Security Activity Bulletin

Multiple Java Security Explorations

Threat Type: IntelliShield: Applied Mitigation Bulletin
IntelliShield ID: 28404
Version: 1
First Published: 2013 March 01 20:59 GMT
Last Published: 2013 March 01 20:59 GMT
Port: Not available
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Moderate Damage
Related Resources: View related IPS Signature

Version Summary: Oracle Java SE contains multiple vulnerabilities that could allow an unauthenticated, remote attacker to bypass security restrictions or execute arbitrary code.

Description
 
Security researchers have released details on multiple new instances of certain types of vulnerabilities in Oracle Java. The vulnerabilities result from flaws similar to recent vulnerabilities that take advantage of various Java Virtual Machine (VM) components such as class loaders, bytecode verifiers, security managers, the JVM Runtime execution engine and class definition, or the garbage collector.

In addition, security risks associated with the abuse of Java Reflection Application Programming Interface (API) calls could allow an attacker to load restricted classes; obtain references to constructors, methods, or fields of a restricted class; create new object instances or methods; or get or set field values of a restricted class. Using these flaws, an attacker could access sensitive objects and bypass sandbox protections, allowing the attacker to compromise a Java VM.

The security researchers have released 28 examples of proof-of-concept code that could allow a complete compromise of the Java security sandbox. A further 17 examples of proof-of-concept code are related to Oracle Java SE, Apple QuickTime for Java, and IBM Java. The exploit vectors include a call to the getField method and the sun.awt.SunToolkit class, a call to the java.lang.invoke.MethodHandles.Lookup class, remote server-side code execution by way of a Remote Method Invocation (RMI) protocol attack, and an improperly implemented XML Beans decoder.

Some of these vulnerabilities are due to insecure use of the invoke method of java.lang.reflect.Method in product-specific packages. Numerous partial security bypass vulnerabilities due to the insecure or improper use of method objects of restricted classes were also identified.
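Added illustration, not code from the bulletin or from the researchers: a small Java program showing the two SecurityManager checks that stand between sandboxed code and the reflection abuse described above, assuming a JDK 8-era runtime (SecurityManager is deprecated and disabled by default in later releases); SandboxDemo and Secret are hypothetical names.

```java
import java.lang.reflect.Field;
import java.util.concurrent.Callable;

public class SandboxDemo {
    // Hypothetical class standing in for a "restricted" object; the value is a constructed sample.
    static class Secret {
        private String token = "constructed-sample-value";
    }

    // Reflective read of a private field. setAccessible(true) asks the
    // SecurityManager for ReflectPermission("suppressAccessChecks"), which
    // the default sandbox policy does not grant.
    static String readPrivateField() throws Exception {
        Field f = Secret.class.getDeclaredField("token");
        f.setAccessible(true);
        return (String) f.get(new Secret());
    }

    // Loading a class from a restricted package: the application class loader
    // calls SecurityManager.checkPackageAccess("sun.awt"), which requires
    // RuntimePermission("accessClassInPackage.sun.awt"). initialize=false keeps
    // AWT native code out of the picture so only the access check is exercised.
    static Class<?> loadRestrictedClass() throws Exception {
        return Class.forName("sun.awt.SunToolkit", false, SandboxDemo.class.getClassLoader());
    }

    // Run one action and report whether the sandbox allowed or blocked it.
    static void attempt(String what, Callable<?> action) {
        try {
            Object result = action.call();
            System.out.println(what + ": allowed (" + result + ")");
        } catch (SecurityException e) {   // AccessControlException is a SecurityException
            System.out.println(what + ": blocked by SecurityManager: " + e.getMessage());
        } catch (Exception e) {
            System.out.println(what + ": failed: " + e);
        }
    }

    public static void main(String[] args) {
        // Trusted application code with no SecurityManager: both actions succeed.
        attempt("private field, no sandbox", SandboxDemo::readPrivateField);
        attempt("sun.awt.SunToolkit, no sandbox", SandboxDemo::loadRestrictedClass);

        // Install the default SecurityManager, as the browser plug-in did for applets.
        System.setSecurityManager(new SecurityManager());
        attempt("private field, sandboxed", SandboxDemo::readPrivateField);
        attempt("sun.awt.SunToolkit, sandboxed", SandboxDemo::loadRestrictedClass);
    }
}
```

The sandbox-bypass techniques in the bulletin are the cases where code obtained the same reflective access without tripping either of these checks, which is why the bulletin treats the plug-in sandbox itself as untrustworthy and recommends disabling Java in browsers.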

Although Oracle has addressed many of these vulnerabilities in multiple Java SE critical patch advisories, reports have indicated that a few of these vulnerabilities remain unpatched.

Proof-of-concept code that could aid attackers in building functional exploits is publicly available.

Administrators are advised to contact the vendor regarding future updates and releases.

Users are advised to disable Java content in web browsers through the Java control panel applet.

Administrators may consider disabling Java and the Java plug-in in web browsers. Instructions for disabling Java in web browsers are available at the following links:

    •    Safari
    •    Chrome
    •    Firefox
    •    Internet Explorer

Administrators may consider uninstalling Java.

Signatures

Cisco Intrusion Prevention System (IPS) 6.0

Signature ID | Signature Name                                     | Release | Latest Release Date
4164/0       | IBM Java com.ibm.rmi.util.ProxyUtil Sandbox Breach | S752    | 2013 Nov 06
Alert History
 
Initial Release


Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
Sun Microsystems, Inc. Java Development Kit (JDK) 6.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13, Update 14, Update 15, Update 16, Update 17, Update 18, Update 19, Update 20, Update 21, Update 22, Update 23, Update 24, Update 25, Update 26, Update 27, Update 28, Update 29, Update 30, Update 31, Update 32, Update 33, Update 34, Update 35, Update 37, Update 38, Update 39 | 7.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13
Sun Microsystems, Inc. Java Runtime Environment (JRE) 1.4.2 Base, _01, _02, _03, _04, _05, _06, _07, _08, _09, _10, _11, _12, _13, _14, _15, _16, _17, _18, _19, _20, _21, _22, _23, _24, _25, _26, _27, _28, _29, _30, _31, _32, _33, _34, _35, _36, _37, _38, _39, _40, _41 | 1.5.0 Base, .02 | 1.7.0 Base | 5.0.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13, Update 14, Update 15, Update 16, Update 17, Update 18, Update 19, Update 20, Update 21, Update 22, Update 23, Update 24, Update 25, Update 26, Update 27, Update 28, Update 29, Update 30, Update 31, Update 32, Update 33, Update 34, Update 35, Update 36, Update 37, Update 38, Update 39 | 6.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 10, Update 11, Update 12, Update 13, Update 14, Update 15, Update 16, Update 17, Update 18, Update 19, Update 20, Update 21, Update 22, Update 23, Update 24, Update 25, Update 26, Update 27, Update 28, Update 29, Update 30, Update 31, Update 32, Update 33, Update 34, Update 35, .36, .37, .38, Update 39 | 7.0 Base, Update 1, Update 2, Update 3, Update 4, Update 5, Update 6, Update 7, Update 8, Update 9, Update 10, Update 11, Update 12, Update 13

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.