‘Sun Java JDK/JRE Unpack200 Buffer Overflow Vulnerability’

Summary

A Buffer Overflow vulnerability was discovered in Sun Java JDK/JRE Unpack200.’

Credit:

‘The information has been provided by Sebastien Renaud.
The original article can be found at: http://www.vupen.com/english/advisories/2010/0747


Details

Vulnerable Systems:
 * Sun Java JDK version 6 Update 18 and prior
 * Sun Java JDK version 5.0 Update 23 and prior
 * Sun Java JRE version 6 Update 18 and prior
 * Sun Java JRE version 5.0 Update 23 and prior
 * Sun Java JRE version 1.4.2_25 and prior

The flaw is caused by a buffer overflow error within the Unpack200 component when processing malformed data, which could be exploited by attackers to execute arbitrary code via a malicious archive.

Patch Availability:
Upgrade to Sun Java JDK and JRE 6 Update 19, JDK and JRE 5.0 Update 24, and JRE and SDK version 1.4.2_26 :
http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html

Disclosure Timeline:
2009-10-22 – Vendor notified
2009-10-23 – Vendor response
2010-03-31 – Coordinated public Disclosure’

Categories: News