* J2SE 5.0_x86: update 18 (as delivered in patch 118668-19)
* J2SE 5.0_x86: update 18 (as delivered in patch 118669-19 (64bit))
Java SE for Business releases are available at:
* http://www.sun.com/software/javaseforbusiness/getit_download.jsp
The vendor's advisory is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-254569-1
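A check against the fixed releases listed in the Solution section, as an added example (not part of the advisory or of any vendor tooling): it parses a `java.version` string or `java -version` banner and reports whether the installed update is below the fixed level for its release family. The host names and banners in `SAMPLE_INVENTORY` are constructed, and release families the advisory does not list are reported as `not-listed`.

```python
import re

# Fixed update level per release family, from the Solution section of this advisory.
FIXED_UPDATE = {
    (1, 6, 0): 13,  # JDK and JRE 6 Update 13
    (1, 5, 0): 18,  # JDK and JRE 5.0 Update 18
    (1, 4, 2): 20,  # SDK and JRE 1.4.2_20
    (1, 3, 1): 25,  # SDK and JRE 1.3.1_25
}

# Matches legacy version strings such as 1.6.0_12 or 1.5.0 (no update suffix).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_version(text):
    """Return ((major, minor, micro), update) from a version string or banner line."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no Java version found in %r" % text)
    family = tuple(int(part) for part in m.group(1, 2, 3))
    return family, int(m.group(4) or 0)


def classify(text):
    """Return 'missing-fix', 'fixed', or 'not-listed' (family not in the advisory)."""
    family, update = parse_version(text)
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return "not-listed"
    return "fixed" if update >= fixed else "missing-fix"


# Constructed sample inventory: (host, version banner) pairs, not real systems.
SAMPLE_INVENTORY = [
    ("app01", 'java version "1.6.0_12"'),
    ("app02", 'java version "1.6.0_13"'),
    ("ldap-gw", 'java version "1.5.0_17"'),
    ("legacy1", 'java version "1.4.2_20"'),
    ("build7", 'java version "1.7.0_01"'),
]


def hosts_missing_fix(inventory):
    """Return the hosts whose JRE is older than the fixed update for its family."""
    return [host for host, banner in inventory if classify(banner) == "missing-fix"]


if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY:
        print(host, classify(banner))
```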
Vendor URL: sunsolve.sun.com/search/document.do?assetkey=1-66-254569-1
Cause: Not specified
Underlying OS: Linux (Any), UNIX (Solaris - SunOS), Windows (Any)
Source Message Contents
Date: Wed, 25 Mar 2009 07:30:55 -0500
Subject: http://sunsolve.sun.com/search/document.do?assetkey=1-66-254569-1
Sun Java