Vulnerability Alert

Multiple Vendor Java Runtime Environment Malformed Calendar Object Processing Applet Privilege Escalation Vulnerability

 
Threat Type: CWE-94: Code Injection
IntelliShield ID: 17203
Version: 14
First Published: 2008 December 08 17:45 GMT
Last Published: 2010 February 10 19:35 GMT
Port: Not available
CVE: CVE-2008-5353
BugTraq ID: 32608
Urgency: Possible use
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 9.3 (CVSS Version 2.0)
CVSS Temporal: 7.7
 
Version Summary:

HP has released an additional security bulletin and updated software to address the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability.

 
 
Description

HP, IBM, and Sun Java products contain a vulnerability that could allow an unauthenticated, remote attacker to perform actions with elevated privileges.

The vulnerability is due to an error that may occur when the vulnerable products handle Java applets. An unauthenticated, remote attacker could exploit the vulnerability by convincing a user to visit a website that loads a malicious applet on the user's system. The malicious applet could allow the attacker to execute arbitrary commands with the privileges of the user who is running the web browser.

Functional code that exploits this vulnerability is publicly available.

HP, IBM, and Sun confirmed the vulnerability and released updated software.

 
Warning Indicators

The following Java products are vulnerable:

IBM JDK 1.4.2 SR12 and prior
IBM JDK 5.0 SR8a and prior
IBM JDK 6.0 SR2 and prior
Sun JRE 6 Update 10 and prior
Sun JDK 6 Update 10 and prior
Sun JRE 5.0 Update 16 and prior
Sun JDK 5.0 Update 16 and prior
Sun SDK 1.4.2_18 and prior
Sun JRE 1.4.2_18 and prior
HP JDK and JRE 6.0.02 and prior
HP JDK and JRE 5.0.14 and prior
HP SDK and JRE 1.4.2.20 and prior

 
IntelliShield Analysis

Code execution will take place with the privileges of the user who is logged in. On platforms that grant users administrative privileges by default, such as certain versions of Microsoft Windows, an unauthenticated, remote attacker may be able to take full control of the targeted system. On systems that restrict user privileges, the attacker gains only the privileges of the current user.

 
Vendor Announcements

HP has released security bulletin c01683026 at the following link: HPSBUX02411 SSRT080111. HP has released security bulletin c02000725 for registered users at the following link: HPSBMA02486 SSRT090049

IBM has released a security alert at the following link: CVE-2008-5353

Sun has released an alert notification at the following link: 244990

Apple has released security updates at the following links: Java for Mac OS X 10.5 Update 4 and Java for Mac OS X 10.4 Release 9

Novell has released security announcements at the following links: SUSE-SA:2009:001 and SUSE-SA:2009:007

Oracle has released a security advisory at the following link: Oracle Critical Patch Update April 2009

Red Hat has released security advisories at the following links: RHSA-2008:1018, RHSA-2008:1025, RHSA-2009:0015, RHSA-2009:0016, RHSA-2009:0445 and RHSA-2009:0466

VMware has re-released a security advisory at the following link: VMSA-2009-0014.1

 
Impact

An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary commands with the privileges of the user who is running the web browser. If that user holds administrative rights, code execution could result in a full system compromise.

 
Technical Information

The vulnerability is due to an error that may occur when the Java Runtime Environment deserializes Calendar objects (the Calendar readObject path) on behalf of a Java applet. An unauthenticated, remote attacker could exploit this vulnerability by creating a Java applet that carries a malicious serialized Calendar object and convincing a user to view that applet. Because the deserialization runs with privileges the applet itself does not hold, the object could allow the attacker to break out of the Java sandbox and execute arbitrary code on the affected system with the privileges of the user.

 
Safeguards

Administrators are advised to apply the appropriate update.

Users are advised not to visit untrusted websites.

Users are advised not to accept Java applets from untrusted sources.

Administrators are advised not to browse the Internet or accept files from untrusted sources on critical systems.

Administrators may consider removing older versions of the affected software, which often remain installed alongside an update, so that those versions cannot be invoked and exploited.
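A triage script for the safeguards above, added here as an example and not code from the alert or from any of the vendors it names. It parses `java -version` output and compares it against the first fixed releases listed in the Patches/Software section (Sun 6 Update 11, 5.0 Update 17, 1.4.2_19; HP-UX 6.0.03, 5.0.15, 1.4.2.21) and the last vulnerable IBM service refreshes from Warning Indicators (SR2, SR8a, SR12). The sample outputs are constructed, not captured from real systems, and the script assumes three version-string shapes: Sun/Oracle "1.6.0_10", IBM builds carrying an "(SRn)" marker on the build line, and HP-UX builds using a fourth dotted component such as "1.6.0.03".

```python
"""Triage `java -version` output against the fixed releases in this alert.

Added example, not vendor code.  Thresholds come from the alert's
Warning Indicators and Patches/Software sections.  Assumptions about
version-string formats (Sun "1.6.0_10", IBM "(SRn)", HP-UX "1.6.0.03")
are the author's, not documented by the alert.  Sample outputs below
are constructed.
"""
import re
import subprocess
from typing import Optional, Tuple

# Sun/Oracle: first fixed update per family (6u11, 5.0u17, 1.4.2_19).
SUN_FIRST_FIXED = {(1, 6): 11, (1, 5): 17, (1, 4): 19}
# HP-UX (assumed "1.x.y.NN" form): first fixed fourth component.
HP_FIRST_FIXED = {(1, 6): 3, (1, 5): 15, (1, 4): 21}
# IBM: last vulnerable service refresh as (number, suffix); SR8a sorts after SR8.
IBM_LAST_VULNERABLE = {(1, 6): (2, ""), (1, 5): (8, "a"), (1, 4): (12, "")}

VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)(?:\.(\d+))?(?:([._])(\d+))?')
IBM_SR_RE = re.compile(r"\(SR(\d+)([a-z]?)\)")


def parse_version(output: str) -> Optional[Tuple[Tuple[int, int], str, int]]:
    """Return ((major, minor), separator, update) or None if no version line."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, _patch, sep, update = m.groups()
    return (int(major), int(minor)), (sep or ""), int(update or 0)


def is_vulnerable(output: str) -> Optional[bool]:
    """True if the runtime predates the fix, False if fixed, None if the
    output is unparseable or the family is not one this alert covers."""
    parsed = parse_version(output)
    if parsed is None:
        return None
    family, sep, update = parsed
    if "IBM" in output:
        if family not in IBM_LAST_VULNERABLE:
            return None
        sr = IBM_SR_RE.search(output)
        if sr is None:  # base release, no service refresh applied
            return True
        return (int(sr.group(1)), sr.group(2)) <= IBM_LAST_VULNERABLE[family]
    # A dotted fourth component is taken to be the HP-UX numbering scheme.
    table = HP_FIRST_FIXED if sep == "." else SUN_FIRST_FIXED
    if family not in table:
        return None
    return update < table[family]


def check_local_java() -> Optional[bool]:
    """Triage the java on PATH; None if there is none or its family is unknown."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return is_vulnerable(proc.stderr + proc.stdout)  # -version prints to stderr


# Constructed sample outputs (not captured from real systems).
SAMPLES = {
    "sun_6u10": 'java version "1.6.0_10"\nJava(TM) SE Runtime Environment (build 1.6.0_10-b33)',
    "sun_6u11": 'java version "1.6.0_11"\nJava(TM) SE Runtime Environment (build 1.6.0_11-b03)',
    "sun_5u16": 'java version "1.5.0_16"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_16-b02)',
    "sun_142_19": 'java version "1.4.2_19"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_19-b04)',
    "ibm_6_sr2": 'java version "1.6.0"\nJava(TM) SE Runtime Environment (build pxa6460sr2-20081130_01(SR2))\nIBM J9 VM (build 2.4)',
    "ibm_5_sr8a": 'java version "1.5.0"\nJava(TM) 2 Runtime Environment (build pxa64devifx-20081129 (SR8a))\nIBM J9 VM (build 2.3)',
    "ibm_5_sr9": 'java version "1.5.0"\nJava(TM) 2 Runtime Environment (build pxa64dev-20090519 (SR9))\nIBM J9 VM (build 2.3)',
    "hp_6_0_02": 'java version "1.6.0.02"\nJava(TM) SE Runtime Environment (build 1.6.0.02-jinteg)',
    "hp_5_0_15": 'java version "1.5.0.15"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.5.0.15-jinteg)',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:12s} vulnerable={is_vulnerable(text)}")
    print("local java vulnerable =", check_local_java())
```

Run it on each host, or feed it the output of every `java` binary found on disk rather than only the one first on PATH, since the older copies the safeguards mention are exactly the ones a PATH lookup will miss. A `None` result means the family is outside this alert, not that the runtime is safe.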

 
Patches/Software

HP has released updates at the following links:

HP-UX B.11.11
JDK and JRE v6.0.03 or subsequent
JDK and JRE v5.0.15 or subsequent
SDK and JRE v1.4.2.21 or subsequent

HP-UX B.11.23
JDK and JRE v6.0.03 or subsequent
JDK and JRE v5.0.15 or subsequent
SDK and JRE v1.4.2.21 or subsequent

HP-UX B.11.31
JDK and JRE v6.0.03 or subsequent
JDK and JRE v5.0.15 or subsequent
SDK and JRE v1.4.2.21 or subsequent

HP has released software updates for OV NNM v7.53 at the following links:

HP-UX (IA)
PHSS_40374 or later

HP-UX (PA)
PHSS_40375 or later

Linux RedHatAS2.1
LXOV_00101 or later

Linux RedHat4AS-x86_64
LXOV_00102 or later

Solaris
PSOV_03525 or later

Windows
NNM_01201 or later

IBM has released updates at the following link: IBM developer kits

Sun has released updated software at the following links:

JDK and JRE 6.0 Update 11
JDK and JRE 5.0 Update 17
SDK and JRE 1.4.2_19

JDK 6 Update 11 for Solaris
Java SE 6: Update 11 125136-14
Java SE 6: Update 11 64bit 125137-14
Java SE 6_x86: Update 11 125138-14
Java SE 6_x86: Update 11 64bit 125139-14

JDK 5.0 Update 17 for Solaris
J2SE 5.0: Update 17 118666-19
J2SE 5.0: Update 17 64bit 118667-19
J2SE 5.0_x86: Update 17 118668-19
J2SE 5.0_x86: Update 17 64bit 118669-19

Apple has released updates at the following links: Java for Mac OS X 10.5 Update 4 and Java for Mac OS X 10.4 Release 9

Novell has released updated packages; users can install the updates using YaST.

Oracle has released patches for registered users at the following link: Oracle

Red Hat packages can be updated using the up2date or yum command.

VMware has released updated software at the following links:

ESX 3.5
ESX350-200910403-SG

vCenter 4.0
Update 1

ESX 4.0
ESX400-200911223-UG


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0
Signature ID   Signature Name                      Release   Latest Release Date
17998/0        JRE Deserialization Vulnerability   S628      2012 Feb 25
 
Alert History
 

Version 13, January 6, 2010, 8:43 AM: Functional code that exploits the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability is publicly available.

Version 12, November 23, 2009, 9:47 AM: VMware has re-released a security advisory and updated software to address the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability.

Version 11, October 20, 2009, 12:13 PM: VMware has released a security advisory and updated software to address the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability.

Version 10, June 22, 2009, 4:28 PM: Apple has released security updates and updated software to address the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability.

Version 9, May 22, 2009, 10:10 AM: Proof-of-concept code and additional technical details are available for the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability.

Version 8, May 12, 2009, 11:55 AM: Red Hat has released an additional security bulletin and updated packages to address the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability.

Version 7, April 30, 2009, 12:38 PM: Red Hat has released a security bulletin and updated packages to address the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability.

Version 6, April 15, 2009, 10:42 AM: Oracle has released a security bulletin and updated software to address the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability.

Version 5, March 11, 2009, 2:40 PM: HP has released a security bulletin and updated software to address the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability.

Version 4, January 30, 2009, 2:09 PM: Novell has released a security announcement and updated packages to address the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability in IBM Java.

Version 3, January 15, 2009, 12:39 PM: IBM and Red Hat have released security advisories and updates to address the Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability.

Version 2, January 12, 2009, 8:17 AM: Novell has released a security announcement and updated packages to address the Sun Java Runtime Environment malformed calendar object processing applet privilege escalation vulnerability.

Version 1, December 8, 2008, 12:45 PM: Sun Java Runtime Environment contains a vulnerability that could allow an unauthenticated, remote attacker to perform actions with elevated privileges. Updated software is available.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
HP: HP Java Development Kit (JDK) 5.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13, Update 14 | 6.0 .00, .01, .02
HP: HP Java Runtime Environment (JRE) 1.4.2 .00, .01, .02, .03, .04, .05, .06, .07, .08, .09, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20 | 5.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13, Update 14 | 6.0 .00, .01, .02
HP: HP Java Software Development Kit (SDK) 1.4.2 .00, .01, .02, .03, .04, .05, .06, .07, .08, .09, .10, .11, .12, .13, .14, .15, .16, .17, .18, .19, .20
IBM: Java Development Kit (JDK) 1.4 Base, .1, .2, .2 SR1, .2 SR2, .2 SR3, .2 SR4, .2 SR5, .2 SR6, .2 SR7, .2 SR8, .2 SR9, .2 SR10, .2 SR11, .2 SR12 | 5.0 Base, SR1, SR2, SR3, SR4, SR5, SR5a, SR6, SR7, SR8, SR8a | 6.0 Base, SR1, SR2
Sun Microsystems, Inc.: Java Development Kit (JDK) 5.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13, Update 14, Update 15, Update 16 | 6.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 10
Sun Microsystems, Inc.: Java Runtime Environment (JRE) 5.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13, Update 14, Update 15, Update 16 | 6.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 10
Sun Microsystems, Inc.: Java Software Development Kit (SDK) 1.4.2 Base, _01, _02, _03, _04, _05, _06, _07, _08, _09, _10, _11, _12, _13, _14, _15, _16, _17, _18

Associated Products:
Apple: Mac OS X 10.4.0 Base | 10.4.1 Base | 10.4.2 Base | 10.4.3 Base | 10.4.4 Intel, PPC | 10.4.5 Intel, PPC | 10.4.6 Intel, PPC | 10.4.7 Intel, PPC | 10.4.8 Intel, PPC | 10.4.9 Intel, PPC | 10.4.10 Intel, PPC | 10.4.11 Intel, PPC | 10.5 Intel, PPC | 10.5.1 Intel, PPC | 10.5.2 Intel, PPC | 10.5.3 Intel, PPC | 10.5.4 Intel, PPC | 10.5.5 Intel, PPC | 10.5.6 Intel, PPC | 10.5.7 Intel, PPC
Apple: Mac OS X Server 10.4.0 Base | 10.4.1 Base | 10.4.2 Base | 10.4.3 Base | 10.4.4 Base | 10.4.5 Base | 10.4.6 Base | 10.4.7 Intel, PPC | 10.4.8 Intel, PPC | 10.4.9 Intel, PPC | 10.4.10 Intel, PPC | 10.4.11 PPC, Intel | 10.5 Intel, PPC | 10.5.1 Intel, PPC | 10.5.2 Intel, PPC | 10.5.3 Intel, PPC | 10.5.4 Intel, PPC | 10.5.5 Intel, PPC | 10.5.6 Intel, PPC | 10.5.7 Intel, PPC
HP: HP OpenView Network Node Manager (NNM) 7.51 Base | 7.53 Base
HP: HP-UX 11.11/11i Base | 11.23 Base | 11.31 Base
Novell, Inc.: Novell Linux Desktop 9 x86, x86_64
Novell, Inc.: Novell Linux POS 9 Base
Novell, Inc.: Novell Open Enterprise Server 1 i386 | 2 x86, x86-64
Oracle Corporation: WebLogic JRockit 6 JDK 1.4 .0, .1, .1_01, .1_02, .1_03, .1_04, .1_05, .1_06, .1_07, .2, .2_01, .2_02, .2_03, .2_04, .2_05, .2_06, .2_07, .2_08, .2_09, .2_10, .2_11, .2_12, .2_13, .2_14, .2_15, .2_16, .2_17, .2_18 | 5.0 Base, .0, .0_01, .0_02, .0_03, .0_04, .0_05, .0_06, .0_07, .0_08, .0_09, .0_10, .0_11, .0_12, .0_13, .0_14, .0_15, .0_16 | 6.0 Base, .0_01, .0_02, .0_03, .0_04, .0_05, .0_06, .0_07, .0_08, .0_09, .0_10
Red Hat, Inc.: Red Hat Enterprise Linux Desktop Supplementary 5.0 IA-32, x86-64
Red Hat, Inc.: Red Hat Enterprise Linux Extras 3 IA-32, IA-64, PPC, s390, s390x, x86_64 | 4 IA-32, IA-64, x86_64, PPC, s390, s390x
Red Hat, Inc.: Red Hat Network Satellite 5.2 Base
Red Hat, Inc.: RHEL Supplementary 5 IA-32, IA-64, PPC, PPC64, S390, S390x, x86_64
SUSE: SUSE Linux Enterprise Desktop (SLED) 10 SP2 amd64, SP2 x86, SP2 EM64T
SUSE: SuSE Linux Enterprise Server 9 IBM Power, IPF (itanium), iSeries, pSeries, s/390, x86, x86-64 (amd64, em64t), zSeries, zSeries 64bit | 10 SP2 AMD64, SP2 EM64T, SP2 Itanium (IPF), SP2 zSeries 64bit, SP2 x86, SP2 PPC
VMware, Inc.: VirtualCenter 2.0.2 Base, Update 1, Update 2, Update 3, Update 4, Update 5 | 2.5 Base, Update 1, Update 2, Update 3 | 4.0 Base
VMware, Inc.: VMware ESX Server 3.0 Base, .1, .2, .3 | 3.5 Base, Update 1, Update 2, Update 3, Update 4 | 4.0 Base
VMware, Inc.: VMware Server 2.0 .0, .1




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
Powered by IntelliShield