CVE-2005-3583
Description
A crafted serialized font object causes denial of service in JRE/SDK 1.4.2_08-09 and 1.5.0_05, demonstrated against JBoss.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the deserialization of font objects within the Java Runtime Environment (JRE) and Software Development Kit (SDK) versions 1.4.2_08, 1.4.2_09, and 1.5.0_05, and possibly other versions [1][2]. A specially crafted serialized object, such as a font object containing malformed ICC profile data, triggers an infinite loop or crash in the JVM when deserialized. The code path is reachable in any application that deserializes untrusted serialized objects, notably the JBoss application server's JMXInvokerServlet, which accepts serialized objects over HTTP without authentication [2].
Exploitation
An attacker can remotely exploit this vulnerability by sending a POST request to the JBoss JMXInvokerServlet endpoint (e.g., http://host:8080/invoker/JMXInvokerServlet) with a crafted serialized font object [2]. No authentication is required. The attacker constructs the malicious object by fuzzing values in a GRAY.pf font file and serializing it. The deserialization of this object then crashes the underlying JVM [2]. The exploit was demonstrated against JBoss 4.0.2 on Windows, but the underlying JVM bug affects all platforms [2].
Impact
Successful exploitation causes the JVM to become unresponsive or crash, resulting in a denial of service (DoS). The attacker does not gain code execution, data access, or any privilege escalation; only availability is compromised. The crash is platform-independent, as noted by the researcher: "write once, crash everywhere" [2].
Mitigation
Sun was aware of the bug at the time of disclosure [2]. The fix was included in subsequent releases: upgrade to JRE/SDK 1.4.2_10 or later, or 1.5.0_06 or later. As a workaround, restrict network access to the JMXInvokerServlet or disable deserialization of untrusted objects in the application. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
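As an added example, not part of this CVE record or of JBoss itself, the following Python helper supports the workaround above from the defender's side: it flags POST requests to the JMXInvokerServlet endpoint in combined-format access logs that did not originate from an assumed administrative network, and it recognises a Java serialization stream by its 0xACED0005 header so a reverse proxy can refuse such bodies before they reach the invoker. The trusted network, the log lines and the sample bodies are constructed assumptions.

```python
import ipaddress
import re

JMX_INVOKER_PATH = "/invoker/JMXInvokerServlet"
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # ObjectOutputStream stream header
# Assumption: only this network is allowed to reach the invoker servlet.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Common/combined log format: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_trusted(ip_text):
    """True if the client address falls inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def flag_invoker_requests(log_lines):
    """Return (ip, timestamp, status) for untrusted POSTs to the invoker."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in common/combined log format; skip it
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if (m.group("method") == "POST" and path == JMX_INVOKER_PATH
                and not is_trusted(m.group("ip"))):
            hits.append((m.group("ip"), m.group("ts"), m.group("status")))
    return hits


def is_java_serialized(body):
    """True if a request body starts with the Java serialization header."""
    return body[:4] == JAVA_SERIAL_MAGIC


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - - [03/Nov/2005:10:00:01 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Nov/2005:10:00:05 +0000] "POST /invoker/JMXInvokerServlet HTTP/1.1" 500 0',
    '203.0.113.7 - - [03/Nov/2005:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.9 - - [03/Nov/2005:10:00:09 +0000] "POST /invoker/JMXInvokerServlet?x=1 HTTP/1.0" 200 64',
]
```

A 500 response on an untrusted invoker POST, as in the second sample line, is the pattern worth correlating with a JVM restart or crash log.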
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:sun:jre:1.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:sun:sdk:1.4.2_08:*:*:*:*:*:*:*
- cpe:2.3:a:sun:sdk:1.4.2_09:*:*:*:*:*:*:*
- cpe:2.3:a:sun:sdk:1.5.0_05:*:*:*:*:*:*:*
- Range: 1.4.2_08, 1.4.2_09, and 1.5.0_05
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- secunia.com/advisories/17478/ (NVD; Vendor Advisory)
- marc.info (NVD)
- securityreason.com/securityalert/143 (NVD)
- www.securityfocus.com/bid/15312 (NVD)
News mentions
No linked articles in our index yet.