Sun JDK vulnerabilities

392 known vulnerabilities affecting sun/jdk.

Total CVEs: 392
CISA KEV: 0
Public exploits: 27
Exploited in wild: 1
Severity breakdown: CRITICAL 151, HIGH 70, MEDIUM 149, LOW 20

Vulnerabilities

Page 16 of 20
CVE-2009-1101 | MEDIUM | CVSS 5.0 | ≤ 1.6.0, v1.6.0 | 2009-03-25
Unspecified vulnerability in the lightweight HTTP server implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to cause a denial of service (probably resource consumption) for a JAX-WS service endpoint via a connection without any data, which triggers a file descriptor "leak."
Source: NVD
CVE-2009-1093 | MEDIUM | CVSS 5.0 | CWE-16 | ≤ 1.5.0, ≤ 1.6.0, +2 more | 2009-03-25
LdapCtx in the LDAP service in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier does not close the connection when initialization fails, which allows remote attackers to cause a denial of service (LDAP service hang).
Source: NVD
CVE-2008-5343 | CRITICAL | CVSS 9.0 | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows remote attackers to make unauthorized network connections and hijack HTTP sessions via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR" and CR 6707535.
Source: NVD
CVE-2008-5358 | CRITICAL | CVSS 9.3 | CWE-119 | ≤ 6, v6 | 2008-12-05
Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier might allow remote attackers to execute arbitrary code via a crafted GIF file that triggers memory corruption during display of the splash screen, possibly related to splashscreen.dll.
Source: NVD
CVE-2008-5359 | CRITICAL | CVSS 9.3 | CWE-119 | v1.5.0, v1.6.0 | 2008-12-05
Buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier might allow remote attackers to execute arbitrary code, related to a ConvolveOp operation in the Java AWT library.
Source: NVD
CVE-2008-5355 | CRITICAL | CVSS 10.0 | CWE-287 | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
The "Java Update" feature for Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not verify the signature of the JRE that is downloaded, which allows remote attackers to execute arbitrary code via DNS man-in-the-middle attacks.
Source: NVD
CVE-2008-5356 | CRITICAL | CVSS 9.3 | CWE-119 | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
Heap-based buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file.
Source: NVD
CVE-2008-5354 | CRITICAL | CVSS 9.3 | CWE-119 | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
Stack-based buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows locally-launched and possibly remote untrusted Java applications to execute arbitrary code via a JAR file with a long Main-Class manifest entry.
Source: NVD
CVE-2008-5353 | CRITICAL | CVSS 10.0 | PoC | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserial
Source: NVD
CVE-2008-5352 | CRITICAL | CVSS 9.3 | CWE-189 | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
Integer overflow in the JAR unpacking utility (unpack200) in the unpack library (unpack.dll) in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows untrusted applications and applets to gain privileges via a Pack200 compressed JAR file that triggers a heap-based buffer overflo
Source: NVD
CVE-2008-5357 | CRITICAL | CVSS 9.3 | CWE-189 | v1.5.0, v1.6.0 | 2008-12-05
Integer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file, which triggers a heap-based buffer overflow.
Source: NVD
CVE-2008-5340 | CRITICAL | CVSS 10.0 | CWE-264 | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted JWS applications to gain privileges to access local files or applications via unknown vectors, aka 6727081.
Source: NVD
CVE-2008-2086 | CRITICAL | CVSS 9.3 | CWE-94 | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
Sun Java Web Start and Java Plug-in for JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allow remote attackers to execute arbitrary code via a crafted jnlp file that modifies the (1) java.home, (2) java.ext.dirs, or (3) user.home System Properties, aka "Java Web Start File Inclusion" and
Source: NVD
CVE-2008-5349 | HIGH | CVSS 7.1 | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows remote attackers to cause a denial of service (CPU consumption) via a crafted RSA public key.
Source: NVD
CVE-2008-5348 | HIGH | CVSS 7.1 | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier, when using Kerberos authentication, allows remote attackers to cause a denial of service (OS resource consumption) via unknown vectors.
Source: NVD
CVE-2008-5351 | HIGH | CVSS 7.5 | CWE-264 | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier accepts UTF-8 encodings that are not the "shortest" form, which makes it easier for attackers to bypass protection mechanisms for other applications that rely on shortest-form UTF-8 encodings.
Source: NVD
CVE-2008-5345 | HIGH | CVSS 7.5 | v1.5.0, v1.6.0 | 2008-12-05
Unspecified vulnerability in Java Runtime Environment (JRE) with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier allows code that is loaded from a local filesystem to read arbitrary files and make unauthorized connections to localhost via unknown vectors.
Source: NVD
CVE-2008-5346 | HIGH | CVSS 7.1 | CWE-200 | v1.5.0 | 2008-12-05
Unspecified vulnerability in Java Runtime Environment (JRE) for Sun JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 or earlier allows untrusted applets and applications to read arbitrary memory via a crafted ZIP file.
Source: NVD
CVE-2008-5347 | HIGH | CVSS 7.5 | CWE-264 | ≤ 6, v6 | 2008-12-05
Multiple unspecified vulnerabilities in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier allow untrusted applets and applications to gain privileges via vectors related to access to inner classes in the (1) JAX-WS and (2) JAXB packages.
Source: NVD
CVE-2008-5344 | HIGH | CVSS 7.5 | ≤ 5.0, ≤ 6, +2 more | 2008-12-05
Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted applets to read arbitrary files and make unauthorized network connections via unknown vectors related to applet classloading, aka 6716217.
Source: NVD