Public Vulnerability Reports

Oracle Java Runtime Environment Memory Corruption Vulnerability

14.02.12

BACKGROUND

Oracle's JRE is a platform that supports the execution of programs developed using the Java programming language. It is available for multiple platforms, including Windows, Linux and MacOS. The JRE platform also supports Java Applets, which can be loaded from Web pages.

DESCRIPTION

Remote exploitation of a heap buffer overflow vulnerability in Oracle Corp.'s Java Runtime Environment (JRE) could allow an attacker to execute arbitrary code with the privileges of the current user.

A graphics rendering object is created and used together with an associated rendering surfaceData object. If a particular value is used to set the size of the surface and a member function is overridden to return null, creating a further rendering object may produce a rendering object of a different type and cause the surfaceData object to be re-validated. The result is a type confusion: the new rendering object treats the surfaceData object as a surfaceData object of a different type. This condition may allow a remote attacker to subvert execution control and execute arbitrary code.

ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the current user. In order to exploit this vulnerability, a user must load a Web page containing a specially crafted Java applet. An attacker typically accomplishes this via social engineering or injecting content into compromised, trusted sites. Typical social engineering attacks will pass URLs as part of instant messages or electronic mail.

DETECTION

Java SE 7 update 2 and prior, and 6 update 30 and prior are affected.
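The following is an added inventory check, not part of the iDefense advisory: it parses a JRE version string (or the output of `java -version`) and reports whether it falls inside the affected range the advisory states, Java SE 7 Update 2 and prior and Java SE 6 Update 30 and prior. It assumes the legacy Oracle version string layout of that era, such as "1.7.0_02" or "1.6.0_30-b12"; the function names and the sample strings are constructed for this example.

```python
"""Added example (not from the advisory): classify a JRE version against the
range the advisory lists as affected by CVE-2012-0497.

Assumes the legacy Oracle version string format, e.g. "1.7.0_02" or
"1.6.0_30-b12", as printed by `java -version` (which writes to stderr).
"""
import re
import subprocess
from typing import Optional, Tuple

# Highest affected update per major family, taken from the advisory text:
# Java SE 7 Update 2 and prior, Java SE 6 Update 30 and prior.
AFFECTED_MAX_UPDATE = {6: 30, 7: 2}

# Matches "1.<major>.<minor>" with an optional "_<update>" and build suffix.
_VERSION_RE = re.compile(r'"?1\.(\d+)\.(\d+)(?:_(\d+))?[^"\s]*"?')


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a version string or `java -version` output.

    A missing "_<update>" part is treated as update 0. Returns None when no
    legacy-format version string is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(3)) if m.group(3) else 0
    return major, update


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in the advisory's affected range, False if it is
    newer, None if it cannot be parsed or belongs to a family the advisory
    does not classify (e.g. Java 5)."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    if major not in AFFECTED_MAX_UPDATE:
        return None
    return update <= AFFECTED_MAX_UPDATE[major]


def check_installed_java() -> Optional[bool]:
    """Run the `java` on PATH and classify it; None if java is absent."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return is_affected(out.stderr + out.stdout)


if __name__ == "__main__":
    # Constructed sample strings standing in for `java -version` output.
    samples = [
        'java version "1.7.0_02"',      # affected (7u2)
        'java version "1.7.0_03"',      # patched (7u3)
        'java version "1.6.0_30-b12"',  # affected (6u30)
        'java version "1.6.0_31"',      # patched (6u31)
        'java version "1.5.0_22"',      # not classified by the advisory
    ]
    for s in samples:
        print(f"{s:32} -> affected={is_affected(s)}")
    print("installed java affected:", check_installed_java())
```

Because the advisory only names the 6 and 7 families, the check deliberately returns None rather than guessing for anything else, so an inventory script can flag those hosts for manual review instead of silently marking them safe.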

WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VENDOR RESPONSE

Oracle Corp. has released a patch which addresses this issue. For more information, consult their advisory at the following URL.

https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1404863.1

CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2012-0497 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org/), which standardizes names for security problems.

DISCLOSURE TIMELINE

10/05/2011 Initial Vendor Notification
10/05/2011 Initial Vendor Reply
02/14/2012 Coordinated Public Disclosure

CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

LEGAL NOTICES

Copyright © 2012 Verisign, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.