Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Oracle Java 2 Platform Enterprise Edition (J2EE) Vendors:   Sun
Java J2EE PointBase Configuration Flaw Lets Remote Users Execute Arbitrary Binaries
SecurityTracker Alert ID:  1008491
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 16 2003
Impact:   Execution of arbitrary code via network
Vendor Confirmed:  Yes  
Version(s): 1.4 (with PointBase 4.6)
Description:   A vulnerability was reported in the Java J2EE reference implementation when running the included PointBase database. A remote user can inject SQL commands to execute arbitrary binaries on the target system. reported that a remote user can run specially crafted SQL statements to cause arbitrary executables on the target system to be executed.

The vulnerability is due to inadequate security settings and library bugs in the sun.* and org.apache.* packages in jdk 1.4.2_02 when running pointbase without a fine-tuned security manager, according to the report.

A remote user may also be able to cause denial of service conditions or gain information about the target system, the report said.

The vendor was reportedly notified on November 29, 2003.

Impact:   A remote user can cause arbitrary binaries on the target system to be executed.
Solution:   No solution was available at the time of this entry. Accordiing to the report, the vendor has indicated that this is not a flaw in J2EE.

A potential workaround is described in the Source Message.

Vendor URL: (Links to External Site)
Cause:   Access control error, Configuration error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Tested on Windows XP

Message History:   None.

 Source Message Contents

Subject:  J2EE 1.4 reference implementation: database component allows remote

Hash: SHA1 security advisory i/12-2003 (

J2EE 1.4 reference implementation: database component allows remote code


Product   : J2EE reference implementation (
Component : pointbase 4.6 database component
Version   : 1.4
Vendor    : Sun Microsystems
Impact    : Code injection, DoS, information leakage
Date      : Public Release 12/16/2003, 11am GMT

By using special crafted SQL statements *arbitrary executables*
on the host executing the pointbase 4.6 database bundled with the
j2ee 1.4 reference implementation (j2ee/ri) *can be started*.
The vulnerability has been tested by on
windows xp and the bundled jdk 1.4.2_02 coming with the j2ee/ri.

A possible workaround is to create an adequate policy file
to configure a security manager object for pointbase.
Pointbase bundled with j2ee/ri does not include
a configuration so the policy settings have to evaluated
manually. Simply granting AllPermissions to the
pointbase jar codebase does not solve the problem.
With a proper setting installed the described attack
leads to a security exception thrown by pointbase instead of
starting the exe file which was desired by the attacker.

This text will be also available soon at

J2EE/RI 1.4 (windows version) which is available at
It cannot be ruled out that j2ee versions for other os contain similar

By using a special crafted SQL statement arbitrary executables
on the host executing the pointbase database coming with the
j2ee 1.4 reference implementation (j2ee/ri) can be started.
The exploit code is similar to the jboss/hsqldb exploit
discovered earlier this year. Furthermore this is a typical
case of exploit reuse as the sql statements only needed minor
adjustment from hsqldb function definition syntax to
pointbase function definition. The vulnerability is
resulting from inadequate security settings and library bugs in
sun.* and org.apache.* packages in jdk 1.4.2_02 when running
pointbase without a fine-tuned security manager.

In addition to the possibility of executing arbitrary executables,
denial-of-service attacks as well as information leakage scenarios
have been tested positively.

Proof-Of-concept code
The vendor (Sun) has been provided with proof-of-concept SQL code
executing a notepad.exe on the machine executing the pointbase
database. Another proof-of-concept SQL statement crashes the

There is no fix available until today, as Sun is stating that the
problem "is not a security issuse with J2ee 1.4" functionality. But Sun
states that they "contacted pointbase regarding the issue".

More Information
On RSA Conference 2003 the problem areas in jdk 1.4 were presented
which allow remote code injection. A a report, testing three major
100% pure java databases against these vulnerabilities will be made
public in january. This work is part of my dissertation research and
therefore a non-profit project.

29 Nov 2003 Vendor (Sun) informed
05 Dec 2003 Vendor commits inadequate security manager settings in
            allowing denial-of-service and remote code injection via jdbc
            which comprimising j2ee security
16 Dec 2003 public release

to Johnny Cyberpunk and his S/390, to Dark Tangent still hiding my travel
and parking allowance, g0dzilla, km and halvar the viking

- --

Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous

Version: GnuPG v1.2.3 (AIX)



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC