Multiple Java Runtime Implementations UTF-8 Input Validation Vulnerability
BID:30633
Info
| Bugtraq ID: | 30633 |
| Class: | Input Validation Error |
| CVE: | CVE-2008-2938 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 11 2008 12:00AM |
| Updated: | Apr 13 2015 10:13PM |
| Credit: | Simon Ryeo and William A. Rowe, Jr. |

Vulnerable:
- WiKID Systems WiKID Server 3.0.4
- SuSE SUSE Linux Enterprise Server 10 SP2
- Sun Solaris 10
- Sun JRE (Windows Production Release) 1.5 _06, 1.5 _05, 1.5 _04, 1.5 _03, 1.5 _02, 1.5 _01, 1.5, 1.4.2 _10, 1.4.2 _09, 1.4.2 _08, 1.4.2 _07, 1.4.2 _06, 1.4.2 _05, 1.4.2 _04, 1.4.2 _03, 1.4.2 _02, 1.4.2 _01, 1.4.2, 1.6.0_2, 1.6.0_03, 1.6.0_02, 1.6.0_01, 1.5.0_14, 1.5.0_13, 1.5.0_12, 1.5.0_11, 1.5.0_10, 1.5.0.0_09, 1.5.0.0_08, 1.5.0.0_07, 1.4.2_18, 1.4.2_17, 1.4.2_16, 1.4.2_15, 1.4.2_14, 1.4.2_13, 1.4.2_12, 1.4.2_11
- Sun JRE (Solaris Production Release) 1.5 _06, 1.5 _05, 1.5 _04, 1.5 _03, 1.5 _02, 1.5 _01, 1.5, 1.4.2 _10, 1.4.2 _09, 1.4.2 _08, 1.4.2 _07, 1.4.2 _06, 1.4.2 _05, 1.4.2 _04, 1.4.2 _03, 1.4.2 _02, 1.4.2 _01, 1.4.2, 1.6.0_2, 1.6.0_03, 1.6.0_02, 1.6.0_01, 1.5.0_14, 1.5.0_13, 1.5.0_12, 1.5.0_11, 1.5.0_10, 1.5.0.0_09, 1.5.0.0_08, 1.5.0.0_07, 1.4.2_18, 1.4.2_17, 1.4.2_16, 1.4.2_15, 1.4.2_14, 1.4.2_13, 1.4.2_12, 1.4.2_11
- Sun JRE (Linux Production Release) 1.5 _07, 1.5 _06, 1.5 _05, 1.5 _04, 1.5 _03, 1.5 _02, 1.5 _01, 1.5 .0 beta, 1.5, 1.4.2 _10-b03, 1.4.2 _10, 1.4.2 _09, 1.4.2 _08, 1.4.2 _07, 1.4.2 _06, 1.4.2 _05, 1.4.2 _04, 1.4.2 _03, 1.4.2 _02, 1.4.2 _01, 1.4.2, 1.6.0_03, 1.6.0_02, 1.6.0_01, 1.5.0_14, 1.5.0_13, 1.5.0_12, 1.5.0_11, 1.5.0_10, 1.5.0_09, 1.5.0_08, 1.4.2_18, 1.4.2_17, 1.4.2_16, 1.4.2_15, 1.4.2_14, 1.4.2_13, 1.4.2_12, 1.4.2_11
- S.u.S.E. openSUSE 11.0, 10.3, 10.2
- Redhat Red Hat Network Satellite Server 5.0.1, 5.0
- Redhat Red Hat Network Satellite (for RHEL 4) 5.1
- Redhat JBoss Enterprise Application Platform 4.2 EL5, 4.2 EL4, 4.2 .CP03, 4.2
- Redhat Enterprise Linux Desktop Workstation 5 client
- Redhat Enterprise Linux Desktop 5 client
- Redhat Enterprise Linux 5 Server
- Redhat Developer Suite AS4 3
- Redhat Application Server WS4 2, ES4 2, AS4 2
- Oracle Oracle10g Application Server 10.1.3 .1.0
- OpenJDK java 1.6
- Novell ZENworks Linux Management 7.3
- Mandriva Linux Mandrake 2008.1 x86_64, 2008.1, 2008.0 x86_64, 2008.0
- HP HP-UX B.11.31, B.11.23, B.11.11
- Fujitsu INTERSTAGE Studio Standard-J Edition 9.1, 9.0, 8.0.1, 9.1.0 B
- Fujitsu INTERSTAGE Studio Enterprise Edition 9.1, 9.0, 8.0.1, 9.1.0 B
- Fujitsu INTERSTAGE Job Workload Server 8.1
- Fujitsu INTERSTAGE Business Application Server Enterprise 8.0.0
- Fujitsu INTERSTAGE Apworks Modelers-J Edition 7.0, 6.0A, 6.0
- Fujitsu INTERSTAGE Application Server Standard-J Edition 9.1, 9.0 A, 9.0, 8.0.2, 8.0, 9.1.0B
- Fujitsu INTERSTAGE Application Server Plus Developer 7.0, 6.0
- Fujitsu Interstage Application Server Plus 7.0.1, 7.0, 6.0
- Fujitsu INTERSTAGE Application Server Enterprise Edition 9.1, 9.0 A, 9.0, 8.0.2, 8.0, 7.0.1, 9.1.0B, 7.0, 6.0
- Avaya Meeting Exchange - Enterprise Edition
- Avaya Meeting Exchange 5.0 .0.52, 5.0
- Avaya Aura Application Enablement Services 4.2.1, 4.0.1, 3.1.6, 3.1.5, 3.1.4, 3.1.3, 4.2, 4.1, 4.0, 3.1, 3.0
- Apple Mac OS X Server 10.5.5
- Apache Tomcat 6.0.16, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0
- Apache Tomcat 5.5.26, 5.5.25, 5.5.24, 5.5.23, 5.5.22, 5.5.21, 5.5.20, 5.5.19, 5.5.18, 5.5.17, 5.5.16, 5.5.15, 5.5.14, 5.5.13, 5.5.12, 5.5.11, 5.5.10, 5.5.9, 5.5.8, 5.5.7, 5.5.6, 5.5.5, 5.5.4, 5.5.3, 5.5.2, 5.5.1, 5.5
- Apache Tomcat 4.1.37, 4.1.36, 4.1.34, 4.1.32, 4.1.31, 4.1.30, 4.1.29, 4.1.28, 4.1.24, 4.1.12, 4.1.10, 4.1.9 beta, 4.1.3 beta, 4.1.3, 4.1
- Apache Harmony 5.0 M8, 5.0 M7

Not Vulnerable:
- WiKID Systems WiKID Server 3.0.5
- Sun JRE (Windows Production Release) 1.6.0_11, 1.5.0_17, 1.4.2_19
- Sun JRE (Solaris Production Release) 1.6.0_11, 1.5.0_17, 1.4.2_19
- Sun JRE (Linux Production Release) 1.6.0_11, 1.5.0_17, 1.4.2_19
- Redhat JBoss Enterprise Application Platform 4.2 .CP04
- Apache Tomcat 6.0.18, 5.5.27, 4.1.39
Discussion
Multiple Java runtime implementations are prone to a vulnerability because the applications fail to sufficiently sanitize user-supplied input.
Exploiting this issue in Apache Tomcat will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks. Other attacks may also be possible.
Exploiting this issue in other applications will depend on the individual application. Successful exploits may result in a bypass of intended security filters. This may have various security impacts. We will update this BID pending further investigation.
UPDATE (December 18, 2008): Reports indicate that this issue may affect additional, unspecified Java Virtual Machine (JVM) implementations distributed by Sun, HP, IBM, Apple, and Apache. We will update this BID as more information becomes available.
UPDATE (January 9, 2009): This BID previously documented an issue in Apache Tomcat. Further reports indicate that the underlying issue is in various Java runtime implementations.
Exploit / POC
An attacker can exploit this issue via a browser.
The following example URIs and exploit for Apache Tomcat are available:
http://www.example.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar
http://www.example.com/contextpath/%c0%ae%c0%ae/WEB-INF/web.xml
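A defender-side check for the overlong UTF-8 form these URIs rely on, added here as an example that is not part of the original advisory or of any vendor's code: %c0%ae is a two-byte encoding of U+002E ('.'), which valid UTF-8 forbids because '.' fits in one byte, so a decoder that accepts it turns %c0%ae%c0%ae into '..'. The block locates such sequences in a percent-decoded path, flags suspicious request paths, and scans a few constructed access-log lines; the function names and log lines are my own.

```python
import re
from urllib.parse import unquote_to_bytes

_MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000}  # smallest code point per sequence length

def overlong_sequences(data: bytes):
    """Return (offset, length, code_point) for each overlong UTF-8 sequence."""
    found, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0xC0 or b >= 0xF8:   # ASCII, stray continuation or invalid lead byte
            i += 1
            continue
        n = 2 if b < 0xE0 else 3 if b < 0xF0 else 4
        cp = b & (0x7F >> n)        # payload bits of the lead byte: 5, 4 or 3
        tail = data[i + 1:i + n]
        if len(tail) != n - 1 or any(t & 0xC0 != 0x80 for t in tail):
            i += 1                  # truncated sequence; the strict decoder catches it
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < _MIN_CP[n]:         # e.g. C0 AE -> U+002E, which needs only one byte
            found.append((i, n, cp))
        i += n
    return found

def is_suspicious_path(raw_path: str) -> bool:
    """Flag a request path that carries overlong UTF-8 or a '..' segment."""
    data = unquote_to_bytes(raw_path)
    if overlong_sequences(data):
        return True
    try:
        text = data.decode("utf-8")   # strict: rejects overlong and invalid forms
    except UnicodeDecodeError:
        return True
    return ".." in text.split("/")

# Constructed access-log lines (not real traffic), common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Aug/2008:10:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [11/Aug/2008:10:00:02 +0000] "GET /app/%c0%ae%c0%ae/WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.9 - - [11/Aug/2008:10:00:03 +0000] "GET /app/caf%c3%a9.html HTTP/1.1" 404 128
"""
_REQ = re.compile(r'"[A-Z]+ (\S+) HTTP/')

def flag_requests(log_text: str):
    """Return the request paths in the log that is_suspicious_path flags."""
    return [m.group(1) for line in log_text.splitlines()
            if (m := _REQ.search(line)) and is_suspicious_path(m.group(1))]
```

Python's own UTF-8 codec already rejects overlong forms, so the strict decode alone would catch %c0%ae; the explicit scanner is there to show which bytes and which code point triggered the rejection.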
Solution / Fix
Solution:
Vendor updates are available. Please see the references for more information.
Mandriva Linux Mandrake 2008.0
- Mandriva tomcat5-5.5.23-9.2.10.2mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/
- Mandriva tomcat5-admin-webapps-5.5.23-9.2.10.2mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/
- Mandriva tomcat5-common-lib-5.5.23-9.2.10.2mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-5.5.23-9.2.10.2mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-5.5.23-9.2.10.2mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/
- Mandriva tomcat5-server-lib-5.5.23-9.2.10.2mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-5.5.23-9.2.10.2mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/
- Mandriva tomcat5-webapps-5.5.23-9.2.10.2mdv2008.0.i586.rpm
  http://www.mandriva.com/en/download/

Apple Mac OS X Server 10.5.5
- Apple SecUpdSrvr2008-007.dmg
  http://www.apple.com/support/downloads/securityupdate2008007serverleopard.html

Apache Tomcat 4.1.37
- Apache Software Foundation 681065
  http://svn.apache.org/viewvc?view=rev&revision=681065
References
References:
- Apache Tomcat 6.x vulnerabilities (Apache)
- Apache Tomcat Homepage (Apache)
- Changes in 1.6.0_11 (Sun)
- Harmony Homepage (Apache Software Foundation)
- JBoss Enterprise Application Platform 4.2 Release Notes CP04 (Red Hat)
- Multiple vulnerabilities in Oracle Java Web Console (Oracle)
- Multiple vulnerabilities in Oracle Java Web Console1 (Oracle)
- OpenJDK Homepage (OpenJDK)
- Oracle Containers For Java Directory Traversal (OC4J) Oracle Application Server (Eduardo Vela)
- Release Name: 3.0.5 (WiKID Systems)
- ZLM 7.3 IR3 Tomcat 5.0.30 to fix reported security vulnerabilities (Novell)
- Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability ([email protected])
- CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Updated (Apache)
- CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Updated (Mark Thomas)
- Java Runtime UTF-8 Decoder Smuggling Vector (William A. Rowe, Jr.)
- [SECURITY] CVE-2008-2938 - Apache Tomcat information disclosure vulnerability (Mark Thomas)
- ASA-2008-401 - tomcat security update (RHSA-2008-0862) (Avaya)
- Interstage Application Server: Directory Traversal Vulnerability (CVE-2008-2938) (Fujitsu)
- RHSA-2008:0648-10 tomcat security update (Red Hat)
- Tomcat 5.0.28 in ZLM 7.3 subject to Multiple Vendor Multiple HTTP Request Smuggl (Novell)
- Vulnerability Note VU#343355 Apache Tomcat UTF8 Directory Traversal Vulnerabilit (US-CERT)