OSVDB ID: 86374

Title: Oracle Java SE / JRE Networking Subcomponent (net.dll) Gopher Protocol XXE Tunneling Weakness

Info

Disclosure
Oct 16, 2012

Discovery
Unknown

Dates

Exploit
Unknown

Solution
Oct 16, 2012

Description

 Oracle Java contains a flaw related to the Networking subcomponent (net.dll). The flaw is related to the Gopher protocol, an awesomely named, but mostly deprecated protocol that may allow an attacker to bypass port restrictions. The issue is due to the protocol not sanitizing input to an XML interface, allowing for XML injection. By sending a crafted XML request, an attacker can trick the system into forwarding the request to arbitrary systems and ports (including localhost), effectively bypassing network restrictions. This can be used to reach vulnerable interfaces or services that are presumably protected by firewalls or other screening devices.

Classification

 Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Private
Disclosure: Vendor Verified, Coordinated Disclosure
OSVDB: Authentication Required

Solution

 Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.

Products

Oracle Corporation

Java JDK

 7 Update 7
6 Update 35
5.0 Update 36

Java JRE

 7 Update 7
6 Update 35
5.0 Update 36
1.4.2_38

Java SDK

 1.4.2_38

References

Credit

Unknown or Incomplete


Direct URL: http://osvdb.org/86374