CVE-2009-2475


CVE-2009-2475

by David Wagner-3

Does anyone know anything more about the Java vulnerability
CVE-2009-2475?  The only information I could find (see below)
refers to problems with mutable static variables.

Would Joe-E have prevented these flaws?  (Joe-E bans mutable
static variables.)




Several, potential information leaks were found in various mutable static
variables. These could be exploited in application scenarios that execute
untrusted scripting code.

https://bugzilla.redhat.com/show_bug.cgi?id=513215

Sun Java SE 5.0 before Update 20 and 6 before Update 15,
and OpenJDK, might allow context-dependent attackers to obtain
sensitive information via vectors involving static variables that
are declared without the final keyword, related to (1) LayoutQueue,
(2) Cursor.predefined, (3) AccessibleResourceBundle.getContents,
(4) ImageReaderSpi.STANDARD_INPUT_TYPE, (5)
ImageWriterSpi.STANDARD_OUTPUT_TYPE, (6) the imageio plugins, (7)
DnsContext.debug, (8) RmfFileReader/StandardMidiFileWriter.types, (9)
AbstractSaslImpl.logger, (10) Synth.Region.uiToRegionMap/lowerCaseNameMap,
(11) the Introspector class and a cache of BeanInfo, and (12) JAX-WS,
a different vulnerability than CVE-2009-2673.

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475
_______________________________________________
e-lang mailing list
e-lang@...
http://www.eros-os.org/mailman/listinfo/e-lang

Re: CVE-2009-2475

by David-Sarah Hopwood-2

David Wagner wrote:
> Does anyone know anything more about the Java vulnerability
> CVE-2009-2475?  The only information I could find (see below)
> refers to problems with mutable static variables.
>
> Would Joe-E have prevented these flaws?  (Joe-E bans mutable
> static variables.)

Yes, it would (if the code in question were either Joe-E, or not exposed
by taming decisions).

> Several, potential information leaks were found in various mutable static
> variables. These could be exploited in application scenarios that execute
> untrusted scripting code.

I'm not sure why this is referred to only as an information leak; it's
both an information leak and an integrity issue (since obviously, code
using these variables cannot be defensively consistent if they are
globally mutable).

Any public static non-final variable in a Java API is necessarily a bug.
So are static variables that are final but reference mutable objects,
when access to those objects is not controlled by some security check.

--
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

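
The two patterns named in the reply above (a public static non-final field, and a static final field that references a mutable object), shown beside a hardened form. This is an added example, not part of the thread and not JDK code; the class and field names (`Leaky`, `Hardened`, `logTarget`, `ACCEPTED_TYPES`) are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical library classes; none of these names come from the JDK.
public class StaticStateDemo {

    static class Leaky {
        // Pattern 1: public static non-final. Any code in the JVM can reassign it.
        public static String logTarget = "audit.log";
        // Pattern 2: the reference is final, but the array contents are still writable.
        public static final String[] ACCEPTED_TYPES = { "image/png", "image/gif" };

        static boolean accepts(String type) {
            return Arrays.asList(ACCEPTED_TYPES).contains(type);
        }
    }

    // Hardened form: private final state, exposed only through an immutable view.
    static class Hardened {
        private static final String LOG_TARGET = "audit.log";
        private static final List<String> ACCEPTED_TYPES =
            Collections.unmodifiableList(Arrays.asList("image/png", "image/gif"));

        static String logTarget() { return LOG_TARGET; }
        static List<String> acceptedTypes() { return ACCEPTED_TYPES; }
        static boolean accepts(String type) { return ACCEPTED_TYPES.contains(type); }
    }

    public static void main(String[] args) {
        // Stand-in for other code sharing the JVM with the library.
        Leaky.logTarget = "/dev/null";          // integrity: shared state reassigned
        Leaky.ACCEPTED_TYPES[0] = "text/html";  // integrity: "constant" rewritten in place
        System.out.println("Leaky accepts text/html: " + Leaky.accepts("text/html"));
        System.out.println("Leaky log target: " + Leaky.logTarget);

        try {
            Hardened.acceptedTypes().set(0, "text/html");
        } catch (UnsupportedOperationException e) {
            System.out.println("Hardened list rejected the write");
        }
        System.out.println("Hardened accepts text/html: " + Hardened.accepts("text/html"));
        System.out.println("Hardened log target: " + Hardened.logTarget());
    }
}
```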