Sun Java JRE Multiple Vulnerabilities (244986 et al) - Nessus
High Plugin ID: 35030This page contains detailed information about the Sun Java JRE Multiple Vulnerabilities (244986 et al) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.
Plugin Overview
ID: 35030
Name: Sun Java JRE Multiple Vulnerabilities (244986 et al)
Filename: sun_java_jre_244986.nasl
Vulnerability Published: N/A
This Plugin Published: 2008-12-04
Last Modification Time: 2022-04-11
Plugin Version: 1.34
Plugin Type: local
Plugin Family: Windows
Dependencies:
sun_java_jre_installed.nasl
Required KB Items [?]: SMB/Java/JRE/Installed
Vulnerability Information
Severity: High
Vulnerability Published: N/A
Patch Published: 2008-12-03
CVE [?]: CVE-2008-2086, CVE-2008-5339, CVE-2008-5340, CVE-2008-5341, CVE-2008-5342, CVE-2008-5343, CVE-2008-5344, CVE-2008-5345, CVE-2008-5346, CVE-2008-5347, CVE-2008-5348, CVE-2008-5349, CVE-2008-5350, CVE-2008-5351, CVE-2008-5352, CVE-2008-5353, CVE-2008-5354, CVE-2008-5355, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358, CVE-2008-5359, CVE-2008-5360
CPE [?]: cpe:/a:oracle:jre
Exploited by Malware: True
Synopsis
The remote Windows host contains a runtime environment that is affected by multiple vulnerabilities.
Description
The version of Sun Java Runtime Environment (JRE) installed on the remote host is earlier than 6 Update 11 / 5.0 Update 17 / 1.4.2_19 / 1.3.1_24. Such versions are potentially affected by the following security issues :
- The JRE creates temporary files with insufficiently random names. (244986)
- There are multiple buffer overflow vulnerabilities involving the JRE's image processing code, its handling of GIF images, and its font processing. (244987)
- It may be possible for an attacker to bypass security checks due to the manner in which it handles the 'non-shortest form' of UTF-8 byte sequences.
- There are multiple security vulnerabilities in Java Web Start and Java Plug-in that may allow for privilege escalation. (244988)
- The JRE Java Update mechanism does not check the digital signature of the JRE that it downloads. (244989)
- A buffer overflow may allow an untrusted Java application that is launched through the commandline to escalate its privileges. (244990)
- A vulnerability related to deserializing calendar objects may allow an untrusted applet or application to escalate its privileges. (244991)
- A buffer overflow affects the 'unpack200' JAR unpacking utility and may allow an untrusted applet or application to escalate its privileges with unpacking applets and Java Web Start applications. (244992)
- The UTF-8 decoder accepts encodings longer than the 'shortest' form. Although not a vulnerability per se, it may be leveraged to exploit software that relies on the JRE UTF-8 decoder to reject the 'non-shortest form' sequence. (245246)
- An untrusted applet or application may be able to list the contents of the home directory of the user running the applet or application. (246266)
- A denial of service vulnerability may be triggered when the JRE handles certain RSA public keys. (246286)
- A vulnerability may be triggered while authenticating users through Kerberos and lead to a system-wide denial of service due to excessive consumption of operating system resources. (246346)
- Security vulnerabilities in the JAX-WS and JAXB packages where internal classes can be accessed may allow an untrusted applet or application to escalate privileges. (246366)
- An untrusted applet or application when parsing zip files may be able to read arbitrary memory locations in the process that the applet or application is running. (246386)
- The JRE allows code loaded from the local filesystem to access localhost. (246387)
Solution
Update to Sun Java JDK / JRE 6 Update 11, JDK / JRE 5.0 Update 17, SDK / JRE 1.4.2_19, or SDK / JRE 1.3.1_24 or later and remove if necessary any affected versions.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, Core Impact, D2 Elliot)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the Sun Java JRE Multiple Vulnerabilities (244986 et al) vulnerability:
- Metasploit: exploit/multi/browser/java_calendar_deserialize
[Sun Java Calendar Deserialization Privilege Escalation] - Exploit-DB: exploits/osx/remote/8753.txt
[EDB-8753: Apple Mac OSX - Java applet Remote Deserialization Remote (2)] - Exploit-DB: exploits/multiple/remote/9948.rb
[EDB-9948: Sun Java Runtime and Development Kit 6 Update 10 - Calendar Deserialization (Metasploit)] - Exploit-DB: exploits/multiple/remote/16293.rb
[EDB-16293: Sun Java - Calendar Deserialization (Metasploit)] - Exploit-DB: exploits/multiple/remote/16302.rb
[EDB-16302: Signed Applet Social Engineering - Code Execution (Metasploit)] - GitHub: https://github.com/LAIR-RCC/InfSecurityRussianNLP
[CVE-2008-5353] - GitHub: https://github.com/svartkanin/source_code_analyzer
[CVE-2008-5353] - GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/8753.tgz
[EDB-8753] - D2 Elliot: apache_tomcat_file_disclosure.html
[Apache Tomcat File Disclosure] - Immunity Canvas: CANVAS
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector [?]: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: | 9.3 (High) |
Impact Subscore: | 10.0 |
Exploitability Subscore: | 8.6 |
CVSS Temporal Score: | 8.1 (High) |
CVSS Environmental Score: | NA (None) |
Modified Impact Subscore: | NA |
Overall CVSS Score: | 8.1 (High) |
CVSS Base Score: | 8.8 (High) |
Impact Subscore: | 5.9 |
Exploitability Subscore: | 2.8 |
CVSS Temporal Score: | 8.4 (High) |
CVSS Environmental Score: | NA (None) |
Modified Impact Subscore: | NA |
Overall CVSS Score: | 8.4 (High) |
Go back to menu.
Plugin Source
This is the sun_java_jre_244986.nasl nessus plugin source code. This script is Copyright (C) 2008-2022 Tenable Network Security, Inc.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
if (NASL_LEVEL < 3000) exit(0);
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(35030);
script_version("1.34");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id(
"CVE-2008-2086",
"CVE-2008-5339",
"CVE-2008-5340",
"CVE-2008-5341",
"CVE-2008-5342",
"CVE-2008-5343",
"CVE-2008-5344",
"CVE-2008-5345",
"CVE-2008-5346",
"CVE-2008-5347",
"CVE-2008-5348",
"CVE-2008-5349",
"CVE-2008-5350",
"CVE-2008-5351",
"CVE-2008-5352",
"CVE-2008-5353",
"CVE-2008-5354",
"CVE-2008-5355",
"CVE-2008-5356",
"CVE-2008-5357",
"CVE-2008-5358",
"CVE-2008-5359",
"CVE-2008-5360"
);
script_bugtraq_id(
30633,
32608,
32620,
32892
);
script_name(english:"Sun Java JRE Multiple Vulnerabilities (244986 et al)");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a runtime environment that is
affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of Sun Java Runtime Environment (JRE) installed on the
remote host is earlier than 6 Update 11 / 5.0 Update 17 / 1.4.2_19 /
1.3.1_24. Such versions are potentially affected by the following
security issues :
- The JRE creates temporary files with insufficiently
random names. (244986)
- There are multiple buffer overflow vulnerabilities
involving the JRE's image processing code, its
handling of GIF images, and its font processing.
(244987)
- It may be possible for an attacker to bypass security
checks due to the manner in which it handles the
'non-shortest form' of UTF-8 byte sequences.
- There are multiple security vulnerabilities in Java
Web Start and Java Plug-in that may allow for privilege
escalation. (244988)
- The JRE Java Update mechanism does not check the digital
signature of the JRE that it downloads. (244989)
- A buffer overflow may allow an untrusted Java
application that is launched through the commandline to
escalate its privileges. (244990)
- A vulnerability related to deserializing calendar
objects may allow an untrusted applet or application to
escalate its privileges. (244991)
- A buffer overflow affects the 'unpack200' JAR unpacking
utility and may allow an untrusted applet or application
to escalate its privileges with unpacking applets and
Java Web Start applications. (244992)
- The UTF-8 decoder accepts encodings longer than the
'shortest' form. Although not a vulnerability per se,
it may be leveraged to exploit software that relies on
the JRE UTF-8 decoder to reject the 'non-shortest form'
sequence. (245246)
- An untrusted applet or application may be able to list
the contents of the home directory of the user running
the applet or application. (246266)
- A denial of service vulnerability may be triggered when
the JRE handles certain RSA public keys. (246286)
- A vulnerability may be triggered while authenticating
users through Kerberos and lead to a system-wide denial
of service due to excessive consumption of operating
system resources. (246346)
- Security vulnerabilities in the JAX-WS and JAXB packages
where internal classes can be accessed may allow an
untrusted applet or application to escalate privileges.
(246366)
- An untrusted applet or application when parsing zip
files may be able to read arbitrary memory locations in
the process that the applet or application is running.
(246386)
- The JRE allows code loaded from the local filesystem to
access localhost. (246387)");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019736.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019737.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019738.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019739.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019740.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019741.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019742.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019759.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019793.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019794.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019797.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019798.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019799.1.html");
script_set_attribute(attribute:"see_also", value:"https://download.oracle.com/sunalerts/1019800.1.html");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/java/javase/6u11-139394.html");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/java/javase/releasenotes-142123.html");
script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/java/javase/releasenotes-138306.html");
script_set_attribute(attribute:"solution", value:
"Update to Sun Java JDK / JRE 6 Update 11, JDK / JRE 5.0 Update 17,
SDK / JRE 1.4.2_19, or SDK / JRE 1.3.1_24 or later and
remove if necessary any affected versions.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"d2_elliot_name", value:"Apache Tomcat File Disclosure");
script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Sun Java Calendar Deserialization Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_cwe_id(94, 119, 189, 200, 264, 287);
script_set_attribute(attribute:"patch_publication_date", value:"2008/12/03");
script_set_attribute(attribute:"plugin_publication_date", value:"2008/12/04");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2008-2022 Tenable Network Security, Inc.");
script_dependencies("sun_java_jre_installed.nasl");
script_require_keys("SMB/Java/JRE/Installed");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
# Check each installed JRE.
installs = get_kb_list("SMB/Java/JRE/*");
if (isnull(installs)) exit(1, "The 'SMB/Java/JRE/' KB item is missing.");
info = "";
vuln = 0;
installed_versions = "";
foreach install (list_uniq(keys(installs)))
{
ver = install - "SMB/Java/JRE/";
if (ver =~ "^[0-9.]+")
installed_versions = installed_versions + " & " + ver;
if (
ver =~ "^1\.6\.0_(0[0-9]|10)([^0-9]|$)" ||
ver =~ "^1\.5\.0_(0[0-9]|1[0-6])([^0-9]|$)" ||
ver =~ "^1\.4\.([01]_|2_(0[0-9]|1[0-8]([^0-9]|$)))" ||
ver =~ "^1\.3\.(0_|1_([01][0-9]|2[0-3]([^0-9]|$)))"
)
{
dirs = make_list(get_kb_list(install));
vuln += max_index(dirs);
foreach dir (dirs)
info += '\n Path : ' + dir;
info += '\n Installed version : ' + ver;
info += '\n Fixed version : 1.6.0_11 / 1.5.0_17 / 1.4.2_19 / 1.3.1_24\n';
}
}
# Report if any were found to be vulnerable.
if (info)
{
port = get_kb_item("SMB/transport");
if (!port) port = 445;
if (report_verbosity > 0)
{
if (vuln > 1) s = "s of Java are";
else s = " of Java is";
report =
'\n' +
'The following vulnerable instance'+s+' installed on the\n' +
'remote host :\n' +
info;
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
else
{
installed_versions = substr(installed_versions, 3);
if (" & " >< installed_versions)
exit(0, "The Java "+installed_versions+" installs on the remote host are not affected.");
else
exit(0, "The Java "+installed_versions+" install on the remote host is not affected.");
}
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/sun_java_jre_244986.nasl
- Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\sun_java_jre_244986.nasl
- Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/sun_java_jre_244986.nasl
Go back to menu.
How to Run
Here is how to run the Sun Java JRE Multiple Vulnerabilities (244986 et al) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Windows plugin family.
- On the right side table select Sun Java JRE Multiple Vulnerabilities (244986 et al) plugin ID 35030.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl sun_java_jre_244986.nasl -t <IP/HOST>
Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a sun_java_jre_244986.nasl -t <IP/HOST>
Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - sun_java_jre_244986.nasl -t <IP/HOST>
Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state sun_java_jre_244986.nasl -t <IP/HOST>
Go back to menu.
References
BID | SecurityFocus Bugtraq ID: CWE | Common Weakness Enumeration:
- CWE-94 (Weakness) Improper Control of Generation of Code ('Code Injection')
- CWE-119 (Weakness) Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-189 (Category) Numeric Errors
- CWE-200 (Weakness) Exposure of Sensitive Information to an Unauthorized Actor
- CWE-264 (Category) Permissions, Privileges, and Access Controls
- CWE-287 (Weakness) Improper Authentication
- https://www.tenable.com/plugins/nessus/35030
- https://download.oracle.com/sunalerts/1019736.1.html
- https://download.oracle.com/sunalerts/1019737.1.html
- https://download.oracle.com/sunalerts/1019738.1.html
- https://download.oracle.com/sunalerts/1019739.1.html
- https://download.oracle.com/sunalerts/1019740.1.html
- https://download.oracle.com/sunalerts/1019741.1.html
- https://download.oracle.com/sunalerts/1019742.1.html
- https://download.oracle.com/sunalerts/1019759.1.html
- https://download.oracle.com/sunalerts/1019793.1.html
- https://download.oracle.com/sunalerts/1019794.1.html
- https://download.oracle.com/sunalerts/1019797.1.html
- https://download.oracle.com/sunalerts/1019798.1.html
- https://download.oracle.com/sunalerts/1019799.1.html
- https://download.oracle.com/sunalerts/1019800.1.html
- https://www.oracle.com/technetwork/java/javase/6u11-139394.html
- https://www.oracle.com/technetwork/java/javase/releasenotes-138306.html
- https://www.oracle.com/technetwork/java/javase/releasenotes-142123.html
- https://vulners.com/nessus/SUN_JAVA_JRE_244986.NASL
- 35046 - Fedora 9 : java-1.6.0-openjdk-1.6.0.0-0.20.b09.fc9 (2008-10860)
- 37147 - Fedora 10 : java-1.6.0-openjdk-1.6.0.0-7.b12.fc10 (2008-10913)
- 42834 - GLSA-200911-02 : Sun JDK/JRE: Multiple vulnerabilities
- 43142 - HP-UX PHSS_40374 : s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 25
- 43143 - HP-UX PHSS_40375 : s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 25
- 39435 - Mac OS X : Java for Mac OS X 10.5 Update 4
- 39766 - Mac OS X : Java for Mac OS X 10.4 Release 9
- 40731 - RHEL 4 / 5 : java-1.6.0-sun (RHSA-2008:1018)
- 40732 - RHEL 4 / 5 : java-1.5.0-sun (RHSA-2008:1025)
- 40737 - RHEL 4 / 5 : java-1.6.0-ibm (RHSA-2009:0015)
- 40738 - RHEL 4 / 5 : java-1.5.0-ibm (RHSA-2009:0016)
- 40743 - RHEL 3 / 4 / 5 : java-1.4.2-ibm (RHSA-2009:0445)
- 43843 - RHEL 4 / 5 : java-1.5.0-ibm (RHSA-2009:0466)
- 53539 - RHEL 4 : Sun Java Runtime in Satellite Server (RHSA-2009:1662)
- 64828 - Sun Java JRE Multiple Vulnerabilities (244986 et al) (Unix)
- 39997 - openSUSE Security Update : java-1_5_0-sun (java-1_5_0-sun-375)
- 40002 - openSUSE Security Update : java-1_6_0-sun (java-1_6_0-sun-376)
- 40235 - openSUSE Security Update : java-1_5_0-sun (java-1_5_0-sun-375)
- 40238 - openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-578)
- 40241 - openSUSE Security Update : java-1_6_0-sun (java-1_6_0-sun-376)
- 41404 - SuSE 11 Security Update : IBM Java 1.4.2 (SAT Patch Number 735)
- 41263 - SuSE9 Security Update : Sun Java (YOU Patch Number 12321)
- 41268 - SuSE9 Security Update : IBM Java5 JRE and SDK (YOU Patch Number 12336)
- 41289 - SuSE9 Security Update : IBM Java2 JRE and SDK (YOU Patch Number 12387)
- 41525 - SuSE 10 Security Update : IBM Java 1.4.2 (ZYPP Patch Number 6136)
- 41526 - SuSE 10 Security Update : Sun Java 1.4.2 (ZYPP Patch Number 5852)
- 41527 - SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 5960)
- 35305 - openSUSE 10 Security Update : java-1_5_0-sun (java-1_5_0-sun-5875)
- 35306 - openSUSE 10 Security Update : java-1_6_0-sun (java-1_6_0-sun-5876)
- 37381 - Ubuntu 8.10 : OpenJDK vulnerabilities (USN-713-1)
- 42179 - VMSA-2009-0014 : VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues
- 89116 - VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0014) (remote check)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file sun_java_jre_244986.nasl version 1.34. For more plugins, visit the Nessus Plugin Library.
Go back to menu.