Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability
From: Marc Schoenefeld <schonef () uni-muenster de>
Date: Wed, 22 Dec 2004 12:42:04 +0100 (MEZ)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good day,

after my bug report in april 2004 Sun fixed an issue with
remote and local object serialisation. If getting
a bad object package your server may become unresponsive and does not
accept further requests but it does not crash. A PoC exploit
showed that with a little lower socket work RMI communication
is affected, too.

In my opinion it is a deep concept bug (antipattern) in JDK serialisation
semantics, but JDK 1.4.2_06 is only a detail fix.
So chances are high that there are more bugs like this in your JDK
or your application, even after an upgrade to JDK 1.4.2_06.

Below is the relevant snippet from:

http://classic.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57707&zone_32=category%3A%2Asecurity

Happy Xmas and a great 2005 to all
Marc


Sun(sm) Alert Notification

   * Sun Alert ID: 57707
   * Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS)
Vulnerability
   * Category: Security
   * Product: Java SDK and JRE
   * BugIDs: 5037001
   * Avoidance: Upgrade
   * State: Resolved
   * Date Released: 20-Dec-2004
   * Date Closed: 20-Dec-2004
   * Date Modified:

1. Impact

A vulnerability in the Java Runtime Environment (JRE) involving object
deserialization could be exploited remotely to cause the Java Virtual
Machine to become unresponsive, which is a type of Denial-of-Service (DoS).
This issue can affect the JRE if an application that runs on it accepts
serialized data from an untrusted source.

Sun acknowledges with thanks, Marc Schoenefeld, for bringing this issue to
our attention.
2. Contributing Factors

This issue can occur in the following releases:

   * SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases
for Windows, Solaris and Linux

Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not
affected by this issue.

To determine the version of Java on a system, the following command can be
run:

   % java -fullversion
   java full version "1.4.1_06-b01"

3. Symptoms

The Java Runtime Environment (JRE) is unresponsive.
Solution Summary      Top
4. Relief/Workaround

There is no workaround. Please see the "Resolution" section below.
5. Resolution

This issue is addressed in the following releases:

   * SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux

J2SE releases are available for download at:

   * J2SE 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp
   * J2SE 1.4.2_06 at http://java.sun.com/j2se/1.4.2/download.html and
http://java.com/











- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (AIX)

iD8DBQFByV2RqCaQvrKNUNQRAveDAJ4zaWiCWITLXaHuhuHSO6ARhVP12gCfbmw+
c9K0l+Ih5omDU6gsGZ8a8zU=
=hJt+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]