Synopsis

This is my vulnerability announcement for CVE-2014-2428. This vulnerability allows web hosted java applications launched using jnlp to be executed with older JDKs installed on the machine. There are a number of prompts that are displayed before execution and the application needs to be signed and request full permissions. I believe that these permissions were introduced with Java 7 U45 and that, prior to this release, this vulnerability was much more severe as it didn't require signing and an explicit request for full permissions.

Thanks to Jacques Lemire for creating the jnlp application as well as to Stack8 for providing the great work environment where I noticed this behaviour in another jnlp application and later decided to spend a weekend investigating it. I can now remove finding a CVE from my list of life objectives.

Please contact me if you have any questions at johnf@zioncluster.ca

Timeline

• 2013/11/9 Issue Reported to Oracle
• 2013/11/19 Oracle confirms the issue, will be addressed in future fix
• 2014/04/15 Oracle releases Java 7 Update 55 / Java 8 Update 5 fixing the bug identified as CVE-2014-2428
  
• 2014/11/8 Publication of this announcement including proof of concept code

Issue Report to Oracle

This is the original issue report to Oracle

I've identified a vulnerability in the handling of JNLP files that exists in Java 7 U45 and allows the execution of a program using an insecure older JDK installed on the machine even if a newer version is installed. It is necessary in many corporate environments to have older versions of java installed for specific applications, removal is not always an option.

If a JNLP specification file includes a statement specifying that a prior version of Java should be used to execute the program as follows:

    <j2se version="1.6" java-vm-args="-esa -Xnoclassgc"/>

  <security>
    <all-permissions/>
  </security>

And if the jar file is signed by a trusted CA then, after the user accepts to run the JNLP application it will be run with the requested JDK version. This is in fact the behaviour, as designed, described at the bottom of this page:

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/deployment_flow.html#overview

I have tested this vulnerability on with Java 6 U45 and Java 7 U45 installed and validated that it behaves as described above.

While I understand that there are legacy applications that will require the usage of older versions of Java there needs to be a better system in place to prevent casual execution of older versions of Java by uninformed users. I believe that this would be better handled within the Java security policy that accepts this behaviour for specific white listed applications.

You can find a demonstration application here that will open a window with a title of the version of Java being used:

In order to execute this application you will need to install the CA certificate found here to recreate the issue, while it's only used here I do not recommend that you leave this potentially hostile CA installed:

You can see the files involved here including source for the demo application: