Vulnerabilities > CVE-2009-3729 - Unspecified vulnerability in SUN JRE 1.5.0/1.6.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
Unspecified vulnerability in the TrueType font parsing functionality in Sun Java SE 5.0 before Update 22 and 6 before Update 17 allows remote attackers to cause a denial of service (application crash) via a certain test suite, aka Bug Id 6815780.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 37 |
Nessus
NASL family Misc. NASL id SUN_JAVA_JRE_269868_UNIX.NASL description The version of Sun Java Runtime Environment (JRE) installed on the remote host is earlier than 6 Update 17 / 5.0 Update 22 / 1.4.2_24 / 1.3.1_27. Such versions are potentially affected by the following security issues : - The Java update mechanism on non-English versions does not update the JRE when a new version is available. (269868) - A command execution vulnerability exists in the Java runtime environment deployment toolkit. (269869) - An issue in the Java web start installer may be leveraged to allow an untrusted Java web start application to run as a trusted application. (269870) - Multiple buffer and integer overflow vulnerabilities exist. (270474) - A security vulnerability in the JRE with verifying HMAC digests may allow authentication to be bypassed. (270475) - Two vulnerabilities in the JRE with decoding DER encoded data and parsing HTTP headers may separately allow a remote client to cause the JRE on the server to run out of memory, resulting in a denial of service. (270476) - A directory traversal vulnerability in the ICC_Profile.getInstance method allows a remote attacker to determine the existence of local International Color Consortium (ICC) profile files. (Bug #6631533) - A denial of service attack is possible via a BMP file containing a link to a UNC share pathname for an International Color Consortium (ICC) profile file. (Bug #6632445) - Resurrected classloaders can still have children, which could allow a remote attacker to gain privileges via unspecified vectors (Bug #6636650) - The Abstract Window Toolkit (AWT) does not properly restrict the objects that may be sent to loggers, which allows attackers to obtain sensitive information via vectors related to the implementation of Component, KeyboardFocusManager, and DefaultKeyboardFocusManager. (Bug #6664512) - An unspecified vulnerability in TrueType font parsing functionality may lead to a denial of service. (Bug #6815780) - The failure to clone arrays returned by the getConfigurations function could lead to multiple, unspecified vulnerabilities in the X11 and Win32GraphicsDevice subsystems. (Bug #6822057) - The TimeZone.getTimeZone method can be used by a remote attacker to determine the existence of local files via its handling of zoneinfo (aka tz) files. (Bug #6824265) - Java Web Start does not properly handle the interaction between a signed JAR file and a JNLP application or applet. (Bug #6870531) last seen 2020-06-01 modified 2020-06-02 plugin id 64831 published 2013-02-22 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/64831 title Sun Java JRE Multiple Vulnerabilities (269868 / 269869 / 270476 ...) (Unix) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(64831); script_version("1.9"); script_cvs_date("Date: 2018/11/15 20:50:24"); script_cve_id( "CVE-2009-3728", "CVE-2009-3729", "CVE-2009-3864", "CVE-2009-3865", "CVE-2009-3866", "CVE-2009-3867", "CVE-2009-3868", "CVE-2009-3869", "CVE-2009-3871", "CVE-2009-3872", "CVE-2009-3873", "CVE-2009-3874", "CVE-2009-3875", "CVE-2009-3876", "CVE-2009-3877", "CVE-2009-3879", "CVE-2009-3880", "CVE-2009-3881", "CVE-2009-3884", "CVE-2009-3885", "CVE-2009-3886" ); script_bugtraq_id(36881); script_name(english:"Sun Java JRE Multiple Vulnerabilities (269868 / 269869 / 270476 ...) (Unix)"); script_summary(english:"Checks version of Sun JRE"); script_set_attribute( attribute:"synopsis", value: "The remote Unix host contains a runtime environment that is affected by multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "The version of Sun Java Runtime Environment (JRE) installed on the remote host is earlier than 6 Update 17 / 5.0 Update 22 / 1.4.2_24 / 1.3.1_27. Such versions are potentially affected by the following security issues : - The Java update mechanism on non-English versions does not update the JRE when a new version is available. (269868) - A command execution vulnerability exists in the Java runtime environment deployment toolkit. (269869) - An issue in the Java web start installer may be leveraged to allow an untrusted Java web start application to run as a trusted application. (269870) - Multiple buffer and integer overflow vulnerabilities exist. (270474) - A security vulnerability in the JRE with verifying HMAC digests may allow authentication to be bypassed. (270475) - Two vulnerabilities in the JRE with decoding DER encoded data and parsing HTTP headers may separately allow a remote client to cause the JRE on the server to run out of memory, resulting in a denial of service. (270476) - A directory traversal vulnerability in the ICC_Profile.getInstance method allows a remote attacker to determine the existence of local International Color Consortium (ICC) profile files. (Bug #6631533) - A denial of service attack is possible via a BMP file containing a link to a UNC share pathname for an International Color Consortium (ICC) profile file. (Bug #6632445) - Resurrected classloaders can still have children, which could allow a remote attacker to gain privileges via unspecified vectors (Bug #6636650) - The Abstract Window Toolkit (AWT) does not properly restrict the objects that may be sent to loggers, which allows attackers to obtain sensitive information via vectors related to the implementation of Component, KeyboardFocusManager, and DefaultKeyboardFocusManager. (Bug #6664512) - An unspecified vulnerability in TrueType font parsing functionality may lead to a denial of service. (Bug #6815780) - The failure to clone arrays returned by the getConfigurations function could lead to multiple, unspecified vulnerabilities in the X11 and Win32GraphicsDevice subsystems. (Bug #6822057) - The TimeZone.getTimeZone method can be used by a remote attacker to determine the existence of local files via its handling of zoneinfo (aka tz) files. (Bug #6824265) - Java Web Start does not properly handle the interaction between a signed JAR file and a JNLP application or applet. (Bug #6870531)" ); script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021046.1.html"); script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021046.1.html"); script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021048.1.html"); script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021048.1.html"); script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021083.1.html"); script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021084.1.html"); script_set_attribute( attribute:"solution", value: "Update to Sun Java JDK / JRE 6 Update 17, JDK / JRE 5.0 Update 22, SDK / JRE 1.4.2_24, or SDK / JRE 1.3.1_27 or later and remove, if necessary, any affected versions." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Sun Java JRE AWT setDiffICM Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(22, 94, 119, 189, 200, 264, 310, 399); script_set_attribute(attribute:"vuln_publication_date", value:"2009/11/03"); script_set_attribute(attribute:"patch_publication_date", value:"2009/11/03"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/22"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("sun_java_jre_installed_unix.nasl"); script_require_keys("Host/Java/JRE/Installed"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); # Check each installed JRE. installs = get_kb_list_or_exit("Host/Java/JRE/Unmanaged/*"); info = ""; vuln = 0; vuln2 = 0; installed_versions = ""; granular = ""; foreach install (list_uniq(keys(installs))) { ver = install - "Host/Java/JRE/Unmanaged/"; if (ver !~ "^[0-9.]+") continue; installed_versions = installed_versions + " & " + ver; if ( ver =~ "^1\.6\.0_(0[0-9]|1[0-6])([^0-9]|$)" || ver =~ "^1\.5\.0_([01][0-9]|2[01])([^0-9]|$)" || ver =~ "^1\.4\.([01]_|2_([01][0-9]|2[0-3]([^0-9]|$)))" || ver =~ "^1\.3\.(0_|1_([01][0-9]|2[0-6]([^0-9]|$)))" ) { dirs = make_list(get_kb_list(install)); vuln += max_index(dirs); foreach dir (dirs) info += '\n Path : ' + dir; info += '\n Installed version : ' + ver; info += '\n Fixed version : 1.6.0_17 / 1.5.0_22 / 1.4.2_24 / 1.3.1_27\n'; } else if (ver =~ "^[\d\.]+$") { dirs = make_list(get_kb_list(install)); foreach dir (dirs) granular += "The Oracle Java version "+ver+" at "+dir+" is not granular enough to make a determination."+'\n'; } else { dirs = make_list(get_kb_list(install)); vuln2 += max_index(dirs); } } # Report if any were found to be vulnerable. if (info) { if (report_verbosity > 0) { if (vuln > 1) s = "s of Java are"; else s = " of Java is"; report = '\n' + 'The following vulnerable instance'+s+' installed on the\n' + 'remote host :\n' + info; security_hole(port:0, extra:report); } else security_hole(0); if (granular) exit(0, granular); } else { if (granular) exit(0, granular); installed_versions = substr(installed_versions, 3); if (vuln2 > 1) exit(0, "The Java "+installed_versions+" installs on the remote host are not affected."); else exit(0, "The Java "+installed_versions+" install on the remote host is not affected."); }
NASL family Scientific Linux Local Security Checks NASL id SL_20091109_JAVA__JDK_1_6_0__ON_SL4_X.NASL description CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968) CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503) CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service (6864911) CVE-2009-3877 CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357) CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358) CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643) CVE-2009-3728 OpenJDK ICC_Profile file existence detection information leak (6631533) CVE-2009-3881 OpenJDK resurrected classloaders can still have children (6636650) CVE-2009-3882 CVE-2009-3883 OpenJDK information leaks in mutable variables (6657026,6657138) CVE-2009-3880 OpenJDK UI logging information leakage(6664512) CVE-2009-3879 OpenJDK GraphicsConfiguration information leak(6822057) CVE-2009-3884 OpenJDK zoneinfo file existence information leak (6824265) CVE-2009-3729 JRE TrueType font parsing crash (6815780) CVE-2009-3872 JRE JPEG JFIF Decoder issue (6862969) CVE-2009-3886 JRE REGRESSION:have problem to run JNLP app and applets with signed Jar files (6870531) CVE-2009-3865 java-1.6.0-sun: ACE in JRE Deployment Toolkit (6869752) CVE-2009-3866 java-1.6.0-sun: Privilege escalation in the Java Web Start Installer (6872824) CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303) CVE-2009-3868 java-1.5.0-sun, java-1.6.0-sun: Privilege escalation via crafted image file due improper color profiles parsing (6862970) This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. These vulnerabilities are summarized on the last seen 2020-06-01 modified 2020-06-02 plugin id 60691 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60691 title Scientific Linux Security Update : java (jdk 1.6.0) on SL4.x, SL5.x i386/x86_64 code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(60691); script_version("1.8"); script_cvs_date("Date: 2019/10/25 13:36:18"); script_cve_id("CVE-2009-2409", "CVE-2009-3728", "CVE-2009-3729", "CVE-2009-3865", "CVE-2009-3866", "CVE-2009-3867", "CVE-2009-3868", "CVE-2009-3869", "CVE-2009-3871", "CVE-2009-3872", "CVE-2009-3873", "CVE-2009-3874", "CVE-2009-3875", "CVE-2009-3876", "CVE-2009-3877", "CVE-2009-3879", "CVE-2009-3880", "CVE-2009-3881", "CVE-2009-3882", "CVE-2009-3883", "CVE-2009-3884", "CVE-2009-3886"); script_name(english:"Scientific Linux Security Update : java (jdk 1.6.0) on SL4.x, SL5.x i386/x86_64"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky) CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968) CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503) CVE-2009-3876 OpenJDK ASN.1/DER input stream parser denial of service (6864911) CVE-2009-3877 CVE-2009-3869 OpenJDK JRE AWT setDifflCM stack overflow (6872357) CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358) CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643) CVE-2009-3728 OpenJDK ICC_Profile file existence detection information leak (6631533) CVE-2009-3881 OpenJDK resurrected classloaders can still have children (6636650) CVE-2009-3882 CVE-2009-3883 OpenJDK information leaks in mutable variables (6657026,6657138) CVE-2009-3880 OpenJDK UI logging information leakage(6664512) CVE-2009-3879 OpenJDK GraphicsConfiguration information leak(6822057) CVE-2009-3884 OpenJDK zoneinfo file existence information leak (6824265) CVE-2009-3729 JRE TrueType font parsing crash (6815780) CVE-2009-3872 JRE JPEG JFIF Decoder issue (6862969) CVE-2009-3886 JRE REGRESSION:have problem to run JNLP app and applets with signed Jar files (6870531) CVE-2009-3865 java-1.6.0-sun: ACE in JRE Deployment Toolkit (6869752) CVE-2009-3866 java-1.6.0-sun: Privilege escalation in the Java Web Start Installer (6872824) CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303) CVE-2009-3868 java-1.5.0-sun, java-1.6.0-sun: Privilege escalation via crafted image file due improper color profiles parsing (6862970) This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. These vulnerabilities are summarized on the 'Advance notification of Security Updates for Java SE' page from Sun Microsystems, listed in the References section. (CVE-2009-2409, CVE-2009-3728, CVE-2009-3729, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886) All running instances of Sun Java must be restarted for the update to take effect." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0911&L=scientific-linux-errata&T=0&P=2369 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?6a7a8b8a" ); script_set_attribute( attribute:"solution", value:"Update the affected java-1.6.0-sun-compat and / or jdk packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Sun Java JRE AWT setDiffICM Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(22, 94, 119, 189, 200, 264, 310, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/07/30"); script_set_attribute(attribute:"patch_publication_date", value:"2009/11/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL4", reference:"java-1.6.0-sun-compat-1.6.0.17-1.sl4.jpp")) flag++; if (rpm_check(release:"SL4", reference:"jdk-1.6.0_17-fcs")) flag++; if (rpm_check(release:"SL5", cpu:"i386", reference:"java-1.6.0-sun-compat-1.6.0.17-3.sl5.jpp")) flag++; if (rpm_check(release:"SL5", cpu:"i386", reference:"jdk-1.6.0_17-fcs")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0002_REMOTE.NASL description The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the bundled version of the Java Runtime Environment (JRE). last seen 2020-06-01 modified 2020-06-02 plugin id 89736 published 2016-03-08 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89736 title VMware ESX Java Runtime Environment (JRE) Multiple Vulnerabilities (VMSA-2010-0002) (remote check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(89736); script_version("1.5"); script_cvs_date("Date: 2018/08/06 14:03:16"); script_cve_id( "CVE-2009-1093", "CVE-2009-1094", "CVE-2009-1095", "CVE-2009-1096", "CVE-2009-1097", "CVE-2009-1098", "CVE-2009-1099", "CVE-2009-1100", "CVE-2009-1101", "CVE-2009-1102", "CVE-2009-1103", "CVE-2009-1104", "CVE-2009-1105", "CVE-2009-1106", "CVE-2009-1107", "CVE-2009-2625", "CVE-2009-2670", "CVE-2009-2671", "CVE-2009-2672", "CVE-2009-2673", "CVE-2009-2675", "CVE-2009-2676", "CVE-2009-2716", "CVE-2009-2718", "CVE-2009-2719", "CVE-2009-2720", "CVE-2009-2721", "CVE-2009-2722", "CVE-2009-2723", "CVE-2009-2724", "CVE-2009-3728", "CVE-2009-3729", "CVE-2009-3864", "CVE-2009-3865", "CVE-2009-3866", "CVE-2009-3867", "CVE-2009-3868", "CVE-2009-3869", "CVE-2009-3871", "CVE-2009-3872", "CVE-2009-3873", "CVE-2009-3874", "CVE-2009-3875", "CVE-2009-3876", "CVE-2009-3877", "CVE-2009-3879", "CVE-2009-3880", "CVE-2009-3881", "CVE-2009-3882", "CVE-2009-3883", "CVE-2009-3884", "CVE-2009-3885", "CVE-2009-3886" ); script_bugtraq_id( 34240, 35922, 35939, 35943, 35944, 35946, 35958, 36881 ); script_xref(name:"VMSA", value:"2010-0002"); script_name(english:"VMware ESX Java Runtime Environment (JRE) Multiple Vulnerabilities (VMSA-2010-0002) (remote check)"); script_summary(english:"Checks the ESX / ESXi version and build number."); script_set_attribute(attribute:"synopsis", value: "The remote VMware ESX host is missing a security-related patch."); script_set_attribute(attribute:"description", value: "The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the bundled version of the Java Runtime Environment (JRE)."); script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2010-0002"); script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2010/000097.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the vendor advisory that pertains to ESX version 3.5 / 4.0."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Sun Java JRE AWT setDiffICM Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(16, 20, 22, 94, 119, 189, 200, 264, 310, 362, 399); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx"); script_set_attribute(attribute:"vuln_publication_date", value:"2009/03/23"); script_set_attribute(attribute:"patch_publication_date", value:"2010/01/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/08"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_family(english:"VMware ESX Local Security Checks"); script_dependencies("vmware_vsphere_detect.nbin"); script_require_keys("Host/VMware/version", "Host/VMware/release"); script_require_ports("Host/VMware/vsphere"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); ver = get_kb_item_or_exit("Host/VMware/version"); rel = get_kb_item_or_exit("Host/VMware/release"); port = get_kb_item_or_exit("Host/VMware/vsphere"); esx = ''; if ("ESX" >!< rel) audit(AUDIT_OS_NOT, "VMware ESX/ESXi"); extract = eregmatch(pattern:"^(ESXi?) (\d\.\d).*$", string:ver); if (isnull(extract)) audit(AUDIT_UNKNOWN_APP_VER, "VMware ESX/ESXi"); else { esx = extract[1]; ver = extract[2]; } # fixed build numbers are the same for ESX and ESXi fixes = make_array( "3.5", "227413", "4.0", "256968" ); fix = FALSE; fix = fixes[ver]; # get the build before checking the fix for the most complete audit trail extract = eregmatch(pattern:'^VMware ESXi?.* build-([0-9]+)$', string:rel); if (isnull(extract)) audit(AUDIT_UNKNOWN_BUILD, "VMware " + esx, ver); build = int(extract[1]); # if there is no fix in the array, fix is FALSE if (!fix) audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build); if (build < fix) { report = '\n Version : ' + esx + " " + ver + '\n Installed build : ' + build + '\n Fixed build : ' + fix + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); exit(0); } else audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build);
NASL family Windows NASL id SUN_JAVA_JRE_269868.NASL description The version of Sun Java Runtime Environment (JRE) installed on the remote host is earlier than 6 Update 17 / 5.0 Update 22 / 1.4.2_24 / 1.3.1_27. Such versions are potentially affected by the following security issues : - The Java update mechanism on non-English versions does not update the JRE when a new version is available. (269868) - A command execution vulnerability exists in the Java runtime environment deployment toolkit. (269869) - An issue in the Java web start installer may be leveraged to allow an untrusted Java web start application to run as a trusted application. (269870) - Multiple buffer and integer overflow vulnerabilities. (270474) - A security vulnerability in the JRE with verifying HMAC digests may allow authentication to be bypassed. (270475) - Two vulnerabilities in the JRE with decoding DER encoded data and parsing HTTP headers may separately allow a remote client to cause the JRE on the server to run out of memory, resulting in a denial of service. (270476) - A directory traversal vulnerability in the ICC_Profile.getInstance method allows a remote attacker to determine the existence of local International Color Consortium (ICC) profile files. (Bug #6631533) - A denial of service attack is possible via a BMP file containing a link to a UNC share pathname for an International Color Consortium (ICC) profile file. (Bug #6632445) - Resurrected classloaders can still have children, which could allow a remote attacker to gain privileges via unspecified vectors. (Bug #6636650) - The Abstract Window Toolkit (AWT) does not properly restrict the objects that may be sent to loggers, which allows attackers to obtain sensitive information via vectors related to the implementation of Component, KeyboardFocusManager, and DefaultKeyboardFocusManager. (Bug #6664512) - An unspecified vulnerability in TrueType font parsing functionality may lead to a denial of service. (Bug #6815780) - The failure to clone arrays returned by the getConfigurations function could lead to multiple, unspecified vulnerabilities in the X11 and Win32GraphicsDevice subsystems. (Bug #6822057) - The TimeZone.getTimeZone method can be used by a remote attacker to determine the existence of local files via its handling of zoneinfo (aka tz) files. (Bug #6824265) - Java Web Start does not properly handle the interaction between a signed JAR file and a JNLP application or applet. (Bug #6870531) last seen 2020-06-01 modified 2020-06-02 plugin id 42373 published 2009-11-04 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42373 title Sun Java JRE Multiple Vulnerabilities (269868 / 269869 / 270476 ..) code # # (C) Tenable Network Security, Inc. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(42373); script_version("1.28"); script_cvs_date("Date: 2018/11/15 20:50:28"); script_cve_id("CVE-2009-3728", "CVE-2009-3729", "CVE-2009-3864", "CVE-2009-3865", "CVE-2009-3866", "CVE-2009-3867", "CVE-2009-3868", "CVE-2009-3869", "CVE-2009-3871", "CVE-2009-3872", "CVE-2009-3873", "CVE-2009-3874", "CVE-2009-3875", "CVE-2009-3876", "CVE-2009-3877", "CVE-2009-3879", "CVE-2009-3880", "CVE-2009-3881", "CVE-2009-3884", "CVE-2009-3885", "CVE-2009-3886"); script_bugtraq_id(36881); script_name(english:"Sun Java JRE Multiple Vulnerabilities (269868 / 269869 / 270476 ..)"); script_summary(english:"Checks version of Sun JRE"); script_set_attribute( attribute:"synopsis", value: "The remote Windows host contains a runtime environment that is affected by multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "The version of Sun Java Runtime Environment (JRE) installed on the remote host is earlier than 6 Update 17 / 5.0 Update 22 / 1.4.2_24 / 1.3.1_27. Such versions are potentially affected by the following security issues : - The Java update mechanism on non-English versions does not update the JRE when a new version is available. (269868) - A command execution vulnerability exists in the Java runtime environment deployment toolkit. (269869) - An issue in the Java web start installer may be leveraged to allow an untrusted Java web start application to run as a trusted application. (269870) - Multiple buffer and integer overflow vulnerabilities. (270474) - A security vulnerability in the JRE with verifying HMAC digests may allow authentication to be bypassed. (270475) - Two vulnerabilities in the JRE with decoding DER encoded data and parsing HTTP headers may separately allow a remote client to cause the JRE on the server to run out of memory, resulting in a denial of service. (270476) - A directory traversal vulnerability in the ICC_Profile.getInstance method allows a remote attacker to determine the existence of local International Color Consortium (ICC) profile files. (Bug #6631533) - A denial of service attack is possible via a BMP file containing a link to a UNC share pathname for an International Color Consortium (ICC) profile file. (Bug #6632445) - Resurrected classloaders can still have children, which could allow a remote attacker to gain privileges via unspecified vectors. (Bug #6636650) - The Abstract Window Toolkit (AWT) does not properly restrict the objects that may be sent to loggers, which allows attackers to obtain sensitive information via vectors related to the implementation of Component, KeyboardFocusManager, and DefaultKeyboardFocusManager. (Bug #6664512) - An unspecified vulnerability in TrueType font parsing functionality may lead to a denial of service. (Bug #6815780) - The failure to clone arrays returned by the getConfigurations function could lead to multiple, unspecified vulnerabilities in the X11 and Win32GraphicsDevice subsystems. (Bug #6822057) - The TimeZone.getTimeZone method can be used by a remote attacker to determine the existence of local files via its handling of zoneinfo (aka tz) files. (Bug #6824265) - Java Web Start does not properly handle the interaction between a signed JAR file and a JNLP application or applet. (Bug #6870531)" ); script_set_attribute( attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021046.1.html" ); script_set_attribute( attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021046.1.html" ); script_set_attribute( attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021048.1.html" ); script_set_attribute( attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021048.1.html" ); script_set_attribute( attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021083.1.html" ); script_set_attribute( attribute:"see_also", value:"https://download.oracle.com/sunalerts/1021084.1.html" ); script_set_attribute( attribute:"solution", value: "Update to Sun Java JDK / JRE 6 Update 17, JDK / JRE 5.0 Update 22, SDK / JRE 1.4.2_24, or SDK / JRE 1.3.1_27 or later and remove, if necessary, any affected versions." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Sun Java JRE AWT setDiffICM Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_cwe_id(22, 94, 119, 189, 200, 264, 310, 399); script_set_attribute( attribute:"vuln_publication_date", value:"2009/11/03" ); script_set_attribute( attribute:"patch_publication_date", value:"2009/11/03" ); script_set_attribute( attribute:"plugin_publication_date", value:"2009/11/04" ); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc."); script_dependencies("sun_java_jre_installed.nasl"); script_require_keys("SMB/Java/JRE/Installed"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); # Check each installed JRE. installs = get_kb_list("SMB/Java/JRE/*"); if (isnull(installs)) exit(1, "The 'SMB/Java/JRE/' KB item is missing."); info = ""; vuln = 0; installed_versions = ""; foreach install (list_uniq(keys(installs))) { ver = install - "SMB/Java/JRE/"; if (ver =~ "^[0-9.]+") installed_versions = installed_versions + " & " + ver; if ( ver =~ "^1\.6\.0_(0[0-9]|1[0-6])([^0-9]|$)" || ver =~ "^1\.5\.0_([01][0-9]|2[01])([^0-9]|$)" || ver =~ "^1\.4\.([01]_|2_([01][0-9]|2[0-3]([^0-9]|$)))" || ver =~ "^1\.3\.(0_|1_([01][0-9]|2[0-6]([^0-9]|$)))" ) { dirs = make_list(get_kb_list(install)); vuln += max_index(dirs); foreach dir (dirs) info += '\n Path : ' + dir; info += '\n Installed version : ' + ver; info += '\n Fixed version : 1.6.0_17 / 1.5.0_22 / 1.4.2_24 / 1.3.1_27\n'; } } # Report if any were found to be vulnerable. if (info) { port = get_kb_item("SMB/transport"); if (!port) port = 445; if (report_verbosity > 0) { if (vuln > 1) s = "s of Java are"; else s = " of Java is"; report = '\n' + 'The following vulnerable instance'+s+' installed on the\n' + 'remote host :\n' + info; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } else { installed_versions = substr(installed_versions, 3); if (" & " >< installed_versions) exit(0, "The Java "+installed_versions+" installs on the remote host are not affected."); else exit(0, "The Java "+installed_versions+" install on the remote host is not affected."); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2009-1560.NASL description Updated java-1.6.0-sun packages that correct several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. These vulnerabilities are summarized on the last seen 2020-06-01 modified 2020-06-02 plugin id 42431 published 2009-11-10 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42431 title RHEL 4 / 5 : java-1.6.0-sun (RHSA-2009:1560) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200911-02.NASL description The remote host is affected by the vulnerability described in GLSA-200911-02 (Sun JDK/JRE: Multiple vulnerabilities) Multiple vulnerabilities have been reported in the Sun Java implementation. Please review the CVE identifiers referenced below and the associated Sun Alerts for details. Impact : A remote attacker could entice a user to open a specially crafted JAR archive, applet, or Java Web Start application, possibly resulting in the execution of arbitrary code with the privileges of the user running the application. Furthermore, a remote attacker could cause a Denial of Service affecting multiple services via several vectors, disclose information and memory contents, write or execute local files, conduct session hijacking attacks via GIFAR files, steal cookies, bypass the same-origin policy, load untrusted JAR files, establish network connections to arbitrary hosts and posts via several vectors, modify the list of supported graphics configurations, bypass HMAC-based authentication systems, escalate privileges via several vectors and cause applet code to be executed with older, possibly vulnerable versions of the JRE. NOTE: Some vulnerabilities require a trusted environment, user interaction, a DNS Man-in-the-Middle or Cross-Site-Scripting attack. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 42834 published 2009-11-18 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42834 title GLSA-200911-02 : Sun JDK/JRE: Multiple vulnerabilities NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0002.NASL description a. Java JRE Security Update JRE update to version 1.5.0_22, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_22: CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886, CVE-2009-3885. last seen 2020-06-01 modified 2020-06-02 plugin id 45386 published 2010-03-31 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/45386 title VMSA-2010-0002 : VMware vCenter update release addresses multiple security issues in Java JRE
Oval
accepted | 2014-01-20T04:01:35.593-05:00 | ||||||||
class | vulnerability | ||||||||
contributors |
| ||||||||
definition_extensions |
| ||||||||
description | Unspecified vulnerability in the TrueType font parsing functionality in Sun Java SE 5.0 before Update 22 and 6 before Update 17 allows remote attackers to cause a denial of service (application crash) via a certain test suite, aka Bug Id 6815780. | ||||||||
family | unix | ||||||||
id | oval:org.mitre.oval:def:7537 | ||||||||
status | accepted | ||||||||
submitted | 2010-06-01T17:30:00.000-05:00 | ||||||||
title | JRE TrueType Font Parsing Crash | ||||||||
version | 8 |
Redhat
rpms |
|
References
- http://java.sun.com/j2se/1.5.0/ReleaseNotes.html
- http://java.sun.com/javase/6/webnotes/6u17.html
- http://secunia.com/advisories/37386
- http://security.gentoo.org/glsa/glsa-200911-02.xml
- https://bugzilla.redhat.com/show_bug.cgi?id=532904
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7537