
Oracle Java Remote DNS Poisoning via Port Exhaustion #2

Aleph Research Advisory

Identifier

Severity

High

Product

Oracle Java

Vulnerable Version

Oracle Java before version 1.6u29

Mitigation

Upgrade to Oracle Java 1.6u29.

Technical Details

The patch for CVE-2010-4448 mitigated the Port Exhaustion vulnerability by limiting the number of ports each JVM may hold to 1024. That limit can be bypassed by running multiple JVMs, each consuming its own allowance of 1024 ports. A new patch was therefore released with a lower limit of 50 ports per JVM, which makes the multi-JVM bypass infeasible.
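The following is an added example, not code from the advisory or from Oracle. It models the reasoning behind the lowered cap: a per-JVM port limit bounds how many ephemeral ports a set of JVMs can occupy, and therefore how much source-port entropy the host resolver keeps. The ephemeral range (28,232 ports, the Linux default 32768 to 60999) and the function names are assumptions chosen for illustration.

```python
import math

# Constructed assumption: Linux default ephemeral range 32768-60999.
EPHEMERAL_RANGE = 60999 - 32768 + 1  # 28232 ports


def ports_held(jvms: int, cap_per_jvm: int) -> int:
    """Ports that `jvms` JVMs can occupy under a per-JVM cap, bounded by the pool."""
    return min(jvms * cap_per_jvm, EPHEMERAL_RANGE)


def remaining_entropy_bits(jvms: int, cap_per_jvm: int) -> float:
    """Source-port entropy (bits) left to the resolver once those ports are held."""
    free = EPHEMERAL_RANGE - ports_held(jvms, cap_per_jvm)
    return math.log2(free) if free > 0 else 0.0


def jvms_needed_to_leave(free_ports: int, cap_per_jvm: int) -> int:
    """Minimum number of JVMs needed to shrink the free pool to `free_ports`."""
    return math.ceil((EPHEMERAL_RANGE - free_ports) / cap_per_jvm)


if __name__ == "__main__":
    for cap in (1024, 50):
        # How many JVMs must run to leave only 256 candidate source ports (8 bits)?
        print(f"cap={cap:5d}: {jvms_needed_to_leave(256, cap)} JVMs needed, "
              f"entropy with one JVM = {remaining_entropy_bits(1, cap):.2f} bits")
```

With the 1024-port cap a few dozen JVMs suffice to collapse the resolver's source-port choice to a few hundred candidates; with the 50-port cap the same effect needs several hundred JVMs, which is the margin the second patch relies on.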

Timeline

Credit

External References