SillyDog701

Message Centre 3.0

Skip to content

Sun Java JRE Deserialization Denial of Service Vulnerability

Firefox, Thunderbird, SeaMonkey, Camino, Mozilla, Netscape 6/7/8/9, and all Gecko-based browsers discussion and support forum.
(MozInfo701, Netscape Browser Archive)

Moderators: Antony, Edward, profman, Ramona

Post a reply

Sun Java JRE Deserialization Denial of Service Vulnerability

Postby Ramona » Tue 08 Nov, 2005 2:31 am

SECUNIA ADVISORY ID:
SA17478
VERIFY ADVISORY:
http://secunia.com/advisories/17478/

CRITICAL:
Less critical

IMPACT:
DoS

WHERE:
>From remote

SOFTWARE:
Sun Java JRE 1.5.x / 5.x
http://secunia.com/product/4228/
Sun Java JRE 1.4.x
http://secunia.com/product/784/
Sun Java JRE 1.3.x
http://secunia.com/product/87/
Sun Java JDK 1.5.x
http://secunia.com/product/4621/
Sun Java SDK 1.3.x
http://secunia.com/product/1660/
Sun Java SDK 1.4.x
http://secunia.com/product/1661/

DESCRIPTION:
Marc Schoenefeld has reported a vulnerability in Sun Java Runtime
Environment (JRE), which can be exploited by malicious people to
cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the
handling of serialized Java objects. This can be exploited to crash
the Java Virtual Machine (JVM) via an application deserializing
objects from untrusted sources.

The vulnerability has been reported in versions 1.4.2_08, 1.4.2_09,
and 1.5.0_05. Prior versions may also be affected.

SOLUTION:
The vulnerability will reportedly be fixed by the vendor in upcoming
releases for 1.3.x, 1.4.x, and 1.5.x.

Restrict applications from deserializing objects from untrusted
sources.

PROVIDED AND/OR DISCOVERED BY:
Marc Schoenefeld
UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7 (ax)
User avatar
Ramona
Moderator
Moderator
 
Posts: 2376
Joined: Wed 19 Jun, 2002 3:50 pm
Location: Midwest USA
Top

Re: Sun Java JRE Deserialization Denial of Service Vulnerabi

Postby Antony » Tue 08 Nov, 2005 2:37 am

Ramona wrote:SECUNIA ADVISORY ID:
SA17478
SOLUTION:
...

Restrict applications from deserializing objects from untrusted
sources.
Thanks Ramona for the heads-up.

I highly doubt Secunia's Solution is useful to most users.
How many people here know how to de-serialise objects in Java? and how many of us know how to restrict applications from doing so?
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/416.11 (KHTML, like Gecko) Safari/416.12
User avatar
Antony
diamond member
diamond member
 
Posts: 14510
Joined: Tue 18 Jun, 2002 11:36 pm
Location: Sydney, Australia
Top

Postby Ramona » Tue 08 Nov, 2005 2:42 am

Thanks Antony, and I agree. Feel free to delete if you wish. I was just reading about serializing, and it's definitely over my head! :?
UserAgent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7 (ax)
User avatar
Ramona
Moderator
Moderator
 
Posts: 2376
Joined: Wed 19 Jun, 2002 3:50 pm
Location: Midwest USA
Top
Post a reply

Return to Firefox, SeaMonkey and Netscape

Who is online

Registered users: Google [Bot], Yahoo [Bot]

Powered by phpBB © phpBB Group
Cheap Web Hosting

support SillyDog701
[SillyDog701 home] [Netscape] [download NS] [MozInfo701] [MacCentre701] [Feedback] [Search] [Sitemap]
All messages posted in this forum do not necessarily represent SillyDog701. This forum is operated by Antony Shen. All rights reserved. Copyright Notice. Privacy Statement.		 get FirefoxMade on a Mac