Sun Java Runtime Environment Font.createFont() denial of service

sun-java-fontcreatefont-dos (26493) The risk level is classified as MediumMedium Risk

Description:

Sun Java Runtime Environment (JRE) is vulnerable to a denial of service caused by a vulnerability in the Font.createFont() method. The Font.createFont() method could create an overly large temporary file in the %temp% directory that could consume all available disk space.


Consequences:

Denial of Service

Remedy:

Apply the appropriate patch for your system. See References.

References:

  • BugTraq Mailing List, Sat May 13 2006 - 20:57:51 CDT: JDK 1.4.2_11, 1.5.0_06, unsigned applets consuming all free harddisk space.
  • ASA-2009-108: java-1.6.0-sun security update (RHSA-2009-0392)
  • ASA-2009-109: java-1.5.0-sun security update (RHSA-2009-0394)
  • BID-17981: Sun Java Applet Font.createFont Remote Denial Of Service Vulnerability
  • CVE-2006-2426: Sun Java Runtime Environment (JRE) 1.5.0_6 and earlier, JDK 1.5.0_6 and earlier, and SDK 1.5.0_6 and earlier allows remote attackers to cause a denial of service (disk consumption) by using the Font.createFont function to create temporary files of arbitrary size in the %temp% directory.
  • DSA-1769: openjdk-6 -- several vulnerabilities
  • OSVDB ID: 25561: Sun Java JRE Font.createFont() Method Disk Space Saturation DoS
  • RHSA-2009-0377: Important: java-1.6.0-openjdk security update
  • RHSA-2009-0392: Critical: java-1.6.0-sun security update
  • RHSA-2009-0394: Critical: java-1.5.0-sun security update
  • RHSA-2009-1662: Low: Red Hat Network Satellite Server Sun Java Runtime security update
  • SA20132: Sun Java JRE Large Temporary File Creation Vulnerability
  • SUSE-SR:2006:012: SUSE Security Summary Report
  • USN-748-1: OpenJDK vulnerabilities
  • VUPEN/ADV-2006-1824: Sun Java Runtime Environment Temporary File Creation Remote DoS Vulnerability

Platforms Affected:

  • Canonical Ubuntu 8.10
  • Debian Debian Linux 5.0
  • RedHat Enterprise Linux 5
  • RedHat Enterprise Linux 5 Client
  • RedHat Enterprise Linux 5.3.z EUS
  • RedHat Enterprise Linux Long Life 5.3
  • RedHat Network Satellite Server 5.1
  • RedHat Red Hat Enterprise Linux 4.7.z Extras
  • RedHat RHEL Desktop Supplementary 5 Client
  • RedHat RHEL Extras 4
  • RedHat RHEL Supplementary 5 Server
  • RedHat RHEL Supplementary 5.3.z EUS
  • Sun JDK 1.5.0 Update6
  • Sun JDK 1.5.0 Update5
  • Sun JDK 1.5.0 Update4
  • Sun JDK 1.5.0 Update3
  • Sun JDK 1.5.0 Update2
  • Sun JDK 1.5.0
  • Sun JDK 1.5.0 Update1
  • Sun JRE 1.4.2 Update3
  • Sun JRE 1.4.2 Update2
  • Sun JRE 1.4.2 Update5
  • Sun JRE 1.4.2 Update7
  • Sun JRE 1.4.2 Update8
  • Sun JRE 1.4.2 Update9
  • Sun JRE 1.4.2 Update4
  • Sun JRE 1.4.2
  • Sun JRE 1.4.2 Update6
  • Sun JRE 1.4.2 Update1
  • Sun JRE 1.4.2 Update10
  • Sun JRE 1.4.2 Update11
  • Sun JRE 1.5.0 Update2
  • Sun JRE 1.5.0 Update6
  • Sun JRE 1.5.0 Update5
  • Sun JRE 1.5.0 Update4
  • Sun JRE 1.5.0
  • Sun JRE 1.5.0 Update3
  • Sun JRE 1.5.0 Update1
  • Sun SDK 1.4.2
  • Sun SDK 1.4.2_01
  • Sun SDK 1.4.2_02
  • Sun SDK 1.4.2_03
  • Sun SDK 1.4.2_04
  • Sun SDK 1.4.2_05
  • Sun SDK 1.4.2_06
  • Sun SDK 1.4.2_07
  • Sun SDK 1.4.2_08
  • Sun SDK 1.4.2_09
  • Sun SDK 1.4.2_10
  • Sun SDK 1.4.2_11

Reported:

May 13, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page