-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2011-0016
Title: Oracle Java SE CVE-2011-3545 Remote Java Runtime Environment Vulnerability
Version history: 18.11.2011 Initial publication

Summary
=======

Oracle Java SE is prone to a remote vulnerability in the Java Runtime
Environment [1]. A commercial exploit is available through VUPEN Security;
urgency raised.

CVE-2011-3544 (Candidate)

Severity Level [3]:
  CVSS2 Base:      10
  Remote:          Yes
  Local:           No
  Credibility:     Vendor Confirmed
  Ease:            Exploit Available
  Authentication:  Not Required

Potential impact
================

An attacker can exploit this issue to execute arbitrary code in the context
of the current user.

1. An attacker constructs a malicious Java application designed to leverage
   this issue.
2. The attacker distributes the application or hosts it and entices an
   unsuspecting victim to run it.
3. When the application is run, attacker-supplied code executes on the
   victim's computer.

Vulnerable Systems
==================

Among others:

Apple Mac OS X 10.6.8 and earlier
Apple Mac OS X 10.7
Apple Mac OS X 10.7.1
Apple Mac OS X 10.7.2
Apple Mac OS X Server 10.6.8 and earlier
Apple Mac OS X Server 10.7
Apple Mac OS X Server 10.7.1
Apple Mac OS X Server 10.7.2
Avaya Aura Conferencing 6.0 Standard
Avaya Aura Conferencing 6.0.0 Standard
Gentoo Linux
Oracle JRockit R27.x.x
Oracle JRockit R28.0.0
Oracle JRockit R28.0.1
Oracle JRockit R28.1.1
Oracle JRockit R28.1.3
Oracle JRockit R28.1.4
Panda Antivirus 1.4.2_x
Panda Antivirus 1.5.0 Update 14 to Update 25
Panda Antivirus 1.6.0 Update 1 to Update 21
Red Hat Desktop Extras 4
Red Hat Enterprise Linux AS Extras 4
Red Hat Enterprise Linux Desktop Supplementary 5 client
Red Hat Enterprise Linux Desktop Supplementary 6
Red Hat Enterprise Linux ES Extras 4
Red Hat Enterprise Linux Extras 4
Red Hat Enterprise Linux HPC Node Supplementary 6
Red Hat Enterprise Linux Server Supplementary 6
Red Hat Enterprise Linux Supplementary 5 server
Red Hat Enterprise Linux Workstation Supplementary 6
Red Hat Enterprise Linux WS Extras 4
Sun JDK (Linux Production Release) 1.5.0 Update 13 to Update 25
cpe:/a:sun:jdk:1.6.0:update_7 (NVD)
Sun JDK (Linux Production Release) 1.4.2
Sun JDK (Linux Production Release) 1.5.x
Sun JDK (Linux Production Release) 1.6.x
Sun JDK (Solaris Production Release) 1.4.2
Sun JDK (Solaris Production Release) 1.5.x .0_03
Sun JDK (Solaris Production Release) 1.6.x
Sun JDK (Windows Production Release) 1.4.2
Sun JDK (Windows Production Release) 1.5.x
Sun JDK (Windows Production Release) 1.6.x
Sun JRE (Linux Production Release) 1.4.2
Sun JRE (Solaris Production Release) 1.4.2
Sun JRE (Windows Production Release) 1.4.2
Sun JRE (Linux Production Release) 1.4.2_01
Sun JRE (Solaris Production Release) 1.4.2_01
Sun JRE (Windows Production Release) 1.4.2_01
Sun JRE (Linux Production Release) 1.4.2_02
Sun JRE (Solaris Production Release) 1.4.2_02
Sun JRE (Windows Production Release) 1.4.2_02
Oracle Oracle10g Application Server 10.1.0.0.2
Oracle Oracle10g Enterprise Edition 10.1.0.0.2
Oracle Oracle10g Personal Edition 10.1.0.0.2
Oracle Oracle10g Standard Edition 10.1.0.0.2
Sun JRE (Linux Production Release) 1.4.2_03
Sun JRE (Solaris Production Release) 1.4.2_03
Sun JRE (Windows Production Release) 1.4.2_03
Opera Software Opera Web Browser 7.54.0
Sun JRE (Linux Production Release) 1.4.2_04
Sun JRE (Solaris Production Release) 1.4.2_04
Sun JRE (Windows Production Release) 1.4.2_04
Microsoft Windows 2000 Professional
Microsoft Windows 98SE
Microsoft Windows NT 4.0
Sun JRE (Linux Production Release) 1.4.2_05
Sun JRE (Solaris Production Release) 1.4.2_05
Sun Solaris 2.6
Sun Solaris 2.6_x86
Sun Solaris 7.0
Sun Solaris 7.0_x86
Sun Solaris 8_x86
Sun Solaris 8_sparc
Sun JRE (Linux Production Release) 1.4.2_x
Sun JRE (Solaris Production Release) 1.4.2_x
Sun JRE (Windows Production Release) 1.4.2_x
Sun JRE (Linux Production Release) 1.5.0_x
Sun JRE (Solaris Production Release) 1.5.0_x
Sun JRE (Windows Production Release) 1.5.0_x
Sun JRE (Linux Production Release) 1.6.0_x
Sun JRE (Solaris Production Release) 1.6.0_x
Sun JRE (Windows Production Release) 1.6.0_x
Sun SDK (Linux Production Release) 1.4.2_x
Sun SDK (Solaris Production Release) 1.4.2_x
Sun SDK (Windows Production Release) 1.4.2_x

Non-Vulnerable Systems
----------------------

Sun JDK (Linux Production Release) 1.5.0_32
Sun JDK (Linux Production Release) 1.6.0_28
cpe:/a:sun:jdk:1.6.0:linux:28
Sun JDK (Solaris Production Release) 1.5.0_32
Sun JDK (Solaris Production Release) 1.6.0_28
Sun JDK (Windows Production Release) 1.5.0_32
Sun JDK (Windows Production Release) 1.6.0_28
Sun JRE (Linux Production Release) 1.5.0_32
Sun JRE (Linux Production Release) 1.6.0_28
Sun JRE (Solaris Production Release) 1.5.0_32
Sun JRE (Solaris Production Release) 1.6.0_28
Sun JRE (Windows Production Release) 1.5.0_32
Sun JRE (Windows Production Release) 1.6.0_28

What can you do?
================

Solutions:

Fixes are available [2].

Work-arounds:

Block external access at the network boundary, unless external parties
require service.
  Filter access to the affected computer at the network boundary if global
  access isn't needed. Restricting access to only trusted computers and
  networks might greatly reduce the likelihood of a successful exploit.

Deploy network intrusion detection systems to monitor network traffic for
malicious activity.
  Deploy NIDS to monitor network traffic for signs of anomalous or
  suspicious activity, including unexplained incoming and outgoing traffic.
  This may indicate exploit attempts or activity that results from
  successful exploits.

Do not follow links provided by unknown or untrusted sources.
  Web users should be cautious about following links to sites that are
  provided by unfamiliar or suspicious sources. Filtering HTML from emails
  may help remove a possible vector for transmitting malicious links to
  users.

Set web browser security to disable the execution of script code or active
content.
  Disabling the execution of script code in the browser may limit exposure
  to this and other latent vulnerabilities.

Run all software as a nonprivileged user with minimal access rights.
  To limit the impact of latent vulnerabilities, configure applications to
  run as a nonadministrative user with minimal access rights.

What to tell your users?
========================

Normal security best practices apply. In particular, inform your Web users
to be cautious about following links to sites provided by unfamiliar or
suspicious sources, not to click on links in suspicious emails, and to
immediately forward such emails to the respective IT security officer /
contact in your institution.
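The advisory's "Solutions" entry points at the Oracle update, and its
"Non-Vulnerable Systems" list names the first fixed update levels
(1.5.0_32 for Java 5, 1.6.0_28 for Java 6). The script below is an added
example, not part of the CERT-EU advisory, that an administrator can run on
a host to check whether the installed JRE has reached those levels. It
assumes that "java -version" prints the version in its usual quoted form
(e.g. java version "1.6.0_26"); the function names and the constructed
version strings are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): compare a Java version string with
# the fixed update levels listed under "Non-Vulnerable Systems".

FIXED_UPDATE_15=32   # Java 5: 1.5.0_32 is the first fixed update (per the advisory)
FIXED_UPDATE_16=28   # Java 6: 1.6.0_28 is the first fixed update (per the advisory)

# java_is_fixed VERSION
# Exit status 0: VERSION is at or above the fixed update for its family.
# Exit status 1: VERSION is below it, or the family has no fixed release
#                listed (the advisory lists none for 1.4.2).
# Exit status 2: the family is not covered by the advisory at all.
java_is_fixed() {
    ver=$1
    family=${ver%%_*}                    # "1.6.0_26-b03" -> "1.6.0"
    update=${ver#*_}                     # "1.6.0_26-b03" -> "26-b03"
    [ "$update" = "$ver" ] && update=0   # no "_update" suffix at all
    update=${update%%-*}                 # drop a build suffix: "26-b03" -> "26"
    case "$update" in
        ''|*[!0-9]*) update=0 ;;         # non-numeric: treat as update 0
    esac
    case "$family" in
        1.5.0) [ "$update" -ge "$FIXED_UPDATE_15" ] ;;
        1.6.0) [ "$update" -ge "$FIXED_UPDATE_16" ] ;;
        1.4.2) return 1 ;;               # no fixed 1.4.2 release is listed
        *)     return 2 ;;
    esac
}

# installed_java_version: pull the quoted version out of "java -version",
# which prints to stderr (assumed output shape: java version "1.6.0_26").
installed_java_version() {
    java -version 2>&1 | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Report on the local JRE when one is on PATH; skipped on hosts without
# Java so the script still runs there.
if command -v java >/dev/null 2>&1; then
    v=$(installed_java_version)
    if java_is_fixed "$v"; then
        echo "Java $v: at or above the fixed update level"
    else
        echo "Java $v: below the fixed update level, apply the Oracle update [2]"
    fi
fi
```

The check only reads the JRE that is first on PATH; a host with several
installed Java families (browser plug-ins, bundled JREs) needs the same
function applied to each binary.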
More information
================

[1] http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
[2] http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
[3] CVSS details:

    CVSS Version 2 Scores
      CVSS2 Base:             10
      CVSS2 Temporal:         8.3
      CVSS2 Base Vector:      AV:N/AC:L/Au:N/C:C/I:C/A:C
      CVSS2 Temporal Vector:  E:F/RL:OF/RC:C

    More information about CVSS is available at:
    http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJOxmMVOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4M0zg//dK7Pnt9v
KE4n/pMlIjWwEmzQ6xOUkOSfdF9QPGmYj5XSjopl0xhOT4AQNvUjTgnjre/ysEQ+
RzHNO1OKNGrOOyVA3KU/6bdb6kg75xWEe1PktjVYEKuXf3AQ5/wW6J5Gwca87jii
Uo3RolBTLI3Bns85OGlN+EXUx4Ardx92ygxqfxXEZ8Kqlj/KIiaF2K88lXq6Lo7F
9TgYnnvVPy8EJ54OLjDYqr09TL9y4wnIcxqo2w0jG37MGBdW4IheFwzutFL85P0V
3+Wluua8IlLrxPcvQl1eTft7PXLS+JfX4j8k+6tk0fSmvPaSLwIbq/cTOgS88ZMG
KjqICw/DTKHsO/LJ3WSQZBY9iMkCqqg2cPZMbYKCM3qjxOHsu1vQvjNkD7N71RQ5
FCB3V1Yny/2hQBiarOUPPQKYr7sziyAPkZ/+11toAJ8sktN/ppdBENe4Xnz2/SnZ
+RG8rSU70dQdOpYDuPpABuQ45WHesFieGbE7X3xVFmF4CRP8ruH+w/wYCfSUrlyQ
dITKmCr4H4UEEXid3zXUiDiyMVjTyQF8AWI71tlctCpCvC/+J5vrROKnIXATR8KP
i4oKPbtEfbowYN3SwLRsrTQeodk1fXbfdTxnBTVliCf5xuf+AHmnNzQ8p1x4Keta
37bLynXgRNp6Oqc3l9y8Aww6WCaOq8YGV0o=
=xEYK
-----END PGP SIGNATURE-----