The following cyber advisory was issued by the New York State Office of Cyber Security (OCS) and is
intended for State government entities. The information may or may not be applicable to the
general public and accordingly, the State does not warrant its use for any specific purposes.

OCS ADVISORY NUMBER:
2011-080

DATE(S) ISSUED:
12/14/2011

SUBJECT:
Multiple Vulnerabilities in Oracle JRE Java Platform

OVERVIEW:

Multiple vulnerabilities have been discovered in the Oracle Java (formerly known as Sun Java) Runtime Environment (JRE) that could impede proper operations. The Java Runtime Environment is used to enhance the user experience when visiting web sites and is installed on most desktops and servers. These vulnerabilities may be exploited if a user visits or is redirected to a specifically crafted web page, or opens a specially crafted file.

Please note that this update is not part of the Oracle Quarterly Critical Patch Update. The last quarterly update was in October 2011. The next update is scheduled for January 10, 2012.

SYSTEMS AFFECTED:

  • Oracle Java JRE 1.6.0_29 and prior
  • Oracle Java JRE 1.5.0_32 and prior
  • Oracle Java JRE 1.4.2_35 and prior
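As an added check that is not part of the advisory, the following Python script parses `java -version` output and flags an installation whose version falls in one of the affected ranges listed above (the ranges are taken from this advisory; the sample output string is constructed):

```python
import re
import subprocess

# Affected families from the advisory, keyed by (major, minor, micro) with
# the highest affected update number; anything at or below it is affected.
AFFECTED = {
    (1, 6, 0): 29,   # 1.6.0_29 and prior (fixed in 6u30)
    (1, 5, 0): 32,   # 1.5.0_32 and prior
    (1, 4, 2): 35,   # 1.4.2_35 and prior
}

# Matches version strings such as 1.6.0_29 or 1.6.0 (update defaults to 0).
_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Return (major, minor, micro, update) from `java -version` output,
    e.g. 'java version "1.6.0_29"', or None if no version string is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_affected(version):
    """True if the parsed version is within an affected range of this advisory."""
    family, update = version[:3], version[3]
    limit = AFFECTED.get(family)
    return limit is not None and update <= limit


def assess(text):
    """Classify raw `java -version` output as 'affected', 'not affected' or 'unknown'."""
    version = parse_java_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def check_local_host():
    """Run `java -version` on this host (it prints to stderr) and assess it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"   # no java binary on PATH
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Constructed sample of the 6u29 banner format; then the real local check.
    sample = 'java version "1.6.0_29"\nJava(TM) SE Runtime Environment (build 1.6.0_29-b11)'
    print("sample:", assess(sample))
    print("local host:", check_local_host())
```

Versions outside the three listed families (for example 1.7.0_xx) are reported as not affected by this advisory only; they may still need separate review.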

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

DESCRIPTION:
Multiple vulnerabilities have been discovered in the Oracle Java (formerly known as Sun Java) Runtime Environment (JRE) that could impede proper operations.

Many bugs/vulnerabilities were fixed in this Oracle Java JRE release; the most notable was a vulnerability impacting the establishment of TLS/SSL connections. The previous release of Oracle Java JRE introduced a bug that prevented the proper establishment of TLS/SSL connections when certain parameters were used. This bug resulted in applications hanging due to Java incorrectly throwing an IndexOutOfBoundsException or sending an unexpected extra TLS/SSL packet in communications between the server and the client.

As of this writing, only connections using TLS_DH_anon_WITH_AES_128_CBC_SHA have been confirmed to be affected by this particular vulnerability.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Upgrade to the latest Oracle Java JRE version supported on your platform.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

REFERENCES:
Oracle:
http://www.oracle.com/technetwork/java/javase/2col/6u30bugfixes-1394936.html
http://www.oracle.com/technetwork/java/javase/6u30-relnotes-1394870.html
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7103725
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7105007
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6761678
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6670868
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7041800
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6682380