....
 

Guardian Digital Inc. > InfoCenter > Mailing List Archives > BugTraq

BugTraq Mailing List Archive

From: Marc Schoenefeld (schonef@uni-muenster.de)
Date: Wed Dec 22 2004 - 06:42:04 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good day,

after my bug report in april 2004 Sun fixed an issue with
remote and local object serialisation. If getting
a bad object package your server may become unresponsive and does not
accept further requests but it does not crash. A PoC exploit
showed that with a little lower socket work RMI communication
is affected, too.

In my opinion it is a deep concept bug (antipattern) in JDK serialisation
semantics, but JDK 1.4.2_06 is only a detail fix.
So chances are high that there are more bugs like this in your JDK
or your application, even after an upgrade to JDK 1.4.2_06.

Below is the relevant snippet from:

http://classic.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57707&zone_32=category%3A%2Asecurity

Happy Xmas and a great 2005 to all
Marc

>> Sun(sm) Alert Notification
>>
>> * Sun Alert ID: 57707
>> * Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS)
Vulnerability
>> * Category: Security
>> * Product: Java SDK and JRE
>> * BugIDs: 5037001
>> * Avoidance: Upgrade
>> * State: Resolved
>> * Date Released: 20-Dec-2004
>> * Date Closed: 20-Dec-2004
>> * Date Modified:
>>
>>1. Impact
>>
>>A vulnerability in the Java Runtime Environment (JRE) involving object
deserialization could be exploited remotely to cause the Java Virtual
Machine to become unresponsive, which is a type of Denial-of-Service (DoS).
This issue can affect the JRE if an application that runs on it accepts
serialized data from an untrusted source.
>>
>>Sun acknowledges with thanks, Marc Schoenefeld, for bringing this issue to
our attention.
>>2. Contributing Factors
>>
>>This issue can occur in the following releases:
>>
>> * SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases
for Windows, Solaris and Linux
>>
>>Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not
affected by this issue.
>>
>>To determine the version of Java on a system, the following command can be
run:
>>
>> % java -fullversion
>> java full version "1.4.1_06-b01"
>>
>>3. Symptoms
>>
>>The Java Runtime Environment (JRE) is unresponsive.
>>Solution Summary Top
>>4. Relief/Workaround
>>
>>There is no workaround. Please see the "Resolution" section below.
>>5. Resolution
>>
>>This issue is addressed in the following releases:
>>
>> * SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux
>>
>>J2SE releases are available for download at:
>>
>> * J2SE 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp
>> * J2SE 1.4.2_06 at http://java.sun.com/j2se/1.4.2/download.html and
http://java.com/

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (AIX)

iD8DBQFByV2RqCaQvrKNUNQRAveDAJ4zaWiCWITLXaHuhuHSO6ARhVP12gCfbmw+
c9K0l+Ih5omDU6gsGZ8a8zU=
=hJt+
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



[ About Guardian Digital ] - [ Press Center ] - [ Contact Us ] - [ System Activation ] - [ Reseller Info ] - [ Online Store ] - [ Site Map ]
Copyright (c) 2000 - 2004 Guardian Digital, Inc. Linux Lockbox and EnGarde are Trademarks of Guardian Digital, Inc.