Quick write up discussing how you can harden OS X to protect yourself from the recent Java vulnerability.
36bfdf78c6bf5ae2dde784a8130e4b9a24a88e86824fa590483c0cd9490d32e0HITBSecConf2006 Presentation - Pentesting Java/J2EE - Discovering Remote Holes.
1415cf54b295ce5b73fb813b0ebf680add2c464363512687c557911aa8ecc12aOpera 8.50 is susceptible to a denial of service condition via an applet.
935a51472ab3bd6c59b138c3c68c739c9d4623061a00d164c3b0f659f1aea147There is a vulnerability with how JDK is used with Parosproxy that allows the JDBC to be used as an attack path.
4f3fa44948cb97b0233e4284486e6b495f394d9dbae1b2fe29d244a601741407Advisory regarding the ability to denial of service JBoss 4.0.2 with serialized java object due to vulnerabilities in JDK 1.4.2.
fb2df7f6d6ed871ffdb6e6a6ce634c2afd1a1a8f0e55f406bcd1e6987245d89fSecure Java Programming - The talk is about the causes and effects of coding errors and the techniques to detect them, demonstrated with findings in the current Sun JDK.
bfb10720627d3dc700ef445feae88f44314c35a60fde542354635e8898180b8cXcon 2005: Java & Secure Programming
d6b3ac72fd172c204d6d57072918910fec85af743030e6cc24440b1c52cf37ddJBoss jBPM suffers from a remote command execution flaw that allows a remote attacker to execute commands with the rights of the JBoss process.
b6366cd9f0cc53fbd4d73248a7eb8dce5d3fc8b82e395db714cead860175645dMacOSX Java Runtime Environment Remote Denial of Service. Java SDK and JRE contain a flaw which crops up when objects are being de-serialized. This affects servers which are remotely getting data fed over RMI/IIOP, as well as "evil applet" attacks where a user can be persuaded to visit a site and attempt to load an applet.
9240b9c36216337500ad4e6dfbbd857f177a6bbbc8ca8a2b74647cc9add4b812A vulnerability in the Java Runtime Environment (JRE) involving object deserialization could be exploited remotely to cause the Java Virtual Machine to become unresponsive, which is a type of Denial-of-Service (DoS). This issue can affect the JRE if an application that runs on it accepts serialized data from an untrusted source. Includes Sun advisory announcing release of JDK 1.4.2_06 and a note from Marc Shoenefeld who discovered the flaw.
9cf73029ae65a9c940c9cc21f96e0bd049756e8dd0f54bec1a662a8e2357de33Opera 7.54 is vulnerable to leakage of the java sandbox, allowing malicious applets to gain privileges. This allows for information gathering as well as denial of service effects.
1f4ec2410d1b05e6a1c8e4034bf16cf1d34b5675d0c35d73f31016c81d7cf149Sun Security Advisory - The XSLT processor included with the Java Runtime Environment (JRE) may allow an untrusted applet to read data from another applet that is processed using the XSLT processor and may allow the untrusted applet to escalate privileges. All variants of Sun Java JRE 1.4.x and Sun Java SDK 1.4.x are affected, except releases 1.4.2_05 and above.
441d16f4938f5f20a31b65a37e706bd5bb719aa73130e7418c55e5fea7934e5dThe Microsoft Java Virtual Machine suffers from a cross-site communication vulnerability that allows Java applets originating from different domains to communicate.
1ac451abafed1ae8f6d56e153fc9d3e676e21a33c0eeff20a26841bdf18887e3Sun-Java-App-Server PE version 8.0 suffers from a path disclosure vulnerability when returning server error 500 pages.
80f7cd44aca210a567313a3abe3eec919dc378cf120eb973210189e875ca9082IBM cloudscape SQL Database (DB2J) version 5.1 on Windows with jdk 1.4.2 is vulnerable to remote command injection, denial of service attacks, and information leakage via specially crafted SQL statements.
c978f42930b6ec8b774c8919d065e66eb3f5f2a2502016807c1aba06dba01d78Attached is an exploit that crashes the Pointbase 4.6 database server that comes with the J2EE reference implementation. It is caused by fact that the Pointbase installation coming with j2ee/ri 1.4. is not equipped with an appropriate security manager, thus giving all jars implicitly all permissions. These unlimited permissions can be exploited by an attacker using jdbc to crash the jvm running the pointbase server. Further exploitations possible are information disclosure and remote command injection.
dce14b7ba6ef63416061596683c967a3e51ca10f2c1f0204a348921ccdd803caIllegalaccess.org Security Alert - Openoffice 1.1.0 is vulnerable to a denial of service attack when enabled and a TCP connection to the daemon gets fed a bunch of zeroes.
f0e475822a5cb5d02bafd4ef52b5d3bcc86b303db8dcd07cd2bef486b0ce779bIllegalaccess.org Security Alert - JBoss 3.2.1, the Java server for running J2EE enterprise applications, is vulnerable to denial of service attacks, log manipulation, manipulation of process variables, and arbitrary command injection.
55f58d333af30e5d98fa812f5f028f618ac98fb90bf33ce53c06b5ffbb621018Boss 3.2.1 with Jetty is vulnerable to full JSP source code disclosure when using a null byte.
5fa351f9ce58e57f2eea703a4be52cd1c81ec605244c7ecb9a5c8efb1cfdf9cfA specially constructed Java Applet crashes Opera versions 6.05 and 7.01. Opera's own class files in the opera.jar library are susceptible to a buffer overrun which causes a JVM crash and then crashes Opera.
348fa9d0eb2e4f65de49b13f851cd88cba36942bf730efaae4b722eecbce6fa8This simple java program crashes the VM (at least 1.3.1-b24) on W2K, and is another example of Java-Frontier Bugs.
6f26c966da14268cd5e14f4a814470f95cfd0613135a33dbef76e8ce95c142f9
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed