Critical problems were uncovered last week in JAVA file processing (#1) and in several parts of Oracle (#2). The JAVA problems can be used to infect people who simply view a malicious web page or HTML email. Updates are available for both.
@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).
Part I for this issue has been compiled by Rob King and Rohit Dhamankar at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process
Description: Certain editions of the Java platform released by Sun Microsystems contain a vulnerability in the parsing of GIF image files. A specially-crafted GIF image file with an image width value of zero can cause a heap overflow. The flaw can be exploited to execute arbitrary code with the privileges of the current user. Note that applets are automatically downloaded and executed in typical web browser configurations. Hence, the flaw can be exploited by simply viewing a malicious web page or HTML email. Technical details for this vulnerability have been publicly posted. Sun's Java platform is installed on most Microsoft Windows systems, all Mac OS X systems, and most Unix and Unix-like systems.
Status: Sun confirmed, updates available.
Description: Oracle released its January 2007 security update that fixes over 70 vulnerabilities. Most of the issues patched are low-severity security issues (information-disclosure, denial-of-service and locally exploitable flaws) with the exception of the following: 1) The Oracle Notification Service (ONS), installed by default along with several Oracle products, contains a buffer overflow. A specially-crafted ONS message could trigger this buffer overflow, and execute arbitrary code with the privileges of the ONS process. Users are advised to block access to TCP and UDP port 6200 at the network perimeter, if possible. 2) The "SYS.DBMS_AQ_INV" SQL package contains SQL injection vulnerabilities. By sending specially-crafted SQL queries using this SQL package to a server, an authenticated attacker could execute arbitrary SQL commands with elevated privilege, and possibly take control of the database system or execute arbitrary code with the privileges of the database process. 3) The "EmChartBean" component of the Oracle Application Server contains a directory-traversal vulnerability. An unauthenticated attacker could exploit this vulnerability to read any file visible to the Oracle Application Server process, which by default runs with "LocalSystem" privilege. 4) The ORADC ActiveX component contains a buffer overflow vulnerability. A specially-crafted web page that instantiates this component could trigger the buffer overflow, and execute arbitrary code with the privileges of the current user. Users can mitigate this vulnerability by disabling the control via Microsoft's "kill bit" mechanism for GUID "EC4CF635-D196-11CE-9027-02608C4BF3B5". Note that this may adversely affect some applications. A simple proof-of-concept is available for this vulnerability. (This is a different vulnerability than the ones listed in the January 2007 CPU.)
Status: Oracle confirmed, updates available.
Council Site Actions: Most of the reporting council sites are using the affected Oracle products. These sites are in the process of validating and testing updates and plan to roll out during their next regularly scheduled system update process.
Description: Multiple vulnerabilities have been discovered in several BEA products. These vulnerabilities could allow attackers to execute arbitrary code with the privileges of the affected product, disclose sensitive information, bypass security restrictions, or create a denial-of-service condition. Further technical information about most of these vulnerabilities is not publicly available.
Status: BEA confirmed, updates available.
Council Site Actions: The affected software and/or configuration are not in production or widespread use, or are not officially supported at any of the council sites. They reported that no action was necessary.
Description: IBM WebSphere Application Server contains multiple vulnerabilities, which could be exploited by an attacker to obtain the source code to arbitrary Java Server Pages (JSP). Additionally, there is an unspecified security vulnerability reported by the vendor. No technical details are believed to be publicly available for these vulnerabilities.
Status: IBM confirmed, updates available.
Council Site Actions: Only one of the reporting council sites is using WebSphere products. They are investigating exposure to vulnerability with the appropriate support team.
This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 5346 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
(c) 2007. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.
Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.