(Java Security Problem) CERT(sm) Advisory CA-96.05
Bob Craigmile
librlc at emory.edu
Fri May 17 14:51:22 EDT 1996
FYI on Java from CERT
>=============================================================================
>CERT(sm) Advisory CA-96.05
>March 5, 1996
>
>Topic: Java Implementations Can Allow Connections to an Arbitrary Host
>
>-----------------------------------------------------------------------------
>
>The CERT Coordination Center has received reports of a vulnerability in
>implementations of the Java Applet Security Manager. This vulnerability is
>present in the Netscape Navigator 2.0 Java implementation and in Release
>1.0 of the Java Developer's Kit from Sun Microsystems, Inc. These
>implementations do not correctly implement the policy that an applet may
>connect only to the host from which the applet was loaded.
>
>The CERT Coordination Center recommends installing patches from the vendors,
>and using the workaround described in Section III until patches can be
>installed.
>
>As we receive additional information relating to this advisory, we
>will place it in
>
> ftp://info.cert.org/pub/cert_advisories/CA-96.05.README
>
>We encourage you to check our README files regularly for updates on
>advisories that relate to your site.
>
>-----------------------------------------------------------------------------
>
>I. Description
>
> There is a serious security problem with the Netscape Navigator 2.0 Java
> implementation. The vulnerability is also present in the Java Developer's
> Kit 1.0 from Sun Microsystems, Inc. The restriction allowing an applet to
> connect only to the host from which it was loaded is not properly
> enforced. This vulnerability, combined with the subversion of the DNS
> system, allows an applet to open a connection to an arbitrary host on the
> Internet.
>
> In these Java implementations, the Applet Security Manager allows an
> applet to connect to any of the IP addresses associated with the name
> of the computer from which it came. This is a weaker policy than the
> stated policy and leads to the vulnerability described herein.
>
>II. Impact
>
> Java applets can connect to arbitrary hosts on the Internet, including
> those presumed to be previously inaccessible, such as hosts behind a
> firewall. Bugs in any TCP/IP-based network service can then be exploited.
> In addition, services previously thought to be secure by virtue of their
> location behind a firewall can be attacked.
>
>III. Solution
>
> To fix this problem, the Applet Security Manager must be more strict
> in deciding which hosts an applet is allowed to connect to. The Java
> system needs to take note of the actual IP address that the applet truly
> came from (getting that numerical address from the applet's packets as
> the applet is being loaded), and thereafter allow the applet to connect
> only to that same numerical address.
>
> We urge you to obtain vendor patches as they become available.
> Until you can install the patches that implement the more strict
> applet connection restrictions, you should apply the workarounds
> described in each section below.
>
> A. Netscape users
>
> For Netscape Navigator 2.0, use the following URL to learn more about
> the problem and how to download and install a patch:
>
> http://home.netscape.com/newsref/std/java_security.html
>
> Until you install the patch, disable Java using the "Security
> Preferences" dialog box.
>
>
> B. Sun users
>
> A patch for Sun's HotJava will be available soon.
>
> Until you can install the patch, disable applet downloading by
> selecting "Options" then "Security...". In the "Enter desired security
> mode" menu, select the "No access" option.
>
> In addition, select the "Apply security mode to applet loading" to
> disable applet loading entirely, regardless of the source of the
> applet.
>
>
> C. Both Netscape and Sun users
>
> If you operate an HTTP proxy server, you could also disable
> applets by refusing to fetch Java ".class" files.
>
>
>---------------------------------------------------------------------------
>The CERT Coordination Center thanks Drew Dean, Ed Felton, and Dan Wallach of
>Princeton University for providing information for this advisory. We thank
>Netscape Communications Corporation, especially Jeff Truehaft, and Sun
>Microsystems, Inc., especially Marianne Mueller, for their response to this
>problem.
>---------------------------------------------------------------------------
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident
>Response and Security Teams (FIRST).
>
>We strongly urge you to encrypt any sensitive information you send by email.
>The CERT Coordination Center can support a shared DES key and PGP. Contact the
>CERT staff for more information.
>
>Location of CERT PGP key
> ftp://info.cert.org/pub/CERT_PGP.key
>
>CERT Contact Information
>------------------------
>Email cert at cert.org
>
>Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST
> (GMT-5)/EDT(GMT-4), and are on call for
> emergencies during other hours.
>
>Fax +1 412-268-6989
>
>Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
>To be added to our mailing list for CERT advisories and bulletins, send your
>email address to
> cert-advisory-request at cert.org
>
>CERT publications, information about FIRST representatives, and other
>security-related information are available for anonymous FTP from
> ftp://info.cert.org/pub/
>
>CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
>
>Copyright 1996 Carnegie Mellon University
>This material may be reproduced and distributed without permission provided it
>is used for noncommercial purposes and the copyright statement is included.
>
>CERT is a service mark of Carnegie Mellon University.
>
>
>
>ÿÿ (Java Security Problem) CERT(sm) Advisory CA-96.05
>
>
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Bob Craigmile, Reference Librarian
Pitts Theology Library, Emory University
librlc at emory.edu | http://www.pitts.emory.edu/bob/bob.html
404.727.1221 (w) 404.378.6388 (h)
More information about the Web4lib
mailing list