【TWCERT/CC安全通報】TW-CA-2005-028-[Sun(sm) Alert Notification

看板NetSecurity (資安資訊安全)作者Lan.時間20年前 (2005/03/10 21:32)推噓0(0推 0噓 0→)

留言0則, 0人參與討論串1/1

※ 本文轉錄自 [Lan] 信箱作者: twcert@cert.org.tw (TWCERT/CC Fellows) 標題: 【TWCERT/CC安全通報】TW-CA-2005-028-[Sun(sm) A 時間: Thu Mar 10 16:32:41 2005 -----BEGIN PGP SIGNED MESSAGE----- TW-CA-2005-028-[Sun(sm) Alert Notification #57707: Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability] ──────────────────────────────────────── TWCERT/CC發布日期：2005-03-10 原漏洞發布日期：2004-12-20 原漏洞最新更新日期：2004-01-07 通用安全漏洞編號：分類：Dos, 來源參考：Sun(sm) Alert Notification #57707 ──── 簡述 ───────────────────────────────── ──── 說明 ───────────────────────────────── Java Runtime Environment (JRE) 在object deserialization (物件讀取)中存在一個安全弱點。攻擊者可利用此弱點進行遠端攻擊，進而造成 Java 虛擬機器變成無回應的狀態，這是一種阻斷服務攻擊。本安全議題會影響正在執行接收不可靠來源 serialized data 的 JRE。 ──── 影響平台 ─────────────────────────────── 此議題可能影響下列發行版本： Windows, Sloaris 與 Linux 的 SDK 和 JRE 1.4.2_05 以前的版本，以及所有 1.4.1 至 1.4.2 的版本注意：JDK 與 JRE 5.0 的版本和 1.4 以前的版本不受本議題影響。要確認系統中使用的 Java 之版本，可依下列指令進行確認： % java -fullversion java full version "1.4.1_06-b01" ──── 修正方式 ─────────────────────────────── 暫時解決方法：無暫時性解決方法，請參閱 "解決方法"。解決方法：此議題已於下列版本中解決： Windows, Sloaris 與 Linux 的 SDK 和 JRE 1.4.2_06 以及更新的版本最新的J2SE可以下列網址取得：．J2SE 5.0 網址http://java.sun.com/j2se/1.5.0/download.jsp ．J2SE 1.4.2_06 網址http://java.sun.com/j2se/1.4.2/download.html 以及　http://java.com/ ──── 影響結果 ─────────────────────────────── Java Runtime Environment (JRE)會變成無回應的狀態。 ──── 聯絡TWCERT/CC ───────────────────────────── Tel: 886-7-5250211 FAX: 886-7-5250212 886-2-23563303 886-2-23924082 Email: twcert@cert.org.tw URL: http://www.cert.org.tw/ PGP key: http://www.cert.org.tw/eng/pgp.htm ──────────────────────────────────────── 附件：[Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability] ──── 原文 ───────────────────────────────── Sun(sm) Alert Notification Sun Alert ID: 57707 Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability Category: Security Product: Java SDK and JRE BugIDs: 5037001 Avoidance: Upgrade State: Resolved Date Released: 20-Dec-2004 Date Closed: 20-Dec-2004 Date Modified: 1. Impact A vulnerability in the Java Runtime Environment (JRE) involving object deserialization could be exploited remotely to cause the Java Virtual Machine to become unresponsive, which is a type of Denial-of-Service (DoS). This issue can affect the JRE if an application that runs on it accepts serialized data from an untrusted source. Sun acknowledges with thanks, Marc Schoenefeld, for bringing this issue to our attention. 2. Contributing Factors This issue can occur in the following releases: SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases for Windows, Solaris and Linux Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not affected by this issue. To determine the version of Java on a system, the following command can be run: % java -fullversion java full version "1.4.1_06-b01" 3. Symptoms The Java Runtime Environment (JRE) is unresponsive. Solution Summary Top 4. Relief/Workaround There is no workaround. Please see the "Resolution" section below. 5. Resolution This issue is addressed in the following releases: SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux J2SE releases are available for download at: J2SE 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp J2SE 1.4.2_06 at http://java.sun.com/j2se/1.4.2/download.html and http://java.com/ Note: It is recommended that affected versions be removed from your system. For more information, please see the installation notes on the respective java.sun.com download pages. This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. ──────────────────────────────────────── -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQEVAwUBQjAESqcyQYefg2/NAQGbnQf/TashP+rsphnrTEXBL/Y450DKbIiIy4It 1XInNitXbLoFphMGFYVZ3Bu/l+oNenZi1oSwLFBu+biFaw23OCQMrMIxt2lBb2ec 6X0d60CaGs7Qir6UJk+ejbrSZ+yCgwxdlsrVk/tE+K6WO44RO+Ce58g3bQzqp3d4 xVJ1qFY4z9Cb8aP9ahz/RCgwMkTezRT4flONx682d/KrhumI1Z62bQYPQ74SONSP w+0ua093IBeLlWqdfPJxh32LUtyWTLF0iTbkGeN2nQ7C61qZIyFMCGMERvCAYxV/ E/NbWCHVHCQY+/WYSEAs3Cxb5QElnHggldYAJ07URDSrMCT6y/OGsw== =eG7Y -----END PGP SIGNATURE----- -- Taiwan Computer Emergency Response Team Security Advisory mailing list. Mail to : Majordomo@cert.org.tw and include a line "subscribe advisory". Please visit http://www.cert.org.tw/. PGP key : http://www.cert.org.tw/eng/pgp.htm