[linux-alert] CERT Advisory CA-96.05 - Java (fwd)
CLAUDIO KNOWS IT TOO!.....
>X-POP3-Rcpt: gaetani@napoli
>Date: Wed, 6 Mar 1996 16:43:11 +0100 (MET)
>From: Eugenio Pierno <tomcat@netway.it>
>Reply-To: pierno@netway.it
>To: info@netway.it
>cc: Gaetani Claudio <gaetani@netway.it>, Valente Carlo <carlo@netway.it>
>Subject: [linux-alert] CERT Advisory CA-96.05 - Java (fwd)
>MIME-Version: 1.0
>
>
>Tomcat knew it...
>
>---------- Forwarded message ----------
>Date: Tue, 5 Mar 1996 13:34:09 -0500
>From: CERT Advisory <cert-advisory@cert.org>
>To: cert-advisory@cert.org
>Subject: [linux-alert] CERT Advisory CA-96.05 - Java
>
>=============================================================================
>CERT(sm) Advisory CA-96.05
>March 5, 1996
>
>Topic: Java Implementations Can Allow Connections to an Arbitrary Host
>
>-----------------------------------------------------------------------------
>
>The CERT Coordination Center has received reports of a vulnerability in
>implementations of the Java Applet Security Manager. This vulnerability is
>present in the Netscape Navigator 2.0 Java implementation and in Release
>1.0 of the Java Developer's Kit from Sun Microsystems, Inc. These
>implementations do not correctly implement the policy that an applet may
>connect only to the host from which the applet was loaded.
>
>The CERT Coordination Center recommends installing patches from the vendors,
>and using the workaround described in Section III until patches can be
>installed.
>
>As we receive additional information relating to this advisory, we
>will place it in
>
> ftp://info.cert.org/pub/cert_advisories/CA-96.05.README
>
>We encourage you to check our README files regularly for updates on
>advisories that relate to your site.
>
>-----------------------------------------------------------------------------
>
>I. Description
>
> There is a serious security problem with the Netscape Navigator 2.0 Java
> implementation. The vulnerability is also present in the Java Developer's
> Kit 1.0 from Sun Microsystems, Inc. The restriction allowing an applet to
> connect only to the host from which it was loaded is not properly
> enforced. This vulnerability, combined with the subversion of the DNS
> system, allows an applet to open a connection to an arbitrary host on the
> Internet.
>
> In these Java implementations, the Applet Security Manager allows an
> applet to connect to any of the IP addresses associated with the name
> of the computer from which it came. This is a weaker policy than the
> stated policy and leads to the vulnerability described herein.
>
>II. Impact
>
> Java applets can connect to arbitrary hosts on the Internet, including
> those presumed to be previously inaccessible, such as hosts behind a
> firewall. Bugs in any TCP/IP-based network service can then be exploited.
> In addition, services previously thought to be secure by virtue of their
> location behind a firewall can be attacked.
>
>III. Solution
>
> To fix this problem, the Applet Security Manager must be more strict
> in deciding which hosts an applet is allowed to connect to. The Java
> system needs to take note of the actual IP address that the applet truly
> came from (getting that numerical address from the applet's packets as
> the applet is being loaded), and thereafter allow the applet to connect
> only to that same numerical address.
>
> We urge you to obtain vendor patches as they become available.
> Until you can install the patches that implement the more strict
> applet connection restrictions, you should apply the workarounds
> described in each section below.
>
> A. Netscape users
>
> For Netscape Navigator 2.0, use the following URL to learn more about
> the problem and how to download and install a patch:
>
> http://home.netscape.com/newsref/std/java_security.html
>
> Until you install the patch, disable Java using the "Security
> Preferences" dialog box.
>
>
> B. Sun users
>
> A patch for Sun's HotJava will be available soon.
>
> Until you can install the patch, disable applet downloading by
> selecting "Options" then "Security...". In the "Enter desired security
> mode" menu, select the "No access" option.
>
> In addition, select the "Apply security mode to applet loading" to
> disable applet loading entirely, regardless of the source of the
> applet.
>
>
> C. Both Netscape and Sun users
>
> If you operate an HTTP proxy server, you could also disable
> applets by refusing to fetch Java ".class" files.
>
>
>---------------------------------------------------------------------------
>The CERT Coordination Center thanks Drew Dean, Ed Felton, and Dan Wallach of
>Princeton University for providing information for this advisory. We thank
>Netscape Communications Corporation, especially Jeff Truehaft, and Sun
>Microsystems, Inc., especially Marianne Mueller, for their response to this
>problem.
>---------------------------------------------------------------------------
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident
>Response and Security Teams (FIRST).
>
>We strongly urge you to encrypt any sensitive information you send by email.
>The CERT Coordination Center can support a shared DES key and PGP. Contact the
>CERT staff for more information.
>
>Location of CERT PGP key
> ftp://info.cert.org/pub/CERT_PGP.key
>
>CERT Contact Information
>------------------------
>Email cert@cert.org
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST
> (GMT-5)/EDT(GMT-4), and are on call for
> emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>To be added to our mailing list for CERT advisories and bulletins, send your
>email address to
> cert-advisory-request@cert.org
>
>CERT publications, information about FIRST representatives, and other
>security-related information are available for anonymous FTP from
> ftp://info.cert.org/pub/
>
>CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
>
>Copyright 1996 Carnegie Mellon University
>This material may be reproduced and distributed without permission provided it
>is used for noncommercial purposes and the copyright statement is included.
>
>CERT is a service mark of Carnegie Mellon University.
>
>
>
>
>--------------------------------------------------------------------
>Eugenio Pierno Phone: +39 81 7624433
>NETWAY Internet Provider Fax: +39 81 7623909
>Via P. Giustino 9/a E-mail: pierno@netway.it
>80125 Naples - Italy Http://www.netway.it
>--------------------------------------------------------------------
>
Read You ALL and...
***********************************
----------------- GET in TOUCH ------------------
***********************************
Claudio V. Gaetani
--MACINTOSH Power User Since Lisa--
gaetani@netway.it
http://www.netway.it/~gaetani/
________________________________________
*I*I*I*I*I*I*I*I*I*I*I*I*I*I*I*I*I*I*I*I*I*I*I*I*
===I'M SURE THERE IS NOTHING LIKE A MAC!===
I dreamt of airships darkening the sky,
just when folks were singing and laughing the most.
I dreamt of airships that shot each other down,
shattering the harmony of the radiant morning.
Silvio Rodriguez (Cuba)
--------------------------------------------------------------------
For help about the list, please send a message to 'majordomo@obscure.org'
with the message body 'help'. To unsubscribe, send a message to
'majordomo@obscure.org' with the message body 'unsubscribe javascript'.
List archives and pointer to FAQ: http://www.obscure.org/javascript/
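
The difference between the policy the advisory describes in Section I and the stricter one it calls for in Section III, as an added example (not part of the advisory, the posts above, or any vendor's code). The class name, host name and addresses are constructed, and the in-memory map stands in for a real DNS resolver.

```java
import java.util.List;
import java.util.Map;

public class AppletConnectPolicy {
    // Constructed resolver data: what DNS returns for the applet's origin name.
    // The name and addresses are illustrative (documentation and private ranges).
    static final Map<String, List<String>> DNS = Map.of(
        "applets.example.org", List.of("203.0.113.10", "10.0.0.5"));

    // Policy described in Section I: allow any address that the origin *name*
    // currently maps to, so the answer depends on whoever controls that DNS data.
    static boolean weakCheck(String originName, String targetIp) {
        return DNS.getOrDefault(originName, List.of()).contains(targetIp);
    }

    // Policy called for in Section III: allow only the numeric address the
    // applet was actually received from, recorded once at load time.
    // Plain string comparison is enough for this model; real code would
    // compare parsed addresses rather than their text form.
    static boolean strictCheck(String loadedFromIp, String targetIp) {
        return loadedFromIp.equals(targetIp);
    }

    public static void main(String[] args) {
        String originName = "applets.example.org";
        String loadedFromIp = "203.0.113.10"; // peer address seen while loading
        for (String target : List.of("203.0.113.10", "10.0.0.5", "198.51.100.7")) {
            System.out.printf("%-13s weak=%-5b strict=%b%n",
                target,
                weakCheck(originName, target),
                strictCheck(loadedFromIp, target));
        }
    }
}
```

The second target is the case the advisory warns about: the name-based check accepts it because the name maps to it, while the address-pinned check rejects everything except the host the applet was loaded from.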