July 25, 2008

Java Web Start is a framework developed by Sun Microsystems. Unlike Java applets, Web Start applications do not run inside the browser, which allows an application to implement richer functionality while still preserving sandbox-level security. Java Network Launching Protocol (JNLP) is an XML-based protocol that specifies how Java Web Start applications are launched.

There exists a stack based buffer overflow vulnerability in Sun Java Web Start. The vulnerability, which has been assigned CVE-2008-3111, is due to improper handling of attributes of the j2se element within a JNLP file. More specifically, the vulnerable code copies the values of “initial-heap-size” and “max-heap-size” using a sprintf() function without validating the size of those values. A remote attacker can exploit this vulnerability by enticing the target user to open a crafted JNLP file, potentially causing arbitrary code to be injected and executed in the context of the current user.

SonicWALL has developed 2 IPS signatures for this vulnerability:

• 5120 Java Web Start JNLP File initial-heap-size BO Attempt
• 5121 Java Web Start JNLP File max-heap-size BO Attempt

These signatures detect and prevent malicious JNLP files from reaching the internal network.