Security Advisories and Notifications


Subject: SECURITY ADVISORY (CVE-2009-1006)
From: Oracle Corporation
Minor Subject: Multiple security vulnerabilities in JRockit
Product(s) Affected: WebLogic Server

Oracle treats potential security problems with a high degree of urgency and endeavors to take appropriate steps to help ensure the security of our customers’ systems. As a result, Oracle strongly suggests the following actions:

I. Read the following advisory.
II. Apply the suggested action.
III. If you know of any additional users interested in future security advisories, please forward them the registration instructions included in this advisory.

I. DESCRIPTION

Sun Microsystems released a security alert in December 2008. This advisory, CVE-2009-1006, covers all of the fixes made in JRockit for the issues in that alert that apply to JRockit.

The Sun advisories that were applicable to, and are fixed in, JRockit are listed below. For details on each issue, refer to the corresponding Sun advisory page:

  • CVE-2008-5345: A Security Vulnerability in the Java Runtime Environment may Allow Code Loaded From the Local Filesystem to Access LocalHost
  • CVE-2008-5347: Security Vulnerabilities in the Java Runtime Environment (JRE) JAX-WS and JAXB Packages may Allow Privileges to be Escalated
  • CVE-2008-5348: A Security Vulnerability in Java Runtime Environment (JRE) With Authenticating Users Through Kerberos May Lead to a Denial of Service (DoS)
  • CVE-2008-5349: Security Vulnerability in the Java Runtime Environment With Processing RSA Public Keys
  • CVE-2008-5350: Security Vulnerability in Java Runtime Environment May Allow Applets to List the Contents of the Current User's Home Directory
  • CVE-2008-5351: The Java Runtime Environment UTF-8 Decoder May Allow Multiple Representations of UTF-8 Input
  • CVE-2008-5352: A Buffer Overflow Vulnerability in the Java Runtime Environment (JRE) "Unpack200" JAR Unpacking Utility May Lead to Escalation of Privileges
  • CVE-2008-5353: A Security Vulnerability in the Java Runtime Environment (JRE) Related to Deserializing Calendar Objects May Allow Privileges to be Escalated
  • CVE-2008-5354: A Buffer Overflow Vulnerability in the Java Runtime Environment (JRE) May Allow Privileges to be Escalated
  • CVE-2008-5356, CVE-2008-5357, CVE-2008-5358, CVE-2008-5359: Java Runtime Environment (JRE) Buffer Overflow Vulnerabilities in Processing Image Files and Fonts May Allow Applets or Java Web Start Applications to Elevate Their Privileges
  • CVE-2008-5360: The Java Runtime Environment Creates Temporary Files That Have "Guessable" File Names

II. IMPACT AND CVSS RATINGS

CVSS (version 2) Severity Score: 10.0
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Type: Complete confidentiality, integrity and availability violation
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Note: The CVSS score shows the highest score (as calculated by NVD) of all the advisories fixed in this JRockit advisory.


III. AFFECTED VERSIONS

The following versions of Oracle JRockit are affected by these vulnerabilities:
  • JRockit R27.6.2 and earlier, SDK and JRE 1.4.2
  • JRockit R27.6.2 and earlier, JRE and JDK 5.0
  • JRockit R27.6.2 and earlier, JRE and JDK 6

IV. SUGGESTED ACTION

If you are using JRockit release R27.6.2 or earlier, Oracle strongly recommends installing R27.6.3.

Oracle JRockit releases are available at http://www.oracle.com/technology/software/products/jrockit/index.html
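How to tell which side of the fix line a JVM is on, as an added example rather than anything from Oracle's advisory: the POSIX shell script below pulls the release identifier out of `java -version` output and compares it numerically against R27.6.3. It assumes JRockit prints its release as `(build R<major>.<minor>.<patch>-...` on the JVM line of that banner; the three transcripts embedded in the script are constructed for the example, not captured from real installations.

```shell
#!/bin/sh
# Added example (not part of Oracle's advisory): classify a JVM from its
# `java -version` banner as affected (R27.6.2 or earlier), fixed (R27.6.3
# or later) or not-jrockit. Assumption: JRockit reports its release on the
# JVM line as "(build R<major>.<minor>.<patch>-...". The transcripts below
# are constructed for this example.

FIXED_RELEASE=R27.6.3

# Print the R<major>.<minor>.<patch> identifier found in version text on stdin.
# Prints nothing for a non-JRockit JVM (HotSpot, for instance), so callers can
# tell "not JRockit" apart from "JRockit at some release".
jrockit_release() {
    sed -n 's/.*JRockit.*(build \(R[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 if release $1 sorts before release $2, comparing each numeric
# component in turn (a plain string compare would put R27.10.0 before R27.6.3).
release_older_than() {
    set -- $(printf '%s %s\n' "${1#R}" "${2#R}" | tr '.' ' ')
    # $1.$2.$3 is the candidate, $4.$5.$6 the reference release
    if [ "$1" -ne "$4" ]; then [ "$1" -lt "$4" ]; return $?; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -lt "$5" ]; return $?; fi
    [ "$3" -lt "$6" ]
}

# Classify one `java -version` transcript: affected, fixed or not-jrockit.
jrockit_status() {
    rel=$(printf '%s\n' "$1" | jrockit_release)
    if [ -z "$rel" ]; then
        echo not-jrockit
    elif release_older_than "$rel" "$FIXED_RELEASE"; then
        echo affected
    else
        echo fixed
    fi
}

# Constructed transcripts in the three-line layout JRockit and HotSpot print.
SAMPLE_AFFECTED='java version "1.6.0_05"
Java(TM) SE Runtime Environment (build 1.6.0_05-b13)
BEA JRockit(R) (build R27.6.2-20_o-98577-1.6.0_05-20080924-1926-linux-ia32, compiled mode)'

SAMPLE_FIXED='java version "1.6.0_11"
Java(TM) SE Runtime Environment (build 1.6.0_11-b03)
BEA JRockit(R) (build R27.6.3-40_o-112785-1.6.0_11-20090105-2220-linux-ia32, compiled mode)'

SAMPLE_HOTSPOT='java version "1.6.0_11"
Java(TM) SE Runtime Environment (build 1.6.0_11-b03)
Java HotSpot(TM) Client VM (build 11.0-b16, mixed mode)'

# Against the live JVM (java writes its version banner to stderr):
#   jrockit_status "$(java -version 2>&1)"
for s in "$SAMPLE_AFFECTED" "$SAMPLE_FIXED" "$SAMPLE_HOTSPOT"; do
    rel=$(printf '%s\n' "$s" | jrockit_release)
    printf '%s -> %s\n' "${rel:-no JRockit build line}" "$(jrockit_status "$s")"
done
```

Run it against the JVM that WebLogic actually starts (the JAVA_HOME its domain scripts set), not necessarily the first `java` on PATH. The classifier deliberately answers `not-jrockit` rather than `fixed` when no JRockit build line is present, so an unexpected HotSpot JVM is not mistaken for a patched JRockit.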



SECURITY COMMUNICATIONS

Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as they are released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at: http://www.oracle.com/technology/software/products/ias/bea_main.html

Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.

As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.

Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Security issues can be reported to Oracle by following the directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Thank you,
Oracle Corporation