9.3- CVE-2008-5357

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Informations
Name	CVE-2008-5357	First vendor Publication	2008-12-05
Vendor	Cve	Last vendor Modification	2011-03-07

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Integer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file, which triggers a heap-based buffer overflow.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5357

CWE : Common Weakness Enumeration

id	Name
CWE-189	Numeric Errors (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:6505

Oval ID:	oval:org.mitre.oval:def:6505
Title:	Sun Java Runtime Environment TrueType font integer overflow
Description:	Integer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file, which triggers a heap-based buffer overflow.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2008-5357	Version:	1
Platform(s):	VMWare ESX Server 3.5	Product(s):
Definition Synopsis:
IF VMware ESX Server 3.5.0 is installed AND Patch ESX350-200910403-SG is not installed

CPE : Common Platform Enumeration

Type	Description	Count
Application	Sun Jdk cpe:/a:sun:jdk:6:update_3 cpe:/a:sun:jdk:6:update_7 cpe:/a:sun:jdk:6:update_1 cpe:/a:sun:jdk:6:update_2 cpe:/a:sun:jdk:6:update_9 cpe:/a:sun:jdk:6:update_10 cpe:/a:sun:jdk:6 cpe:/a:sun:jdk:6:update_4 cpe:/a:sun:jdk:6:update_8 cpe:/a:sun:jdk:6:update_5 cpe:/a:sun:jdk:6:update_6 cpe:/a:sun:jdk:5.0:update_11 cpe:/a:sun:jdk:5.0:update_13 cpe:/a:sun:jdk:5.0:update_14 cpe:/a:sun:jdk:5.0:update_3 cpe:/a:sun:jdk:5.0:update_15 cpe:/a:sun:jdk:5.0:update_6 cpe:/a:sun:jdk:5.0:update_9 cpe:/a:sun:jdk:5.0:update_8 cpe:/a:sun:jdk:5.0:update_10 cpe:/a:sun:jdk:5.0:update_1 cpe:/a:sun:jdk:5.0:update_5 cpe:/a:sun:jdk:5.0:update_16 cpe:/a:sun:jdk:5.0:update_12 cpe:/a:sun:jdk:5.0:update_4 cpe:/a:sun:jdk:5.0:update_7 cpe:/a:sun:jdk:5.0:update_2	27
Application	Sun Jre cpe:/a:sun:jre:6:update_10 cpe:/a:sun:jre:6:update_5 cpe:/a:sun:jre:6:update_1 cpe:/a:sun:jre:6:update_8 cpe:/a:sun:jre:6:update_6 cpe:/a:sun:jre:6:update_7 cpe:/a:sun:jre:6:update_9 cpe:/a:sun:jre:6:update_4 cpe:/a:sun:jre:6 cpe:/a:sun:jre:6:update_2 cpe:/a:sun:jre:6:update_3 cpe:/a:sun:jre:5.0:update_11 cpe:/a:sun:jre:5.0:update_15 cpe:/a:sun:jre:5.0:update_16 cpe:/a:sun:jre:5.0:update_6 cpe:/a:sun:jre:5.0:update_1 cpe:/a:sun:jre:5.0:update_5 cpe:/a:sun:jre:5.0:update_2 cpe:/a:sun:jre:5.0:update_14 cpe:/a:sun:jre:5.0:update_3 cpe:/a:sun:jre:5.0:update_9 cpe:/a:sun:jre:5.0:update_13 cpe:/a:sun:jre:5.0 cpe:/a:sun:jre:5.0:update_7 cpe:/a:sun:jre:5.0:update_10 cpe:/a:sun:jre:5.0:update_8 cpe:/a:sun:jre:5.0:update_4 cpe:/a:sun:jre:5.0:update_12 cpe:/a:sun:jre:1.4.2_9 cpe:/a:sun:jre:1.4.2_8 cpe:/a:sun:jre:1.4.2_7 cpe:/a:sun:jre:1.4.2_6 cpe:/a:sun:jre:1.4.2_5 cpe:/a:sun:jre:1.4.2_4 cpe:/a:sun:jre:1.4.2_3 cpe:/a:sun:jre:1.4.2_2 cpe:/a:sun:jre:1.4.2_18 cpe:/a:sun:jre:1.4.2_17 cpe:/a:sun:jre:1.4.2_16 cpe:/a:sun:jre:1.4.2_15 cpe:/a:sun:jre:1.4.2_14 cpe:/a:sun:jre:1.4.2_13 cpe:/a:sun:jre:1.4.2_12 cpe:/a:sun:jre:1.4.2_11 cpe:/a:sun:jre:1.4.2_10 cpe:/a:sun:jre:1.4.2_1 cpe:/a:sun:jre:1.3.1_9 cpe:/a:sun:jre:1.3.1_8 cpe:/a:sun:jre:1.3.1_7 cpe:/a:sun:jre:1.3.1_6 cpe:/a:sun:jre:1.3.1_5 cpe:/a:sun:jre:1.3.1_4 cpe:/a:sun:jre:1.3.1_3 cpe:/a:sun:jre:1.3.1_23 cpe:/a:sun:jre:1.3.1_22 cpe:/a:sun:jre:1.3.1_21 cpe:/a:sun:jre:1.3.1_20 cpe:/a:sun:jre:1.3.1_2 cpe:/a:sun:jre:1.3.1_19 cpe:/a:sun:jre:1.3.1_18 cpe:/a:sun:jre:1.3.1_17 cpe:/a:sun:jre:1.3.1_16 cpe:/a:sun:jre:1.3.1_15 cpe:/a:sun:jre:1.3.1_14 cpe:/a:sun:jre:1.3.1_13 cpe:/a:sun:jre:1.3.1_12 cpe:/a:sun:jre:1.3.1_11 cpe:/a:sun:jre:1.3.1_10 cpe:/a:sun:jre:1.3.1_1	69
Application	Sun Sdk cpe:/a:sun:sdk:1.4.2_9 cpe:/a:sun:sdk:1.4.2_8 cpe:/a:sun:sdk:1.4.2_7 cpe:/a:sun:sdk:1.4.2_6 cpe:/a:sun:sdk:1.4.2_5 cpe:/a:sun:sdk:1.4.2_4 cpe:/a:sun:sdk:1.4.2_3 cpe:/a:sun:sdk:1.4.2_2 cpe:/a:sun:sdk:1.4.2_18 cpe:/a:sun:sdk:1.4.2_17 cpe:/a:sun:sdk:1.4.2_16 cpe:/a:sun:sdk:1.4.2_15 cpe:/a:sun:sdk:1.4.2_14 cpe:/a:sun:sdk:1.4.2_13 cpe:/a:sun:sdk:1.4.2_12 cpe:/a:sun:sdk:1.4.2_11 cpe:/a:sun:sdk:1.4.2_10 cpe:/a:sun:sdk:1.4.2_1 cpe:/a:sun:sdk:1.3.1_9 cpe:/a:sun:sdk:1.3.1_8 cpe:/a:sun:sdk:1.3.1_7 cpe:/a:sun:sdk:1.3.1_6 cpe:/a:sun:sdk:1.3.1_5 cpe:/a:sun:sdk:1.3.1_4 cpe:/a:sun:sdk:1.3.1_3 cpe:/a:sun:sdk:1.3.1_23 cpe:/a:sun:sdk:1.3.1_22 cpe:/a:sun:sdk:1.3.1_21 cpe:/a:sun:sdk:1.3.1_20 cpe:/a:sun:sdk:1.3.1_2 cpe:/a:sun:sdk:1.3.1_19 cpe:/a:sun:sdk:1.3.1_18 cpe:/a:sun:sdk:1.3.1_17 cpe:/a:sun:sdk:1.3.1_16 cpe:/a:sun:sdk:1.3.1_15 cpe:/a:sun:sdk:1.3.1_14 cpe:/a:sun:sdk:1.3.1_13 cpe:/a:sun:sdk:1.3.1_12 cpe:/a:sun:sdk:1.3.1_11 cpe:/a:sun:sdk:1.3.1_10 cpe:/a:sun:sdk:1.3.1_1	41

OpenVAS Exploits

Date	Description
2010-05-28	Name : Java for Mac OS X 10.5 Update 4 File : nvt/macosx_java_for_10_5_upd_4.nasl
2009-11-23	Name : Gentoo Security Advisory GLSA 200911-02 (sun-jre-bin sun-jdk emul-linux-x86-j... File : nvt/glsa_200911_02.nasl
2009-10-13	Name : SLES10: Security update for IBM Java 1.4.2 File : nvt/sles10_java-1_4_2-ibm0.nasl
2009-10-13	Name : SLES10: Security update for Sun Java 1.4.2 File : nvt/sles10_java-1_4_2-sun.nasl
2009-10-13	Name : SLES10: Security update for IBM Java 1.5.0 File : nvt/sles10_java-1_5_0-ibm2.nasl
2009-10-11	Name : SLES11: Security update for IBM Java 1.4.2 File : nvt/sles11_java-1_4_2-ibm.nasl
2009-10-11	Name : SLES11: Security update for IBM Java 1.6.0 File : nvt/sles11_java-1_6_0-ibm.nasl
2009-10-10	Name : SLES9: Security update for Sun Java File : nvt/sles9p5040565.nasl
2009-10-10	Name : SLES9: Security update for IBM Java5 JRE and SDK File : nvt/sles9p5041763.nasl
2009-10-10	Name : SLES9: Security update for IBM Java2 JRE and SDK File : nvt/sles9p5046860.nasl
2009-05-20	Name : SuSE Security Summary SUSE-SR:2009:010 File : nvt/suse_sr_2009_010.nasl
2009-05-05	Name : HP-UX Update for Java HPSBUX02411 File : nvt/gb_hp_ux_HPSBUX02411.nasl
2009-03-31	Name : RedHat Security Advisory RHSA-2009:0369 File : nvt/RHSA_2009_0369.nasl
2009-03-13	Name : Ubuntu USN-731-1 (apache2) File : nvt/ubuntu_731_1.nasl
2009-03-13	Name : Ubuntu USN-732-1 (dash) File : nvt/ubuntu_732_1.nasl
2009-03-13	Name : SuSE Security Summary SUSE-SR:2009:006 File : nvt/suse_sr_2009_006.nasl
2009-02-16	Name : Fedora Update for java-1.6.0-openjdk FEDORA-2008-10860 File : nvt/gb_fedora_2008_10860_java-1.6.0-openjdk_fc9.nasl
2009-02-16	Name : Fedora Update for java-1.6.0-openjdk FEDORA-2008-10913 File : nvt/gb_fedora_2008_10913_java-1.6.0-openjdk_fc10.nasl
2009-01-20	Name : RedHat Security Advisory RHSA-2009:0016 File : nvt/RHSA_2009_0016.nasl
2009-01-13	Name : SuSE Security Advisory SUSE-SA:2009:001 (Sun Java) File : nvt/suse_sa_2009_001.nasl

Open Source Vulnerability Database (OSVDB)

id	Description
50517	Sun Java JDK / JRE TrueType Font Processing Integer Overflow

Information Assurance Vulnerability Management (IAVM)

Date	Description
2009-10-22	IAVM : 2009-A-0105 - Multiple Vulnerabilities in VMware Products Severity : Category I - VMSKEY : V0021867

Nessus® Vulnerability Scanner

Date	Description
2014-11-26	Name : The remote OracleVM host is missing one or more security updates. File : oraclevm_OVMSA-2009-0014.nasl - Type : ACT_GATHER_INFO
2013-02-22	Name : The remote Unix host contains a runtime environment that is affected by multi... File : sun_java_jre_244986_unix.nasl - Type : ACT_GATHER_INFO
2010-01-10	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0466.nasl - Type : ACT_GATHER_INFO
2009-12-14	Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_40374.nasl - Type : ACT_GATHER_INFO
2009-12-14	Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_40375.nasl - Type : ACT_GATHER_INFO
2009-11-18	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200911-02.nasl - Type : ACT_GATHER_INFO
2009-10-19	Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2009-0014.nasl - Type : ACT_GATHER_INFO
2009-09-24	Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12321.nasl - Type : ACT_GATHER_INFO
2009-09-24	Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12336.nasl - Type : ACT_GATHER_INFO
2009-09-24	Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12387.nasl - Type : ACT_GATHER_INFO
2009-09-24	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_4_2-ibm-090405.nasl - Type : ACT_GATHER_INFO
2009-09-24	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_6_0-ibm-090405.nasl - Type : ACT_GATHER_INFO
2009-09-24	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_java-1_4_2-sun-5852.nasl - Type : ACT_GATHER_INFO
2009-09-24	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_java-1_5_0-ibm-5960.nasl - Type : ACT_GATHER_INFO
2009-08-24	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-1018.nasl - Type : ACT_GATHER_INFO
2009-08-24	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-1025.nasl - Type : ACT_GATHER_INFO
2009-08-24	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0016.nasl - Type : ACT_GATHER_INFO
2009-08-24	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0369.nasl - Type : ACT_GATHER_INFO
2009-07-21	Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_5_0-sun-081217.nasl - Type : ACT_GATHER_INFO
2009-07-21	Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_6_0-openjdk-090303.nasl - Type : ACT_GATHER_INFO
2009-07-21	Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_6_0-sun-081217.nasl - Type : ACT_GATHER_INFO
2009-07-21	Name : The remote openSUSE host is missing a security update. File : suse_11_0_java-1_5_0-sun-081217.nasl - Type : ACT_GATHER_INFO
2009-07-21	Name : The remote openSUSE host is missing a security update. File : suse_11_0_java-1_6_0-sun-081217.nasl - Type : ACT_GATHER_INFO
2009-07-09	Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_rel9.nasl - Type : ACT_GATHER_INFO
2009-06-17	Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_10_5_update4.nasl - Type : ACT_GATHER_INFO
2009-04-23	Name : The remote Fedora host is missing a security update. File : fedora_2008-10913.nasl - Type : ACT_GATHER_INFO
2009-01-07	Name : The remote openSUSE host is missing a security update. File : suse_java-1_5_0-sun-5875.nasl - Type : ACT_GATHER_INFO
2009-01-07	Name : The remote openSUSE host is missing a security update. File : suse_java-1_6_0-sun-5876.nasl - Type : ACT_GATHER_INFO
2008-12-08	Name : The remote Fedora host is missing a security update. File : fedora_2008-10860.nasl - Type : ACT_GATHER_INFO
2008-12-04	Name : The remote Windows host contains a runtime environment that is affected by mu... File : sun_java_jre_244986.nasl - Type : ACT_GATHER_INFO

Internal Sources (Detail)

Source	Url
BID	http://www.securityfocus.com/bid/32608
CERT	http://www.us-cert.gov/cas/techalerts/TA08-340A.html
CONFIRM	http://support.avaya.com/elmodocs2/security/ASA-2008-485.htm http://support.avaya.com/elmodocs2/security/ASA-2009-012.htm http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=829914... http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/03/024431-01.pdf
GENTOO	http://security.gentoo.org/glsa/glsa-200911-02.xml
HP	http://marc.info/?l=bugtraq&m=123678756409861&w=2 http://marc.info/?l=bugtraq&m=123678756409861&w=2
IDEFENSE	http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=760
OSVDB	http://osvdb.org/50517
REDHAT	http://rhn.redhat.com/errata/RHSA-2008-1018.html http://rhn.redhat.com/errata/RHSA-2008-1025.html http://www.redhat.com/support/errata/RHSA-2009-0016.html http://www.redhat.com/support/errata/RHSA-2009-0369.html https://rhn.redhat.com/errata/RHSA-2009-0466.html
SECUNIA	http://secunia.com/advisories/32991 http://secunia.com/advisories/33015 http://secunia.com/advisories/33187 http://secunia.com/advisories/33710 http://secunia.com/advisories/34233 http://secunia.com/advisories/34259 http://secunia.com/advisories/34447 http://secunia.com/advisories/34605 http://secunia.com/advisories/34972 http://secunia.com/advisories/35065 http://secunia.com/advisories/37386 http://secunia.com/advisories/38539
SUNALERT	http://sunsolve.sun.com/search/document.do?assetkey=1-26-244987-1
SUSE	http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00009.html http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html
VUPEN	http://www.vupen.com/english/advisories/2008/3339 http://www.vupen.com/english/advisories/2009/0672
XF	http://xforce.iss.net/xforce/xfdb/47050

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-02-17 10:47:30	Multiple Updates
2013-11-11 12:38:08	Multiple Updates
2013-05-11 00:31:46	Multiple Updates

Global Informations

Crosslinks (click on circle)


Try vDNA Crosslinks

Type	Count
CWE ID(s)	1
Oval ID(s)	1
CPE ID(s)	137
Sources(s)	36
osvdb(s)	1
Openvas Exploit(s)	20
IAVM(s)	1
Nessus® Exploit(s)	30

Related	Severity
VMSA-2009-0014	(Critical)
TA08-340A	(Critical)
RHSA-2009:0369	(Critical)
RHSA-2009:0016	(Critical)
RHSA-2008:1025	(Critical)
RHSA-2008:1018	(Critical)
HPSBUX02411 SSR...	(Critical)
HPSBMA02486 SSR...	(Critical)
GLSA-200911-02	(Critical)
SUN-244987	(Critical)

Same Subject	Severity
Login to view 113 more Alert(s)