Vulnerabilidad en el componente ImageIO en Oracle Java SE y Java for Business (CVE-2010-0841)
Gravedad CVSS v2.0:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
01/04/2010
Última modificación:
11/04/2025
Descripción
Vulnerabilidad no especificada en el componente ImageIO en Oracle Java SE y Java para Business 6 Update 18, 5.0 Update 23 y 1.4.2_25 permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a través de vectores desconocidos. NOTA: la información previa fue obtenida de la CPU Marzo 2010. Oracle no ha comentado sobre alegaciones de un investigador confiable de que esto es un desbordamiento de entero en Java Runtime Environment que permite a atacantes remotos ejecutar código arbitrario a través de una imagen JPEG que contiene dimensiones de la submuestra con valores grandes, relacionado con JPEGImageReader y "stepX".
Impacto
Puntuación base 2.0
7.50
Gravedad 2.0
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:sun:jre:*:update_18:*:*:*:*:*:* | 1.6.0 (incluyendo) | |
| cpe:2.3:a:sun:jre:1.6.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_14:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_15:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_16:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_17:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_2:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_3:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_4:*:*:*:*:*:* | ||
| cpe:2.3:a:sun:jre:1.6.0:update_5:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751
- http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751
- http://lists.apple.com/archives/security-announce/2010//May/msg00001.html
- http://lists.apple.com/archives/security-announce/2010//May/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
- http://marc.info/?l=bugtraq&m=127557596201693&w=2
- http://marc.info/?l=bugtraq&m=127557596201693&w=2
- http://marc.info/?l=bugtraq&m=134254866602253&w=2
- http://secunia.com/advisories/39317
- http://secunia.com/advisories/39659
- http://secunia.com/advisories/39819
- http://secunia.com/advisories/40211
- http://secunia.com/advisories/40545
- http://secunia.com/advisories/43308
- http://support.apple.com/kb/HT4170
- http://support.apple.com/kb/HT4171
- http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
- http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html
- http://www.redhat.com/support/errata/RHSA-2010-0337.html
- http://www.redhat.com/support/errata/RHSA-2010-0338.html
- http://www.redhat.com/support/errata/RHSA-2010-0383.html
- http://www.redhat.com/support/errata/RHSA-2010-0471.html
- http://www.redhat.com/support/errata/RHSA-2010-0489.html
- http://www.securityfocus.com/archive/1/510531/100/0/threaded
- http://www.securityfocus.com/archive/1/516397/100/0/threaded
- http://www.securityfocus.com/bid/39067
- http://www.vmware.com/security/advisories/VMSA-2011-0003.html
- http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html
- http://www.vupen.com/english/advisories/2010/1191
- http://www.vupen.com/english/advisories/2010/1454
- http://www.vupen.com/english/advisories/2010/1523
- http://www.vupen.com/english/advisories/2010/1793
- http://www.zerodayinitiative.com/advisories/ZDI-10-054/
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14144
- http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751
- http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751
- http://lists.apple.com/archives/security-announce/2010//May/msg00001.html
- http://lists.apple.com/archives/security-announce/2010//May/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html
- http://marc.info/?l=bugtraq&m=127557596201693&w=2
- http://marc.info/?l=bugtraq&m=127557596201693&w=2
- http://marc.info/?l=bugtraq&m=134254866602253&w=2
- http://secunia.com/advisories/39317
- http://secunia.com/advisories/39659
- http://secunia.com/advisories/39819
- http://secunia.com/advisories/40211
- http://secunia.com/advisories/40545
- http://secunia.com/advisories/43308
- http://support.apple.com/kb/HT4170
- http://support.apple.com/kb/HT4171
- http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
- http://www.oracle.com/technetwork/topics/security/javacpumar2010-083341.html
- http://www.redhat.com/support/errata/RHSA-2010-0337.html
- http://www.redhat.com/support/errata/RHSA-2010-0338.html
- http://www.redhat.com/support/errata/RHSA-2010-0383.html
- http://www.redhat.com/support/errata/RHSA-2010-0471.html
- http://www.redhat.com/support/errata/RHSA-2010-0489.html
- http://www.securityfocus.com/archive/1/510531/100/0/threaded
- http://www.securityfocus.com/archive/1/516397/100/0/threaded
- http://www.securityfocus.com/bid/39067
- http://www.vmware.com/security/advisories/VMSA-2011-0003.html
- http://www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html
- http://www.vupen.com/english/advisories/2010/1191
- http://www.vupen.com/english/advisories/2010/1454
- http://www.vupen.com/english/advisories/2010/1523
- http://www.vupen.com/english/advisories/2010/1793
- http://www.zerodayinitiative.com/advisories/ZDI-10-054/
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14144