Executive Summary
| Summary | |
|---|---|
| Title | Sun Alert 254609 A Security Vulnerability in the Java Runtime Environment (JRE) HTTP Server Implementation May Allow a Denial of Service (DoS) Condition on a JAX-WS Service Endpoint |
| Informations | |||
|---|---|---|---|
| Name | SUN-254609 | First vendor Publication | 2009-03-24 |
| Vendor | Sun | Last vendor Modification | 2009-03-24 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Product: Java Platform, Standard Edition (Java SE) A security vulnerability in the Java Runtime Environment (JRE) HTTP server implementation may allow a remote unprivileged user to create a Denial of Service (DoS) condition on a JAX-WS service endpoint that runs on the JRE. State: Resolved First released: 24-Mar-2009 |
Original Source
| Url : http://blogs.sun.com/security/entry/sun_alert_254609_a_security |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:10152 | |||
| Oval ID: | oval:org.mitre.oval:def:10152 | ||
| Title: | Unspecified vulnerability in the lightweight HTTP server implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to cause a denial of service (probably resource consumption) for a JAX-WS service endpoint via a connection without any data, which triggers a file descriptor "leak." | ||
| Description: | Unspecified vulnerability in the lightweight HTTP server implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to cause a denial of service (probably resource consumption) for a JAX-WS service endpoint via a connection without any data, which triggers a file descriptor "leak." | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2009-1101 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:13469 | |||
| Oval ID: | oval:org.mitre.oval:def:13469 | ||
| Title: | DSA-1769-1 openjdk-6 -- several | ||
| Description: | Several vulnerabilities have been identified in OpenJDK, an implementation of the Java SE platform. Creation of large, temporary fonts could use up available disk space, leading to a denial of service condition. Several vulnerabilities existed in the embedded LittleCMS library, exploitable through crafted images: a memory leak, resulting in a denial of service condition, heap-based buffer overflows, potentially allowing arbitrary code execution, and a null-pointer dereference, leading to denial of service. The LDAP server implementation did not properly close sockets if an error was encountered, leading to a denial-of-service condition. The LDAP client implementation allowed malicious LDAP servers to execute arbitrary code on the client. The HTTP server implementation contained an unspecified denial of service vulnerability. Several issues in Java Web Start have been addressed. The Debian packages currently do not support Java Web Start, so these issues are not directly exploitable, but the relevant code has been updated nevertheless. For the stable distribution, these problems have been fixed in version 9.1+lenny2. We recommend that you upgrade your openjdk-6 packages. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1769-1 CVE-2006-2426 CVE-2009-0581 CVE-2009-0723 CVE-2009-0733 CVE-2009-0793 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1101 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | openjdk-6 |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:6412 | |||
| Oval ID: | oval:org.mitre.oval:def:6412 | ||
| Title: | Java Runtime Environment (JRE) HTTP Server Bug Lets Remote Users Deny Service | ||
| Description: | Unspecified vulnerability in the lightweight HTTP server implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to cause a denial of service (probably resource consumption) for a JAX-WS service endpoint via a connection without any data, which triggers a file descriptor "leak." | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2009-1101 | Version: | 3 |
| Platform(s): | VMWare ESX Server 3.5 VMWare ESX Server 4.0 | Product(s): | |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:8037 | |||
| Oval ID: | oval:org.mitre.oval:def:8037 | ||
| Title: | DSA-1769 openjdk-6 -- several vulnerabilities | ||
| Description: | Several vulnerabilities have been identified in OpenJDK, an implementation of the Java SE platform. Creation of large, temporary fonts could use up available disk space, leading to a denial of service condition. Several vulnerabilities existed in the embedded LittleCMS library, exploitable through crafted images: a memory leak, resulting in a denial of service condition (CVE-2009-0581), heap-based buffer overflows, potentially allowing arbitrary code execution (CVE-2009-0723, CVE-2009-0733), and a null-pointer dereference, leading to denial of service (CVE-2009-0793). The LDAP server implementation (in com.sun.jdni.ldap) did not properly close sockets if an error was encountered, leading to a denial-of-service condition. The LDAP client implementation (in com.sun.jdni.ldap) allowed malicious LDAP servers to execute arbitrary code on the client. The HTTP server implementation (sun.net.httpserver) contained an unspecified denial of service vulnerability. Several issues in Java Web Start have been addressed. The Debian packages currently do not support Java Web Start, so these issues are not directly exploitable, but the relevant code has been updated | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1769 CVE-2006-2426 CVE-2009-0581 CVE-2009-0723 CVE-2009-0733 CVE-2009-0793 CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1101 | Version: | 3 |
| Platform(s): | Debian GNU/Linux 5.0 | Product(s): | openjdk-6 |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2011-08-09 | Name : CentOS Update for java CESA-2009:0377 centos5 i386 File : nvt/gb_CESA-2009_0377_java_centos5_i386.nasl |
| 2010-05-28 | Name : Java for Mac OS X 10.5 Update 4 File : nvt/macosx_java_for_10_5_upd_4.nasl |
| 2009-10-11 | Name : SLES11: Security update for IBM Java 1.6.0 File : nvt/sles11_java-1_6_0-ibm0.nasl |
| 2009-08-17 | Name : RedHat Security Advisory RHSA-2009:1198 File : nvt/RHSA_2009_1198.nasl |
| 2009-08-17 | Name : Mandrake Security Advisory MDVSA-2009:162 (java-1.6.0-openjdk) File : nvt/mdksa_2009_162.nasl |
| 2009-06-23 | Name : Mandrake Security Advisory MDVSA-2009:137 (java-1.6.0-openjdk) File : nvt/mdksa_2009_137.nasl |
| 2009-06-05 | Name : Ubuntu USN-744-1 (lcms) File : nvt/ubuntu_744_1.nasl |
| 2009-06-05 | Name : Ubuntu USN-743-1 (gs-gpl) File : nvt/ubuntu_743_1.nasl |
| 2009-06-01 | Name : HP-UX Update for Java HPSBUX02429 File : nvt/gb_hp_ux_HPSBUX02429.nasl |
| 2009-05-20 | Name : RedHat Security Advisory RHSA-2009:1038 File : nvt/RHSA_2009_1038.nasl |
| 2009-04-23 | Name : Sun Java JDK/JRE Multiple Vulnerabilities (Win) File : nvt/gb_sun_java_jre_dos_vuln_win.nasl |
| 2009-04-23 | Name : Sun Java JRE Multiple Vulnerabilities (Linux) File : nvt/gb_sun_java_jre_dos_vuln_lin.nasl |
| 2009-04-15 | Name : CentOS Security Advisory CESA-2009:0377 (java-1.6.0-openjdk) File : nvt/ovcesa2009_0377.nasl |
| 2009-04-15 | Name : Debian Security Advisory DSA 1769-1 (openjdk-6) File : nvt/deb_1769_1.nasl |
| 2009-04-15 | Name : RedHat Security Advisory RHSA-2009:0377 File : nvt/RHSA_2009_0377.nasl |
| 2009-04-06 | Name : Ubuntu USN-748-1 (openjdk-6) File : nvt/ubuntu_748_1.nasl |
| 2009-04-06 | Name : Ubuntu USN-747-1 (icu) File : nvt/ubuntu_747_1.nasl |
| 2009-04-06 | Name : Ubuntu USN-746-1 (xine-lib) File : nvt/ubuntu_746_1.nasl |
| 2009-04-06 | Name : SuSE Security Advisory SUSE-SA:2009:016 (Sun Java 5 and 6) File : nvt/suse_sa_2009_016.nasl |
| 2009-03-31 | Name : RedHat Security Advisory RHSA-2009:0392 File : nvt/RHSA_2009_0392.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 53172 | Sun Java JDK / JRE Lightweight HTTP Server Implementation JAX-WS Service Endp... |
Information Assurance Vulnerability Management (IAVM)
| Date | Description |
|---|---|
| 2009-10-22 | IAVM : 2009-A-0105 - Multiple Vulnerabilities in VMware Products Severity : Category I - VMSKEY : V0021867 |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2016-03-08 | Name : The remote VMware ESX host is missing a security-related patch. File : vmware_VMSA-2010-0002_remote.nasl - Type : ACT_GATHER_INFO |
| 2016-03-03 | Name : The remote host is missing a security-related patch. File : vmware_VMSA-2009-0014_remote.nasl - Type : ACT_GATHER_INFO |
| 2016-03-03 | Name : The remote host is missing a security-related patch. File : vmware_VMSA-2009-0016_remote.nasl - Type : ACT_GATHER_INFO |
| 2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-0377.nasl - Type : ACT_GATHER_INFO |
| 2013-02-22 | Name : The remote Unix host contains a runtime environment that is affected by multi... File : sun_java_jre_254569_unix.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090326_java__jdk_1_6_0__on_SL4_x.nasl - Type : ACT_GATHER_INFO |
| 2010-03-31 | Name : The remote VMware ESX host is missing a security-related patch. File : vmware_VMSA-2010-0002.nasl - Type : ACT_GATHER_INFO |
| 2010-01-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0043.nasl - Type : ACT_GATHER_INFO |
| 2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-0377.nasl - Type : ACT_GATHER_INFO |
| 2009-11-23 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2009-0016.nasl - Type : ACT_GATHER_INFO |
| 2009-11-18 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200911-02.nasl - Type : ACT_GATHER_INFO |
| 2009-10-19 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2009-0014.nasl - Type : ACT_GATHER_INFO |
| 2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_6_0-ibm-090629.nasl - Type : ACT_GATHER_INFO |
| 2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_6_0-sun-090327.nasl - Type : ACT_GATHER_INFO |
| 2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0394.nasl - Type : ACT_GATHER_INFO |
| 2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1038.nasl - Type : ACT_GATHER_INFO |
| 2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1198.nasl - Type : ACT_GATHER_INFO |
| 2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0392.nasl - Type : ACT_GATHER_INFO |
| 2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_java-1_6_0-sun-090327.nasl - Type : ACT_GATHER_INFO |
| 2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_6_0-sun-090328.nasl - Type : ACT_GATHER_INFO |
| 2009-07-09 | Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_rel9.nasl - Type : ACT_GATHER_INFO |
| 2009-06-21 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-137.nasl - Type : ACT_GATHER_INFO |
| 2009-06-17 | Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_10_5_update4.nasl - Type : ACT_GATHER_INFO |
| 2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-748-1.nasl - Type : ACT_GATHER_INFO |
| 2009-04-13 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1769.nasl - Type : ACT_GATHER_INFO |
| 2009-04-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0377.nasl - Type : ACT_GATHER_INFO |
| 2009-04-01 | Name : The remote openSUSE host is missing a security update. File : suse_java-1_6_0-sun-6128.nasl - Type : ACT_GATHER_INFO |
| 2009-03-27 | Name : The remote Windows host contains a runtime environment that is affected by mu... File : sun_java_jre_254569.nasl - Type : ACT_GATHER_INFO |
| 2007-10-12 | Name : The remote host is missing Sun Security Patch number 125137-97 File : solaris9_125137.nasl - Type : ACT_GATHER_INFO |
| 2007-10-12 | Name : The remote host is missing Sun Security Patch number 125137-97 File : solaris8_125137.nasl - Type : ACT_GATHER_INFO |
| 2007-10-12 | Name : The remote host is missing Sun Security Patch number 125137-97 File : solaris10_125137.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2016-06-28 20:10:38 |
|
