Sun Java JRE Deserialization Denial of Service Vulnerability

SillyDog701 Forums
Ramona
Moderator
Joined: 19 Jun 2002
Posts: 2370
Location: Midwest USA
08 Nov, 2005 1:31 am  Sun Java JRE Deserialization Denial of Service Vulnerability

SECUNIA ADVISORY ID:
SA17478
Quote:

VERIFY ADVISORY:
http://secunia.com/advisories/17478/

CRITICAL:
Less critical

IMPACT:
DoS

WHERE:
From remote

SOFTWARE:
Sun Java JRE 1.5.x / 5.x
http://secunia.com/product/4228/
Sun Java JRE 1.4.x
http://secunia.com/product/784/
Sun Java JRE 1.3.x
http://secunia.com/product/87/
Sun Java JDK 1.5.x
http://secunia.com/product/4621/
Sun Java SDK 1.3.x
http://secunia.com/product/1660/
Sun Java SDK 1.4.x
http://secunia.com/product/1661/

DESCRIPTION:
Marc Schoenefeld has reported a vulnerability in Sun Java Runtime
Environment (JRE), which can be exploited by malicious people to
cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the
handling of serialized Java objects. This can be exploited to crash
the Java Virtual Machine (JVM) via an application deserializing
objects from untrusted sources.

The vulnerability has been reported in versions 1.4.2_08, 1.4.2_09,
and 1.5.0_05. Prior versions may also be affected.

SOLUTION:
The vulnerability will reportedly be fixed by the vendor in upcoming
releases for 1.3.x, 1.4.x, and 1.5.x.

Restrict applications from deserializing objects from untrusted
sources.

PROVIDED AND/OR DISCOVERED BY:
Marc Schoenefeld

Antony
Site Admin
Joined: 18 Jun 2002
Posts: 12846
Location: Sydney, Australia
08 Nov, 2005 1:37 am  Re: Sun Java JRE Deserialization Denial of Service Vulnerability

Ramona wrote:
SECUNIA ADVISORY ID:
SA17478
Quote:
SOLUTION:
...

Restrict applications from deserializing objects from untrusted
sources.
Thanks Ramona for the heads-up.

I highly doubt Secunia's Solution is useful to most users.
How many people here know how to de-serialise objects in Java? And how many of us know how to restrict applications from doing so?

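Antony's question about how an application would actually restrict deserialization has a standard answer on the developer side: a look-ahead ObjectInputStream that checks every class descriptor in the stream against an allowlist before any object of that class is instantiated. The following is an added example, not code from the advisory, from Sun, or from anyone in this thread; the allowlist contents and the two sample inputs are assumptions made for the demo.

```java
import java.io.*;
import java.util.*;

// Added example (not from the Secunia advisory or the forum post): an
// ObjectInputStream that refuses any class not on an explicit allowlist.
// resolveClass() runs for each class descriptor before the object is built,
// so unexpected types are rejected before their readObject() logic executes.
public class SafeObjectInputStream extends ObjectInputStream {
    // Assumed allowlist for this demo; a real application lists exactly the
    // types it expects on the wire (including superclasses, e.g. Number).
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.lang.String", "java.lang.Integer", "java.lang.Number"));

    public SafeObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    // Dynamic proxy classes are never expected from an untrusted peer.
    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
        throw new InvalidClassException("proxy classes are not allowed");
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one allowed type, one that is not on the list.
        for (Object sample : new Object[] { Integer.valueOf(42), new ArrayList<String>() }) {
            try (ObjectInputStream in = new SafeObjectInputStream(
                    new ByteArrayInputStream(serialize(sample)))) {
                System.out.println("accepted: " + in.readObject());
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Later JREs (Java 9, and the 8u121 backport) add ObjectInputFilter and the jdk.serialFilter property, which enforce the same kind of allowlist without subclassing.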
Ramona
Moderator
Joined: 19 Jun 2002
Posts: 2370
Location: Midwest USA
08 Nov, 2005 1:42 am

Thanks Antony, and I agree. Feel free to delete if you wish. I was just reading about serializing, and it's definitely over my head!