Subject: Security Advisory (CVE-2008-3106)
From: Oracle Corporation
Minor Subject: Security Vulnerability in the Java Runtime Environment related to the processing of XML Data may result in information disclosure
Product(s) Affected: Oracle JRockit
A problem was identified that could potentially cause a security vulnerability in certain versions of JRockit. Patches are available to correct this problem (see Section III). Oracle treats potential security problems with a high degree of urgency and endeavors to take appropriate steps to help ensure the security of our customers’ systems. As a result, Oracle strongly suggests the following actions:
- I. Read the following advisory.
- II. Apply the suggested action.
- III. If you know of any additional users interested in future security advisories, please forward them the registration instructions included in this advisory.
I. Description:
A vulnerability in the Java Runtime Environment's processing of XML data may allow an untrusted applet or application downloaded from a website to gain unauthorized access to certain URL resources (such as some files and web pages).
Note: Description of this vulnerability was provided by Sun Microsystems.
II. Impact and CVSS Ratings:
- CVSS Severity Score: 4.3 (Medium)
- Attack Range (AV): Network, Victim must voluntarily interact with attack mechanism
- Attack Complexity (AC): Medium
- Authentication Level (Au): None
- Impact Type: Partial Confidentiality Violation
- Vulnerability Type: Information Disclosure
- CVSS Base Score Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
- Online Calculator: http://nvd.nist.gov/cvss.cfm?calculator&version=2
Note: CVSS base score and vector were determined by NVD (National Vulnerability Database).
III. AFFECTED VERSIONS
The following versions of Oracle JRockit are affected by this vulnerability:
- JRockit R27.6.0 and earlier, JRE and JDK 5.0
- JRockit R27.6.0 and earlier, JRE and JDK 6
IV. SUGGESTED ACTION
Oracle strongly recommends the following course of action.
JRockit R27.6.0 or Earlier, using Java 5.0 or Java 6
1. If you are using JRockit release R27.6.0 or earlier, download the appropriate patch from the following location and save the downloaded patch to a temporary directory:
JRockit 5.0 R27.6.0 JDK Linux (x86 - 32 bit):
Download and apply the patch #7825281 from OracleMetaLink as per the instructions below:
- Select the Patches and Updates tab after logging in to OracleMetaLink.
- Click Simple Search.
- In the Search By field, select Patch Number from the list.
- Enter the patch number. The patch number may be different for different product releases and platforms.
- Select the platform (or choose generic as applicable).
- Click Go.
- Click Download to download the patch.
The same OracleMetaLink steps apply to each of the following platforms; only the patch number differs (#7825281 for JRockit 5.0, #7825293 for JRockit 6):
- JRockit 6 R27.6.0 JDK Linux (x86 - 32 bit): patch #7825293
- JRockit 5.0 R27.6.0 JDK Linux (x86 - 64 bit, Intel EM64T & AMD64 - 64 bit): patch #7825281
- JRockit 6 R27.6.0 JDK Linux (x86 - 64 bit, Intel EM64T & AMD64 - 64 bit): patch #7825293
- JRockit 5.0 R27.6.0 JDK Linux (Intel Itanium - 64 bit): patch #7825281
- JRockit 5.0 R27.6.0 JDK Solaris (SPARC - 64 bit): patch #7825281
- JRockit 6 R27.6.0 JDK Solaris (SPARC - 64 bit): patch #7825293
- JRockit 5.0 R27.6.0 JDK Microsoft Windows (x86 - 32 bit): patch #7825281
- JRockit 6 R27.6.0 JDK Microsoft Windows (x86 - 32 bit): patch #7825293
- JRockit 5.0 R27.6.0 JDK Microsoft Windows (x86 - 64 bit, Intel EM64T & AMD64 - 64 bit): patch #7825281
- JRockit 6 R27.6.0 JDK Microsoft Windows (x86 - 64 bit, Intel EM64T & AMD64 - 64 bit): patch #7825293
- JRockit 5.0 R27.6.0 JDK Microsoft Windows (Intel Itanium - 64 bit): patch #7825281
Note: The patches listed here also include fixes for CVE-2008-3103, CVE-2008-3104, CVE-2008-3105, CVE-2008-3106, CVE-2008-3108, CVE-2008-3109 and CVE-2008-3110.
2. Unpack the patched version of JRockit to the temporary directory.
3. Find the root directory where JRockit is installed. This is usually called “jrockit_150_xx” in your BEA folder.
4. Rename the directory “jrockit_150_xx” to “JRockit_150_xx-Pre-SecAdv-Aug08”.
5. Move the unpacked JRockit installation from your temporary directory to where the old version was located.
6. Running “java -version” on the patched version of JRockit should give the following (example from the Windows x86 32-bit version):
java version "1.5.0_15"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_15-b04)
BEA JRockit(R) (build R27.6.0-50_o_CR373585-101992-1.5.0_15-20080813-1050-windows-ia32, compiled mode)
Note: It is highly recommended that the original files be saved before updating them with the patched files.
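The following POSIX shell script is an added example, not part of the Oracle advisory, that covers two parts of the procedure above: it classifies a “java -version” banner as patched, affected or unknown (the check an administrator runs after step 6, or across a fleet before patching), and it performs steps 3 to 5 as one guarded rename-and-move that refuses to overwrite an existing backup. It assumes that the JRockit release tag appears in the banner as “(build R<major>.<minor>.<rev>-...” and that patched builds carry the “CR373585” tag shown in the advisory's Windows x86 example; the exact build string for other platforms should be confirmed against the patch README. The sample banners are constructed: the patched one is the advisory's own example output, the others are made up for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code): JRockit patch-status check and guarded swap-in.

# Constructed sample banners used in place of a live "java -version" run.
# PATCHED_BANNER is the example output the advisory gives for the patched
# Windows x86 32-bit build; the other two are constructed for illustration.
PATCHED_BANNER='java version "1.5.0_15"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_15-b04)
BEA JRockit(R) (build R27.6.0-50_o_CR373585-101992-1.5.0_15-20080813-1050-windows-ia32, compiled mode)'

UNPATCHED_BANNER='java version "1.5.0_14"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_14-b08)
BEA JRockit(R) (build R27.5.0-110_o-99226-1.5.0_14-20080528-1505-linux-ia32, compiled mode)'

NEWER_BANNER='BEA JRockit(R) (build R28.0.0-1_o-123-1.6.0_14-20090101-0000-linux-x86_64, compiled mode)'

# Print the JRockit release tag (e.g. R27.6.0) found in a banner; print nothing if absent.
jrockit_release() {
    printf '%s\n' "$1" |
        sed -n 's/.*JRockit(R) (build \(R[0-9]*\.[0-9]*\.[0-9]*\)-.*/\1/p' |
        head -n 1
}

# Compare two dotted release numbers (without the leading R); print -1, 0 or 1.
release_cmp() {
    a=$1; b=$2; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return 0; fi
        i=$((i + 1))
    done
    echo 0
}

# Classify a banner as "patched", "affected", "not-affected" or "unknown".
jrockit_status() {
    banner=$1
    rel=$(jrockit_release "$banner")
    if [ -z "$rel" ]; then
        echo unknown               # not a JRockit banner (HotSpot, J9, ...)
        return 0
    fi
    case $banner in
        *CR373585*) echo patched; return 0 ;;   # assumption: tag of the patched build
    esac
    if [ "$(release_cmp "${rel#R}" 27.6.0)" -le 0 ]; then
        echo affected              # R27.6.0 or earlier without the patch tag
    else
        echo not-affected          # newer than the advisory's affected range
    fi
}

# Classify the java on this host's PATH, if any.
check_local_java() {
    if command -v java >/dev/null 2>&1; then
        jrockit_status "$(java -version 2>&1)"
    else
        echo unknown
    fi
}

# Steps 3-5 as one guarded operation.
#   $1 = current JRockit root (e.g. /opt/bea/jrockit_150_xx)
#   $2 = directory holding the unpacked patched JRockit
# The backup name follows the advisory ("<root>-Pre-SecAdv-Aug08"); an existing
# backup is never overwritten, so a re-run cannot destroy the saved original.
swap_in_patched_jrockit() {
    current=$1; patched=$2
    backup="${current}-Pre-SecAdv-Aug08"
    if [ ! -d "$current" ] || [ ! -d "$patched" ]; then
        echo "swap_in_patched_jrockit: missing directory" >&2; return 1
    fi
    if [ -e "$backup" ]; then
        echo "swap_in_patched_jrockit: $backup already exists; refusing to overwrite" >&2; return 1
    fi
    mv "$current" "$backup" && mv "$patched" "$current"
}

# Usage: report the status of the constructed banners and of the local java.
jrockit_status "$PATCHED_BANNER"
jrockit_status "$UNPATCHED_BANNER"
check_local_java
```

Run the script as-is to see the classification of the sample banners, or source it and call `swap_in_patched_jrockit /path/to/jrockit_150_xx /tmp/unpacked-jrockit` once the patch has been unpacked; re-running `jrockit_status "$(java -version 2>&1)"` afterwards should report “patched”.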