JVN#62161191
JavaFX WebEngine does not properly restrict Java method execution
Overview
The WebEngine component provided by JavaFX and OpenJFX does not properly restrict Java method execution.
Products Affected
- OracleJDK 8 versions prior to update 251
- JavaFX versions prior to 14.0.1
Description
JavaFX, a GUI library for Java applications, is provided with OracleJDK 7 through 10.
Since OracleJDK 11, JavaFX has been maintained and developed separately by the OpenJFX project under the OpenJDK community.
The JavaFX WebEngine component renders web content and can be configured to allow JavaScript code to execute Java methods.
The WebEngine component does not properly restrict the execution of Java methods (CWE-470).
This vulnerability is similar to CVE-2012-6636 in the Android WebView component.
Impact
When a JavaFX application renders crafted web content, arbitrary Java code may be executed with the application's privileges.
Solution
Update the software
JavaFX application developers should update their applications to the latest version of the JavaFX library.
JavaFX application users should update their Java execution environment to the latest version.
The JavaFX library in OracleJDK 8u251 and JavaFX 14.0.1 restricts a number of Java methods callable from JavaScript code.
Please refer to the release notes for details.
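For developers, a runtime guard around the JavaScript-to-Java configuration described above, as an added example that is not code from this advisory or from the JavaFX project. The trusted origin and the `Bridge` class are hypothetical, the version check encodes only the fixed versions listed on this page, and the `javafx.runtime.version` formats `8.0.251-b08` and `14.0.1+2` are assumed.

```java
import java.net.URI;
import javafx.concurrent.Worker;
import javafx.scene.web.WebEngine;
import netscape.javascript.JSObject;

/** Added example: gate the JavaScript-to-Java bridge on runtime version and page origin. */
public final class GuardedBridge {
    // Hypothetical trusted origin; replace with the application's own content origin.
    private static final String TRUSTED_ORIGIN = "https://app.example.invalid";

    /** Hypothetical bridge type: expose a purpose-built object, never an application object. */
    public static final class Bridge {
        public String appVersion() { return "1.0"; }
    }

    /** True only for runtimes at or past the fixed versions named in the advisory. */
    static boolean isFixedRuntime(String v) {
        if (v == null) return false;
        String[] p = v.split("[^0-9]+");           // "8.0.251-b08" -> 8, 0, 251, 08
        if (p.length < 3 || p[0].isEmpty()) return false;
        int major = Integer.parseInt(p[0]);
        int minor = Integer.parseInt(p[1]);
        int patch = Integer.parseInt(p[2]);
        if (major == 8) return patch >= 251;        // OracleJDK 8u251 or later
        return major > 14 || (major == 14 && (minor > 0 || patch >= 1)); // JavaFX 14.0.1 or later
    }

    /** Compares scheme and authority exactly; userinfo or an explicit port fails the match. */
    static boolean isTrusted(String location) {
        try {
            URI u = URI.create(location);
            return TRUSTED_ORIGIN.equalsIgnoreCase(u.getScheme() + "://" + u.getAuthority());
        } catch (RuntimeException e) {              // null or malformed location
            return false;
        }
    }

    /** Call on the JavaFX Application Thread before loading any content. */
    static void install(WebEngine engine) {
        boolean fixed = isFixedRuntime(System.getProperty("javafx.runtime.version"));
        engine.setJavaScriptEnabled(fixed);         // affected runtime: run no page scripts
        if (!fixed) return;
        Bridge bridge = new Bridge();               // captured by the listener, so not collected
        engine.getLoadWorker().stateProperty().addListener((obs, old, state) -> {
            if (state == Worker.State.SUCCEEDED && isTrusted(engine.getLocation())) {
                JSObject window = (JSObject) engine.executeScript("window");
                window.setMember("app", bridge);    // bridge exists only on trusted pages
            }
        });
    }
}
```

The guard is defense in depth alongside the update, not a replacement for it.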
Vendor Status
Vendor | Link |
Oracle | JDK 8u251 Update Release Notes |
OpenJFX Project | Release Notes for JavaFX 14.0.1 |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
ICHIHARA Ryohei of DMM.com LLC reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JVN iPedia | JVNDB-2020-000047 |