[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[linux-alert] CERT Advisory CA-96.05 - Java (fwd)


>X-POP3-Rcpt: gaetani@napoli
>Date: Wed, 6 Mar 1996 16:43:11 +0100 (MET)
>From: Eugenio Pierno <tomcat@netway.it>
>Reply-To: pierno@netway.it
>To: info@netway.it
>cc: Gaetani Claudio <gaetani@netway.it>, Valente Carlo <carlo@netway.it>
>Subject: [linux-alert] CERT Advisory CA-96.05 - Java (fwd)
>MIME-Version: 1.0
>Tomcat lo sapeva...
>---------- Forwarded message ----------
>Date: Tue, 5 Mar 1996 13:34:09 -0500
>From: CERT Advisory <cert-advisory@cert.org>
>To: cert-advisory@cert.org
>Subject: [linux-alert] CERT Advisory CA-96.05 - Java
>CERT(sm) Advisory CA-96.05
>March 5, 1996
>Topic: Java Implementations Can Allow Connections to an Arbitrary Host
>The CERT Coordination Center has received reports of a vulnerability in
>implementations of the Java Applet Security Manager. This vulnerability is
>present in the Netscape Navigator 2.0 Java implementation and in Release
>1.0 of the Java Developer's Kit from Sun Microsystems, Inc. These
>implementations do not correctly implement the policy that an applet may
>connect only to the host from which the applet was loaded.
>The CERT Coordination Center recommends installing patches from the vendors,
>and using the workaround described in Section III until patches can be
>As we receive additional information relating to this advisory, we
>will place it in
>        ftp://info.cert.org/pub/cert_advisories/CA-96.05.README
>We encourage you to check our README files regularly for updates on
>advisories that relate to your site.
>I.   Description
>     There is a serious security problem with the Netscape Navigator 2.0 Java
>     implementation. The vulnerability is also present in the Java Developer's
>     Kit 1.0 from Sun Microsystems, Inc. The restriction allowing an applet to
>     connect only to the host from which it was loaded is not properly
>     enforced. This vulnerability, combined with the subversion of the DNS
>     system, allows an applet to open a connection to an arbitrary host on the
>     Internet.
>     In these Java implementations, the Applet Security Manager allows an
>     applet to connect to any of the IP addresses associated with the name
>     of the computer from which it came. This is a weaker policy than the
>     stated policy and leads to the vulnerability described herein.
>II.  Impact
>     Java applets can connect to arbitrary hosts on the Internet, including
>     those presumed to be previously inaccessible, such as hosts behind a
>     firewall. Bugs in any TCP/IP-based network service can then be exploited.
>     In addition, services previously thought to be secure by virtue of their
>     location behind a firewall can be attacked.
>III. Solution
>     To fix this problem, the Applet Security Manager must be more strict
>     in deciding which hosts an applet is allowed to connect to. The Java
>     system needs to take note of the actual IP address that the applet truly
>     came from (getting that numerical address from the applet's packets as
>     the applet is being loaded), and thereafter allow the applet to connect
>     only to that same numerical address.
>     We urge you to obtain vendor patches as they become available.
>     Until you can install the patches that implement the more strict
>     applet connection restrictions, you should apply the workarounds
>     described in each section below.
>     A. Netscape users
>        For Netscape Navigator 2.0, use the following URL to learn more about
>        the problem and how to download and install a patch:
>            http://home.netscape.com/newsref/std/java_security.html
>        Until you install the patch, disable Java using the "Security
>        Preferences" dialog box.
>     B. Sun users
>        A patch for Sun's HotJava will be available soon.
>        Until you can install the patch, disable applet downloading by
>        selecting "Options" then "Security...". In the "Enter desired security
>        mode" menu, select the "No access" option.
>        In addition, select the "Apply security mode to applet loading" to
>        disable applet loading entirely, regardless of the source of the
>        applet.
>     C. Both Netscape and Sun users
>        If you operate an HTTP proxy server, you could also disable
>        applets by refusing to fetch Java ".class" files.
>The CERT Coordination Center thanks Drew Dean, Ed Felton, and Dan Wallach of
>Princeton University for providing information for this advisory. We thank
>Netscape Communications Corporation, especially Jeff Truehaft, and Sun
>Microsystems, Inc., especially Marianne Mueller, for their response to this
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident
>Response and Security Teams (FIRST).
>We strongly urge you to encrypt any sensitive information you send by email.
>The CERT Coordination Center can support a shared DES key and PGP. Contact the
>CERT staff for more information.
>Location of CERT PGP key
>         ftp://info.cert.org/pub/CERT_PGP.key
>CERT Contact Information
>Email    cert@cert.org
>Phone    +1 412-268-7090 (24-hour hotline)
>                CERT personnel answer 8:30-5:00 p.m. EST
>                (GMT-5)/EDT(GMT-4), and are on call for
>                emergencies during other hours.
>Fax      +1 412-268-6989
>Postal address
>        CERT Coordination Center
>        Software Engineering Institute
>        Carnegie Mellon University
>        Pittsburgh PA 15213-3890
>        USA
>To be added to our mailing list for CERT advisories and bulletins, send your
>email address to
>        cert-advisory-request@cert.org
>CERT publications, information about FIRST representatives, and other
>security-related information are available for anonymous FTP from
>        ftp://info.cert.org/pub/
>CERT advisories and bulletins are also posted on the USENET newsgroup
>        comp.security.announce
>Copyright 1996 Carnegie Mellon University
>This material may be reproduced and distributed without permission provided it
>is used for noncommercial purposes and the copyright statement is included.
>CERT is a service mark of Carnegie Mellon University.
>Eugenio Pierno                     Phone:   +39 81 7624433
>NETWAY Internet Provider           Fax:     +39 81 7623909
>Via P. Giustino 9/a                E-mail:  pierno@netway.it
>80125 Naples - Italy               Http://www.netway.it

Read You ALL and...

----------------- GET in TOUCH ------------------
                          Claudio V. Gaetani
       --MACINTOSH Power User Since Lisa--


I dreamt of airships darkening the sky,
just when folks were singing and laughing the most.

I dreamnt of airships that shot each other down,
shattering the harmony of the radiant morning.

                                         Silvio Rodriguez (Cuba)

For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/