Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24984
HistoryOct 24, 2010 - 12:00 a.m.

Java Multiple Issues

2010-10-2400:00:00
vulners.com
19
JSON

Hi all and sorry for cross post,
after several months since I contacted Oracle informing them about ten
issues on Java applet security, they finally released an Java 6 update
22 which fixes several security issues

In particular the issues are the following, sorted by impact:

* Information Disclosure:
      - 17364779 NETWORKINTERFACE HASHCODE PROBLEM
      - 17322679 JAVA APPLET DNS IP DISCLOSURE
* User Assisted Arbitrary Execution:
      - 17322757 ZERO TERMINATOR ALLOWS JNLP SHORTCUTS
      - 17322755 NEW LINES IN JNLP TITLE ARE COPIED INTO LNK FILES
* Network and WEB Attacks:
      - 17322683 HTTP REQUEST SPLITTING WITH JAVA ADDREQUESTPROPERTY
      - 17764405 DNS REBINDING ISSUE
      - 17322681 JAVA APPLET SAME IP HOST ACCESS

You can read all details here:
http://blog.mindedsecurity.com/2010/10/java-6u21-seven-issues-summary.html

Disclosure Timeline:
20th Apr - 6 May 2010: Advisories sent to Oracle
25th June 2010: Oracle Confirms all issues
12 Oct 2010: Java update 22 released which fixes 7 out of 10 issues.
11-20 Oct 2010: Minded Security Advisories pubicly disclosed.

Cheers,
Stefano Di Paola


Stefano Di Paola
Chief Technology Officer, Lead Auditor ISO 27001
Minded Security - Application Security Consulting

JSON