※ 本文转录自 [Lan] 信箱 作者: [email protected] (TWCERT/CC Fellows) 标题: 【TWCERT/CC安全通报】TW-CA-2005-028-[Sun(sm) A 时间: Thu Mar 10 16:32:41 2005 -----BEGIN PGP SIGNED MESSAGE----- TW-CA-2005-028-[Sun(sm) Alert Notification #57707: Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability] ──────────────────────────────────────── TWCERT/CC发布日期：2005-03-10 原漏洞发布日期：2004-12-20 原漏洞最新更新日期：2004-01-07 通用安全漏洞编号： 分类：Dos, 来源参考：Sun(sm) Alert Notification #57707 ──── 简述 ───────────────────────────────── ──── 说明 ───────────────────────────────── Java Runtime Environment (JRE) 在object deserialization (物件读取)中存在一个安全 弱点。攻击者可利用此弱点进行远端攻击，进而造成 Java 虚拟机器变成无回应的状态，这 是一种阻断服务攻击。 本安全议题会影响正在执行接收不可靠来源 serialized data 的 JRE。 ──── 影响平台 ─────────────────────────────── 此议题可能影响下列发行版本： Windows, Sloaris 与 Linux 的 SDK 和 JRE 1.4.2_05 以前的版本，以及所有 1.4.1 至 1.4.2 的版本 注意：JDK 与 JRE 5.0 的版本和 1.4 以前的版本不受本议题影响。 要确认系统中使用的 Java 之版本，可依下列指令进行确认： % java -fullversion java full version "1.4.1_06-b01" ──── 修正方式 ─────────────────────────────── 暂时解决方法： 无暂时性解决方法，请参阅 "解决方法"。 解决方法： 此议题已於下列版本中解决： Windows, Sloaris 与 Linux 的 SDK 和 JRE 1.4.2_06 以及更新的版本 最新的J2SE可以下列网址取得： ．J2SE 5.0 网址http://java.sun.com/j2se/1.5.0/download.jsp ．J2SE 1.4.2_06 网址http://java.sun.com/j2se/1.4.2/download.html 以及 　http://java.com/ ──── 影响结果 ─────────────────────────────── Java Runtime Environment (JRE)会变成无回应的状态。 ──── 联络TWCERT/CC ───────────────────────────── Tel: 886-7-5250211 FAX: 886-7-5250212 886-2-23563303 886-2-23924082 Email: [email protected] URL: http://www.cert.org.tw/ PGP key: http://www.cert.org.tw/eng/pgp.htm ──────────────────────────────────────── 附件：[Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability] ──── 原文 ───────────────────────────────── Sun(sm) Alert Notification Sun Alert ID: 57707 Synopsis: Java Runtime Environment Remote Denial-of-Service (DoS) Vulnerability Category: Security Product: Java SDK and JRE BugIDs: 5037001 Avoidance: Upgrade State: Resolved Date Released: 20-Dec-2004 Date Closed: 20-Dec-2004 Date Modified: 1. Impact A vulnerability in the Java Runtime Environment (JRE) involving object deserialization could be exploited remotely to cause the Java Virtual Machine to become unresponsive, which is a type of Denial-of-Service (DoS). This issue can affect the JRE if an application that runs on it accepts serialized data from an untrusted source. Sun acknowledges with thanks, Marc Schoenefeld, for bringing this issue to our attention. 2. Contributing Factors This issue can occur in the following releases: SDK and JRE 1.4.2_05 and earlier, and all 1.4.1 and 1.4.0 releases for Windows, Solaris and Linux Note: JDK and JRE 5.0 and releases prior to SDK and JRE 1.4 are not affected by this issue. To determine the version of Java on a system, the following command can be run: % java -fullversion java full version "1.4.1_06-b01" 3. Symptoms The Java Runtime Environment (JRE) is unresponsive. Solution Summary Top 4. Relief/Workaround There is no workaround. Please see the "Resolution" section below. 5. Resolution This issue is addressed in the following releases: SDK and JRE 1.4.2_06 and later for Windows, Solaris, and Linux J2SE releases are available for download at: J2SE 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp J2SE 1.4.2_06 at http://java.sun.com/j2se/1.4.2/download.html and http://java.com/ Note: It is recommended that affected versions be removed from your system. For more information, please see the installation notes on the respective java.sun.com download pages. This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. ──────────────────────────────────────── -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQEVAwUBQjAESqcyQYefg2/NAQGbnQf/TashP+rsphnrTEXBL/Y450DKbIiIy4It 1XInNitXbLoFphMGFYVZ3Bu/l+oNenZi1oSwLFBu+biFaw23OCQMrMIxt2lBb2ec 6X0d60CaGs7Qir6UJk+ejbrSZ+yCgwxdlsrVk/tE+K6WO44RO+Ce58g3bQzqp3d4 xVJ1qFY4z9Cb8aP9ahz/RCgwMkTezRT4flONx682d/KrhumI1Z62bQYPQ74SONSP w+0ua093IBeLlWqdfPJxh32LUtyWTLF0iTbkGeN2nQ7C61qZIyFMCGMERvCAYxV/ E/NbWCHVHCQY+/WYSEAs3Cxb5QElnHggldYAJ07URDSrMCT6y/OGsw== =eG7Y -----END PGP SIGNATURE----- -- Taiwan Computer Emergency Response Team Security Advisory mailing list. Mail to : [email protected] and include a line "subscribe advisory". Please visit http://www.cert.org.tw/. PGP key : http://www.cert.org.tw/eng/pgp.htm