CVE-2008-3111

CVSS V2 High 10 CVSS V3 None

Description

Multiple buffer overflows in Sun Java Web Start in JDK and JRE 6 before Update 4, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allow context-dependent attackers to gain privileges via an untrusted application, as demonstrated by (a) an application that grants itself privileges to (1) read local files, (2) write to local files, or (3) execute local programs; and as demonstrated by (b) a long value associated with a java-vm-args attribute in a j2se tag in a JNLP file, which triggers a stack-based buffer overflow in the GetVMArgsOption function; aka CR 6557220.

Overview

CVE ID
CVE-2008-3111

Assigner
cve@mitre.org

Vulnerability Status
Modified

Published Version
2008-07-09T23:41:00

Last Modified Date
2018-10-30T16:26:24

Weakness Enumerations

CWE	URL
CWE-119	http://cwe.mitre.org/data/definitions/119.html

CPE Configuration (Product)

CPE	Vulnerable	Operator
cpe:2.3:a:sun:jdk:5.0:update_1::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_10::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_11::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_12::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_13::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_14::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_15::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_2::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_3::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_4::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_5::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_6::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_7::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_8::::::	1	OR
cpe:2.3:a:sun:jdk:5.0:update_9::::::	1	OR
cpe:2.3:a:sun:jdk:6:update_1::::::	1	OR
cpe:2.3:a:sun:jdk:6:update_2::::::	1	OR
cpe:2.3:a:sun:jdk:6:update_3::::::	1	OR
cpe:2.3:a:sun:jre:1.4:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_01:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_02:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_03:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_04:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_05:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_06:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_07:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_8:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_9:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_10:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_11:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_12:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_13:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_14:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_15:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_16:::::::*	1	OR
cpe:2.3:a:sun:jre:1.4.2_17:::::::*	1	OR
cpe:2.3:a:sun:jre:5.0:update_1::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_10::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_11::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_12::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_13::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_14::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_15::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_2::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_3::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_4::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_5::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_6::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_7::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_8::::::	1	OR
cpe:2.3:a:sun:jre:5.0:update_9::::::	1	OR
cpe:2.3:a:sun:jre:6:update_1::::::	1	OR
cpe:2.3:a:sun:jre:6:update_2::::::	1	OR
cpe:2.3:a:sun:jre:6:update_3::::::	1	OR
cpe:2.3:a:sun:sdk:1.4:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_01:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_02:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_03:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_04:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_05:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_06:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_07:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_08:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_09:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_10:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_11:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_12:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_13:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_14:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_15:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_16:::::::*	1	OR
cpe:2.3:a:sun:sdk:1.4.2_17:::::::*	1	OR

CVSS Version 2

Version
2.0

Vector String
AV:N/AC:L/Au:N/C:C/I:C/A:C

Access Vector
NETWORK

Access Compatibility
LOW

Authentication
NONE

Confidentiality Impact
COMPLETE

Integrity Impact
COMPLETE

Availability Impact
COMPLETE

Base Score
10

Severity
HIGH

Exploitability Score
10

Impact Score
10

References

Reference URL	Reference Tags
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238905-1	Patch
http://secunia.com/advisories/31010	Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2008-0595.html
http://secunia.com/advisories/31600	Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2008-0790.html
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00000.html
http://secunia.com/advisories/31055	Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00005.html
http://www.zerodayinitiative.com/advisories/ZDI-08-043/
http://www.securityfocus.com/bid/30148
http://secunia.com/advisories/31497	Vendor Advisory
http://secunia.com/advisories/31320	Vendor Advisory
http://www.us-cert.gov/cas/techalerts/TA08-193A.html	US Government Resource
http://support.apple.com/kb/HT3179
http://secunia.com/advisories/32018	Vendor Advisory
http://lists.apple.com/archives/security-announce//2008/Sep/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00002.html
http://support.apple.com/kb/HT3178
http://secunia.com/advisories/32180	Vendor Advisory
http://www.vmware.com/security/advisories/VMSA-2008-0016.html
http://marc.info/?l=bugtraq&m=122331139823057&w=2
http://secunia.com/advisories/32179	Vendor Advisory
http://www.securitytracker.com/id?1020452
http://security.gentoo.org/glsa/glsa-200911-02.xml
http://secunia.com/advisories/37386	Vendor Advisory
http://www.vupen.com/english/advisories/2008/2056/references	Vendor Advisory
http://www.vupen.com/english/advisories/2008/2740	Vendor Advisory
http://secunia.com/advisories/31736
https://exchange.xforce.ibmcloud.com/vulnerabilities/43664
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10541
http://www.securityfocus.com/archive/1/497041/100/0/threaded
http://www.securityfocus.com/archive/1/494505/100/0/threaded

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2008-3111
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3111

History

Created	Old Value	New Value	Data Type	Notes
2022-05-10 17:58:25				Added to TrackCVE