[gentoo-announce] [ GLSA 200503-28 ] Sun Java: Web Start argument injection vulnerability - gentoo-announce

From:	Thierry Carrez <koon@g.o>
To:	gentoo-announce@××××××××××××.org
Cc:	bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject:	[gentoo-announce] [ GLSA 200503-28 ] Sun Java: Web Start argument injection vulnerability
Date:	Thu, 24 Mar 2005 21:36:21
Message-Id:	`424332CD.8010809@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200503-28

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: Sun Java: Web Start argument injection vulnerability

9

      Date: March 24, 2005

10

      Bugs: #85804

11

        ID: 200503-28

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

Java Web Start JNLP files can be abused to evade sandbox restriction

19

and execute arbitrary code.

20

21

Background

22

==========

23

24

Sun provides implementations of Java Development Kits (JDK) and Java

25

Runtime Environments (JRE). These implementations provide the Java Web

26

Start technology that can be used for easy client-side deployment of

27

Java applications.

28

29

Affected packages

30

=================

31

32

    -------------------------------------------------------------------

33

     Package               /  Vulnerable  /                 Unaffected

34

    -------------------------------------------------------------------

35

  1  dev-java/sun-jdk         < 1.4.2.07                   >= 1.4.2.07

36

                                                               < 1.4.2

37

  2  dev-java/sun-jre-bin     < 1.4.2.07                   >= 1.4.2.07

38

                                                               < 1.4.2

39

    -------------------------------------------------------------------

40

     2 affected packages on all of their supported architectures.

41

    -------------------------------------------------------------------

42

43

Description

44

===========

45

46

Jouko Pynnonen discovered that Java Web Start contains a vulnerability

47

in the way it handles property tags in JNLP files.

48

49

Impact

50

======

51

52

By enticing a user to open a malicious JNLP file, a remote attacker

53

could pass command line arguments to the Java Virtual machine, which

54

can be used to bypass the Java "sandbox" and to execute arbitrary code

55

with the permissions of the user running the application.

56

57

Workaround

58

==========

59

60

There is no known workaround at this time.

61

62

Resolution

63

==========

64

65

All Sun JDK users should upgrade to the latest version:

66

67

    # emerge --sync

68

    # emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.4.2.07"

69

70

All Sun JRE users should upgrade to the latest version:

71

72

    # emerge --sync

73

    # emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.4.2.07"

74

75

References

76

==========

77

78

  [ 1 ] Jouko Pynnonen advisory

79

        http://jouko.iki.fi/adv/ws.html

80

  [ 2 ] Sun Microsystems Alert Notification

81

        http://sunsolve.sun.com/search/document.do?assetkey=1-26-57740-1

82

83

Availability

84

============

85

86

This GLSA and any updates to it are available for viewing at

87

the Gentoo Security Website:

88

89

  http://security.gentoo.org/glsa/glsa-200503-28.xml

90

91

Concerns?

92

=========

93

94

Security is a primary focus of Gentoo Linux and ensuring the

95

confidentiality and security of our users machines is of utmost

96

importance to us. Any security concerns should be addressed to

97

security@g.o or alternatively, you may file a bug at

98

http://bugs.gentoo.org.

99

100

License

101

=======

102

103

Copyright 2005 Gentoo Foundation, Inc; referenced text

104

belongs to its owner(s).

105

106

The contents of this document are licensed under the

107

Creative Commons - Attribution / Share Alike license.

108

109

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Archives: gentoo-announce

Attachments

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200503-28
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Sun Java: Web Start argument injection vulnerability
9	Date: March 24, 2005
10	Bugs: #85804
11	ID: 200503-28
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	Java Web Start JNLP files can be abused to evade sandbox restriction
19	and execute arbitrary code.
20
21	Background
22	==========
23
24	Sun provides implementations of Java Development Kits (JDK) and Java
25	Runtime Environments (JRE). These implementations provide the Java Web
26	Start technology that can be used for easy client-side deployment of
27	Java applications.
28
29	Affected packages
30	=================
31
32	-------------------------------------------------------------------
33	Package / Vulnerable / Unaffected
34	-------------------------------------------------------------------
35	1 dev-java/sun-jdk < 1.4.2.07 >= 1.4.2.07
36	< 1.4.2
37	2 dev-java/sun-jre-bin < 1.4.2.07 >= 1.4.2.07
38	< 1.4.2
39	-------------------------------------------------------------------
40	2 affected packages on all of their supported architectures.
41	-------------------------------------------------------------------
42
43	Description
44	===========
45
46	Jouko Pynnonen discovered that Java Web Start contains a vulnerability
47	in the way it handles property tags in JNLP files.
48
49	Impact
50	======
51
52	By enticing a user to open a malicious JNLP file, a remote attacker
53	could pass command line arguments to the Java Virtual machine, which
54	can be used to bypass the Java "sandbox" and to execute arbitrary code
55	with the permissions of the user running the application.
56
57	Workaround
58	==========
59
60	There is no known workaround at this time.
61
62	Resolution
63	==========
64
65	All Sun JDK users should upgrade to the latest version:
66
67	# emerge --sync
68	# emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.4.2.07"
69
70	All Sun JRE users should upgrade to the latest version:
71
72	# emerge --sync
73	# emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.4.2.07"
74
75	References
76	==========
77
78	[ 1 ] Jouko Pynnonen advisory
79	http://jouko.iki.fi/adv/ws.html
80	[ 2 ] Sun Microsystems Alert Notification
81	http://sunsolve.sun.com/search/document.do?assetkey=1-26-57740-1
82
83	Availability
84	============
85
86	This GLSA and any updates to it are available for viewing at
87	the Gentoo Security Website:
88
89	http://security.gentoo.org/glsa/glsa-200503-28.xml
90
91	Concerns?
92	=========
93
94	Security is a primary focus of Gentoo Linux and ensuring the
95	confidentiality and security of our users machines is of utmost
96	importance to us. Any security concerns should be addressed to
97	security@g.o or alternatively, you may file a bug at
98	http://bugs.gentoo.org.
99
100	License
101	=======
102
103	Copyright 2005 Gentoo Foundation, Inc; referenced text
104	belongs to its owner(s).
105
106	The contents of this document are licensed under the
107	Creative Commons - Attribution / Share Alike license.
108
109	http://creativecommons.org/licenses/by-sa/2.0