
WebStart

CVE-2008-2086: Java Web Start File Inclusion via System Properties Override

                         Security Advisory


- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: Java Web Start File Inclusion via System Properties Override
 Release Date: 2008-12-03
  Application: Sun Java Runtime Environment / Java Web Start
     Versions: See below
     Severity: High
       Author: Timothy D. Morgan <tmorgan {a} vsecurity.com>

iDefense Security Advisory 12.04.08: Sun Java Web Start GIF Decoding Memory Corruption Vulnerability

http://labs.idefense.com/intelligence/vulnerabilities/
Dec 02, 2008

I. BACKGROUND

Java Web Start (JWS) is a framework built by Sun that is used to run
Java applications outside of the browser. It is distributed with the
Java Runtime Environment (JRE) installation. JWS is typically launched
by clicking on a link in the browser, and results in a separate process
being started that is not tied to the JVM inside of the browser. A file
contains various parameters that describe the Java application to be

[ GLSA 200804-20 ] Sun JDK/JRE: Multiple vulnerabilities

Multiple vulnerabilities have been discovered in Sun Java:

* Daniel Soeder discovered that a long codebase attribute string in a
  JNLP file will overflow a stack variable when launched by Java
  WebStart (CVE-2007-3655).

* Multiple vulnerabilities (CVE-2007-2435, CVE-2007-2788,
  CVE-2007-2789) that were previously reported as GLSA 200705-23 and
  GLSA 200706-08 also affect 1.4 and 1.6 SLOTs, which was not mentioned
  in the initial revision of said GLSAs.

iDefense Security Advisory 03.26.09: Sun Java Web Start (JWS) PNG Decoding Integer Overflow Vulnerability

http://labs.idefense.com/intelligence/vulnerabilities/
Mar 25, 2009

I. BACKGROUND

Java Web Start (JWS) is a framework built by Sun that is used to run
Java applications outside of the browser. It is distributed with the
Java Runtime Environment (JRE) installation. JWS is typically launched
by clicking on a link in the browser and results in a separate process
being started that is not tied to the JVM inside the browser. In order
to accomplish this, the Java Network Launching Protocol (JNLP) is used

iDefense Security Advisory 03.26.09: Sun Java Web Start (JWS) GIF Decoding Heap Corruption Vulnerability

http://labs.idefense.com/intelligence/vulnerabilities/
Mar 25, 2009

I. BACKGROUND

Java Web Start (JWS) is a framework built by Sun that is used to run
Java applications outside of the browser. It is distributed with the
Java Runtime Environment (JRE) installation. JWS is typically launched
by clicking on a link in the browser and results in a separate process
being started that is not tied to the JVM inside the browser. In order
to accomplish this, the Java Network Launching Protocol (JNLP) is used

[ MDVSA-2011:126 ] java-1.6.0-openjdk

 java-1.6.0-openjdk:
 
 Unspecified vulnerability in the Java Runtime Environment (JRE)
 component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update 29
 and earlier, and 1.4.2_31 and earlier allows remote untrusted Java
 Web Start applications and untrusted Java applets to affect integrity
 via unknown vectors related to Deserialization (CVE-2011-0865).
 
 Multiple unspecified vulnerabilities in the Java Runtime Environment
 (JRE) component in Oracle Java SE 6 Update 25 and earlier, 5.0 Update
 29 and earlier, and 1.4.2_31 and earlier allow remote attackers

[ MDVSA-2009:209 ] java-1.6.0-openjdk

 recommendation specifies an HMAC truncation length (HMACOutputLength)
 but does not require a minimum for its length, which allows attackers
 to spoof HMAC-based signatures and bypass authentication by specifying
 a truncation length with a small number of bits (CVE-2009-0217).
 
 The Java Web Start framework does not properly check the trust of
 all application jar files, and this allows context-dependent attackers
 to execute arbitrary code via a crafted application, related to NetX
 (CVE-2009-1896).
 
 Some variables and data structures without the final

[ MDVSA-2011:054 ] java-1.6.0-openjdk

 (CVE-2010-4351).
 
 Unspecified vulnerability in the Java Runtime Environment (JRE)
 in Oracle Java SE and Java for Business 6 Update 23 and earlier,
 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote
 untrusted Java Web Start applications and untrusted Java applets to
 affect integrity via unknown vectors related to Networking. NOTE: the
 previous information was obtained from the February 2011 CPU. Oracle
 has not commented on claims from a downstream vendor that this issue
 involves DNS cache poisoning by untrusted applets. (CVE-2010-4448)
 

ZDI-09-050: Sun Java Web Start JPEG Header Parsing Integer Overflow Vulnerability

ZDI-09-050: Sun Java Web Start JPEG Header Parsing Integer Overflow
Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-050
August 5, 2009

-- Affected Vendors:
Sun Microsystems

-- Affected Products:
Sun Microsystems Java Runtime

JAVA web start arbitrary command-line injection - "-XXaltjvm" arbitrary dll loading (0day)

Bye bye my little 0day :(, Tavis Ormandy did a great job uncovering a
big logic flaw within Java JRE. I discovered that bug and another that
affects every browser a few weeks ago and I posted the common "0day++" tweet.

The method in which Java Web Start support has been added to the JRE is
no less than a deliberately embedded backdoor (I really don't think so)
or a flagrant case of extreme negligence (+1).
It's even more incredible that Sun didn't assess the real risk of this
flaw after Tavis reported it to them.


[SECURITY] [DSA 1769-1] New openjdk-6 packages fix arbitrary code execution

(CVE-2009-1094).

The HTTP server implementation (sun.net.httpserver) contained an
unspecified denial of service vulnerability (CVE-2009-1101).

Several issues in Java Web Start have been addressed (CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098).  The Debian packages
currently do not support Java Web Start, so these issues are not
directly exploitable, but the relevant code has been updated
nevertheless.


ZDI-08-009: Java Web Start tempbuff Stack Buffer Overflow

ZDI-08-009: Java Web Start tempbuff Stack Buffer Overflow
http://www.zerodayinitiative.com/advisories/ZDI-08-009
March 12, 2008

-- CVE ID:
CVE-2008-1188

-- Affected Vendors:
Sun Microsystems


ZDI-11-086: Oracle Java Webstart Trusted JNLP Extension Remote Code Execution Vulnerability

ZDI-11-086: Oracle Java Webstart Trusted JNLP Extension Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-086

February 15, 2011

-- CVE ID:
CVE-2010-4463

-- CVSS:

ZDI-08-010: Java Web Start encoding Stack Buffer Overflow

ZDI-08-010: Java Web Start encoding Stack Buffer Overflow
http://www.zerodayinitiative.com/advisories/ZDI-08-010
March 12, 2008

-- CVE ID:
CVE-2008-1188

-- Affected Vendors:
Sun Microsystems


ZDI-08-081: Sun Java Web Start and Applet Multiple Sandbox Bypass Vulnerabilities

ZDI-08-081: Sun Java Web Start and Applet Multiple Sandbox Bypass 
Vulnerabilities
http://www.zerodayinitiative.com/advisories/ZDI-08-081
December 4, 2008

-- Affected Vendors:
Sun Microsystems

-- Affected Products:
Sun Microsystems Java Runtime

ZDI-09-077: Sun Java Web Start Arbitrary Command Execution Vulnerability

ZDI-09-077: Sun Java Web Start Arbitrary Command Execution Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-077
November 4, 2009

-- Affected Vendors:
Sun Microsystems

-- Affected Products:
Sun Microsystems Java Runtime


ZDI-08-042: Sun Java Web Start Sandbox Bypass Vulnerability

ZDI-08-042: Sun Java Web Start Sandbox Bypass Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-042
July 17, 2008

-- Affected Vendors:
Sun Microsystems

-- Affected Products:
Sun Microsystems Java Runtime


ZDI-08-043: Sun Java Web Start vm args Stack Buffer Overflow

ZDI-08-043: Sun Java Web Start vm args Stack Buffer Overflow
http://www.zerodayinitiative.com/advisories/ZDI-08-043
July 17, 2008

-- Affected Vendors:
Sun Microsystems

-- Affected Products:
Sun Microsystems Java Runtime


[ GLSA 200804-28 ] JRockit: Multiple vulnerabilities

Impact
======

A remote attacker could entice a user to run a specially crafted applet
on a website or start an application in Java Web Start to execute
arbitrary code outside of the Java sandbox and of the Java security
restrictions with the privileges of the user running Java. The attacker
could also obtain sensitive information, create, modify, rename and
read local files, execute local applications, establish connections in
the local network, bypass the same origin policy, and cause a Denial of

Re: Security-Assessment.com Advisory: Oracle JRE - java.net.URLConnection class - Same-of-Origin (SOP) Policy Bypass

On 10/20/2010 10:11 PM, Roberto Suggi Liverani wrote:
<snip />
>  
> In Java SE 6 update 10, both the Java Web Start and Java Plug-In
> technologies contain preliminary support for cross-domain policy
> files, which specify how unsigned code may access web services on the
> Internet. The crossdomain.xml policy file is hosted on a given server
> and allows either selected clients, or clients from anywhere, to
> connect to that server. Cross-domain policy files make accessing web

[ GLSA 200806-11 ] IBM JDK/JRE: Multiple vulnerabilities

Impact
======

A remote attacker could entice a user to run a specially crafted applet
on a website or start an application in Java Web Start to execute
arbitrary code outside of the Java sandbox and of the Java security
restrictions with the privileges of the user running Java. The attacker
could also obtain sensitive information, create, modify, rename and
read local files, execute local applications, establish connections in
the local network, bypass the same origin policy, and cause a Denial of

[ GLSA 200911-02 ] Sun JDK/JRE: Multiple vulnerabilities

Impact
======

A remote attacker could entice a user to open a specially crafted JAR
archive, applet, or Java Web Start application, possibly resulting in
the execution of arbitrary code with the privileges of the user running
the application. Furthermore, a remote attacker could cause a Denial of
Service affecting multiple services via several vectors, disclose
information and memory contents, write or execute local files, conduct
session hijacking attacks via GIFAR files, steal cookies, bypass the

Java Web start vulnerability

Hi,
 There is a vulnerability in Java Web Start. There are already some vulnerabilities posted for the PersistenceService service of Java Web Start. But in BasicService we can also run any file on the client using the showDocument method. Just give the URL of a file on the client computer. If the browser has software attached to run that file type, it will be run automatically without the user's knowledge.
Regards
Varun Srivastava



ZDI-11-192: Oracle Java Web Start Command Argument Injection Remote Code Execution Vulnerability

ZDI-11-192: Oracle Java Web Start Command Argument Injection Remote Code Execution Vulnerability

http://www.zerodayinitiative.com/advisories/ZDI-11-192

June 8, 2011

-- CVE ID:
CVE-2011-0863

-- CVSS:



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
