Protection against Macromedia JRun 4 Web Server Buffer Overflow Vulnerability

Attack ID:	CPAI-2005-161

Publish Date:

Category:	Remote Code Execution

Vulnerable Systems:	Macromedia JRun 4.0 prior to Updater 5

Source:	iDEFENSE ADVISORY: 12.21.05

Description:	A vulnerability exists in the Macromedia JRun Web server component. Remote exploitation of the vulnerability may allow attackers to execute arbitrary code or cause a denial of service condition. For the attack to be successful, the JRun Web server component must be active.

Severity:

Details:	The vulnerability exists within the JRun 4 Web server, specifically in the handling of long request strings. By supplying a long URL (approximately 64k), a remote attacker can create a stack-based overflow, potentially allowing the execution of arbitrary code.

Attack Detection:	Users of VPN-1 NG with Application Intelligence R54, R55 and R55W and users of VPN-1 NGX R60 should update their SmartDefense by clicking Online Update in the SmartDashboard General window. Attack Name: HTTP Worm Catcher Attack Information: Macromedia JRun 4 Buffer Overflow

Solution:	Users of VPN-1 NG with Application Intelligence R55 & R55W and users of VPN-1 NGX R60 should update their SmartDefense by clicking Online Update (R55 - Update now) in the SmartDashboard General window. To enable the protection: Users of R55W, R60: 1. On the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher. 2. Enable Macromedia JRun 4 Buffer Overflow. Users of R54, R55: 1. On the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher. 2. Enable Macromedia JRun 4 Buffer Overflow.

Industry Reference:	CVE-2005-4472

Additional Information:	This update also includes: - Protection against Microsoft COM vulnerability (MS05-054) - CPAI-2005-158 - Protection against Cisco IOS HTTP Server - CPAI-2005-159 - Protection against Microsoft IIS URI Denial of Service - CPAI-2005-160