Full Disclosure mailing list archives
Re: Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability
From: James Tucker <jftucker () gmail com>
Date: Wed, 22 Dec 2004 14:19:52 +0000
Can this apply to the mobile or embedded VMs, and what level of DoS occurs, is it a hard processor loop or a locked VM instance?

On Wed, 22 Dec 2004 12:42:04 +0100 (MEZ), Marc Schoenefeld <schonef () uni-muenster de> wrote:
Good day,

after my bug report in April 2004 Sun fixed an issue with remote and local object serialisation. If getting a bad object package your server may become unresponsive and does not accept further requests, but it does not crash. A PoC exploit showed that with a little lower socket work RMI communication is affected, too.

In my opinion it is a deep concept bug (antipattern) in JDK serialisation semantics, but JDK 1.4.2_06 is only a detail fix. So chances are high that there are more bugs like this in your JDK or your application, even after an upgrade to JDK 1.4.2_06.

Below is the relevant snippet from:
http://classic.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57707&zone_32=category%3A%2Asecurity

Happy Xmas and a great 2005 to all

Marc

Sun(sm) Alert Notification
* Sun Alert ID: 57707
* Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability
* Category: Security
* Product: Java SDK and JRE
* BugIDs: 5037001
* Avoidance: Upgrade
* State: Resolved
* Date Released: 20-Dec-2004
* Date Closed: 20-Dec-2004
* Date Modified:

1. Impact

A vulnerability in the Java Runtime Environment (JRE) involving object deserialization could be exploited remotely to cause the Java Virtual Machine to become unresponsive, which is a type of Denial-of-Service (DoS). This issue can affect the JRE if an application that runs on it accepts serialized data from an untrusted source.

Sun acknowledges with thanks, Marc Schoenefeld, for bringing this issue to our attention.

2. Contributing Factors

This issue can occur in the following releases:
* SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases for Windows, Solaris and Linux

Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not affected by this issue.

To determine the version of Java on a system, the following command can be run:

% java -fullversion
java full version "1.4.1_06-b01"

3. Symptoms

The Java Runtime Environment (JRE) is unresponsive.

4. Relief/Workaround

There is no workaround. Please see the "Resolution" section below.

5. Resolution

This issue is addressed in the following releases:
* SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux

J2SE releases are available for download at:
* J2SE 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp
* J2SE 1.4.2_06 at http://java.sun.com/j2se/1.4.2/download.html and http://java.com/

--
Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld
Dipl. Wirtsch.-Inf. / Software Developer

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
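The advisory's precondition, an application that accepts serialized data from an untrusted source, is the part a defender still controls after patching. As an added example (not code from this thread or from Sun's advisory, and using the Java 9+ ObjectInputFilter API, which did not exist for the 1.4.x releases discussed), the reader below admits only one allow-listed class and caps graph depth, reference count and stream size, so a hostile stream is rejected up front instead of tying up the JVM; the Node and Unexpected classes and the limit values are constructed for the demo.

```java
import java.io.*;

public class FilteredDeserialization {

    // Constructed sample type: the only class the receiving side expects.
    static final class Node implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value;
        final Node next;   // nested reference: each link adds one level of graph depth
        Node(int value, Node next) { this.value = value; this.next = next; }
    }

    // Constructed sample type that the receiving side never expects.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialise untrusted bytes under an allow-list plus hard graph limits.
    // Pattern: resource limits, then the allowed class name, then "!*" rejects
    // every class not matched earlier. Rejection surfaces as InvalidClassException.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=8;maxrefs=64;maxbytes=4096;" + Node.class.getName() + ";!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    static Node chain(int length) {   // builds a linked chain of the given depth
        Node n = null;
        for (int i = 0; i < length; i++) n = new Node(i, n);
        return n;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("short chain accepted: " + readFiltered(serialize(chain(3))).getClass().getSimpleName());
        try { readFiltered(serialize(chain(50))); }          // depth 50 > maxdepth=8
        catch (InvalidClassException e) { System.out.println("deep chain rejected: " + e.getMessage()); }
        try { readFiltered(serialize(new Unexpected())); }   // class not on the allow-list
        catch (InvalidClassException e) { System.out.println("unexpected class rejected: " + e.getMessage()); }
    }
}
```

The filter runs before any constructor or readObject method of the incoming class executes, which is what makes the limits effective against a stream crafted to exhaust the reader rather than to crash it.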
Current thread:
- Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability Marc Schoenefeld (Dec 22)
- Re: Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability James Tucker (Dec 22)