Vulnerability CVE-2008-3105 - CERT Civis.Net

Vulnerability Name:

CVE-2008-3105 (CCN-43657)

Assigned:

2008-07-08

Published:

2008-07-08

Updated:

2018-10-11

Summary:

Unspecified vulnerability in the JAX-WS client and service in Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows remote attackers to access URLs or cause a denial of service via unknown vectors involving "processing of XML data" by a trusted application.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

8.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:C)
6.1 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Complete

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2008-3105

Source: APPLE
Type: UNKNOWN
APPLE-SA-2008-09-24

Source: SUSE
Type: UNKNOWN
SUSE-SA:2008:042

Source: BUGTRAQ
Type: UNKNOWN
20081004 VMSA-2008-0016 VMware Hosted products, VirtualCenter Update 3 and

Source: CCN
Type: RHSA-2008-0594
Critical: java-1.6.0-sun security update

Source: CCN
Type: RHSA-2008-0906
Critical: java-1.6.0-ibm security update

Source: CCN
Type: RHSA-2008-1044
Important: java-1.5.0-bea security update

Source: CCN
Type: RHSA-2008-1045
Important: java-1.6.0-bea security update

Source: CCN
Type: SA31010
Sun Java JDK / JRE Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
31010

Source: SECUNIA
Type: UNKNOWN
31600

Source: CCN
Type: SA32018
Mac OS X Java Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
32018

Source: CCN
Type: SA32179
VMware VirtualCenter Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
32179

Source: CCN
Type: SA32180
VMware ESX Server Sun Java JDK / JRE Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
32180

Source: SECUNIA
Type: UNKNOWN
32436

Source: SECUNIA
Type: UNKNOWN
33237

Source: SECUNIA
Type: UNKNOWN
33238

Source: SECUNIA
Type: UNKNOWN
37386

Source: GENTOO
Type: UNKNOWN
GLSA-200911-02

Source: CCN
Type: SECTRACK ID: 1020457
Java Runtime Environment XML Processing Bug Lets Remote Users Access Resources

Source: CCN
Type: Sun Alert: 238628
Security Vulnerabilities in the Java Runtime Environment related to the processing of XML Data

Source: SUNALERT
Type: Patch
238628

Source: CCN
Type: Apple Web site
About the security content of Java for Mac OS X 10.4, Release 7

Source: CONFIRM
Type: UNKNOWN
http://support.apple.com/kb/HT3179

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2008-299.htm

Source: CCN
Type: ASA-2008-299
Security Vulnerabilities in the Java Runtime Environment related to the processing of XML Data (Sun 238628)

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2008-428.htm

Source: CCN
Type: ASA-2008-428
java-1.6.0-ibm security update (RHSA-2008-0906)

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2008-507.htm

Source: CCN
Type: ASA-2008-507
java-1.5.0-bea security update (RHSA-2008-1044)

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2008-509.htm

Source: CCN
Type: ASA-2008-509
java-1.6.0-bea security update (RHSA-2008-1045)

Source: CCN
Type: NORTEL BULLETIN ID: 2008008988, Rev 1
Nortel Response to Sun Java JDK / JRE Multiple Vulnerabilities

Source: CONFIRM
Type: UNKNOWN
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=751014

Source: CCN
Type: NORTEL BULLETIN ID: 2008008988, Rev 2
Nortel Response to Sun Java JDK / JRE Multiple Vulnerabilities

Source: CONFIRM
Type: UNKNOWN
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=756717

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0594

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0906

Source: REDHAT
Type: UNKNOWN
RHSA-2008:1044

Source: REDHAT
Type: UNKNOWN
RHSA-2008:1045

Source: BUGTRAQ
Type: UNKNOWN
20081004 VMSA-2008-0016 VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues

Source: BID
Type: UNKNOWN
30143

Source: CCN
Type: BID-30143
Sun Java Runtime Environment XML Data Processing Multiple Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1020457

Source: CERT
Type: US Government Resource
TA08-193A

Source: CCN
Type: VMSA-2008-0016
VMware Hosted products, VirtualCenter Update 3 and patches for ESX and ESXi resolve multiple security issues

Source: CONFIRM
Type: UNKNOWN
http://www.vmware.com/security/advisories/VMSA-2008-0016.html

Source: VUPEN
Type: UNKNOWN
ADV-2008-2056

Source: VUPEN
Type: UNKNOWN
ADV-2008-2740

Source: XF
Type: UNKNOWN
sun-jre-jaxws-unauth-access(43654)

Source: XF
Type: UNKNOWN
sun-jre-xml-dos(43657)

Source: XF
Type: UNKNOWN
sun-jre-xml-dos(43657)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:11274

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: SUSE
Type: SUSE-SA:2008:042
Sun Java security update

Vulnerable Configuration:

Configuration 1:

cpe:/a:sun:jdk:6:update_1:*:*:*:*:*:*

OR cpe:/a:sun:jdk:6:update_2:*:*:*:*:*:*

OR cpe:/a:sun:jdk:6:update_3:*:*:*:*:*:*

OR cpe:/a:sun:jdk:6:update_4:*:*:*:*:*:*

OR cpe:/a:sun:jdk:6:update_5:*:*:*:*:*:*

OR cpe:/a:sun:jdk:*:update_6:*:*:*:*:*:* (Version <= 6)

OR cpe:/a:sun:jre:6:update_1:*:*:*:*:*:*

OR cpe:/a:sun:jre:6:update_2:*:*:*:*:*:*

OR cpe:/a:sun:jre:6:update_3:*:*:*:*:*:*

OR cpe:/a:sun:jre:6:update_4:*:*:*:*:*:*

OR cpe:/a:sun:jre:6:update_5:*:*:*:*:*:*

OR cpe:/a:sun:jre:*:update_6:*:*:*:*:*:* (Version <= 6)

Configuration RedHat 1:

cpe:/a:redhat:rhel_extras:5:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:sun:jre:1.6.0:update6:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update6:*:*:*:*:*:*

AND

cpe:/o:novell:linux_desktop:9:*:*:*:*:*:*:*

OR cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:5.5.1:*:*:*:*:*:*:*

OR cpe:/o:suse:novell_linux_pos:9:*:*:*:*:*:*:*

OR cpe:/o:vmware:esx:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.0:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.5:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.5:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.5.1:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.5.1:*:*:*:*:*:*:*

OR cpe:/o:vmware:esx:3.0.2:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.5.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:2.0:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.5.2:*:*:*:*:*:*:*

OR cpe:/a:novell:open_enterprise_server:-:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:1.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:5.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:5.5.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:5.5.4:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:10.2:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:10.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:2.0.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:2.0.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:2.0.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:esx_server:3.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:5.5.0:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:5.5.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:5.5.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:5.5.6:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.0.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:1.0.5:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.1:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.2:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.4:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.5:*:*:*:*:*:*:*

OR cpe:/o:opensuse:opensuse:11.0:*:*:*:*:*:*:*

OR cpe:/o:novell:suse_linux_enterprise_server:10:sp2:itanium_ia64:*:*:*:*:*

OR cpe:/o:apple:mac_os_x_server:10.5.3:*:*:*:*:*:*:*

OR cpe:/o:apple:mac_os_x:10.5.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:esx_server:3.0.3:*:*:*:*:*:*:*

OR cpe:/a:vmware:server:1.0.6:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:5.5.7:*:*:*:*:*:*:*

OR cpe:/a:vmware:workstation:6.0.4:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:1.0.6:*:*:*:*:*:*:*

OR cpe:/a:vmware:ace:2.0.4:*:*:*:*:*:*:*

OR cpe:/a:vmware:virtualcenter:2.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20083105	V	CVE-2008-3105	2015-11-16
oval:org.mitre.oval:def:22389	P	ELSA-2008:0594: java-1.6.0-sun security update (Critical)	2014-05-26
oval:org.mitre.oval:def:22274	P	ELSA-2008:0906: java-1.6.0-ibm security update (Critical)	2014-05-26
oval:org.mitre.oval:def:11274	V	Unspecified vulnerability in the JAX-WS client and service in Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 6 and earlier allows remote attackers to access URLs or cause a denial of service via unknown vectors involving "processing of XML data" by a trusted application.	2010-09-06
oval:com.redhat.rhsa:def:20080906	P	RHSA-2008:0906: java-1.6.0-ibm security update (Critical)	2008-10-24
oval:com.redhat.rhsa:def:20080594	P	RHSA-2008:0594: java-1.6.0-sun security update (Critical)	2008-07-14