
JVNDB-2014-000029

sp mode mail vulnerability where Java methods may be executed

Overview

sp mode mail provided by NTT DOCOMO contains an issue in the processing of Deco-mail emoticon POP, which may lead to the execution of arbitrary Java methods with the privileges of sp mode mail.

Hironori Tokuta reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products


NTT DOCOMO, INC.
  • sp mode mail rev.5900 through rev.6300 for Android 4.0.X and earlier
  • sp mode mail rev.6000 (initial version) through rev.6620 for Android 4.1 and later

Impact

Opening a specially crafted email may result in the execution of an arbitrary Java method with the privileges of sp mode mail.

Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

Vendor Information

NTT DOCOMO, INC.

CWE

  1. No Mapping (CWE-DesignError) [IPA Evaluation]

CVE

  1. CVE-2014-1979

References

  1. JVN : JVN#89260331
  2. National Vulnerability Database (NVD) : CVE-2014-1979

Revision History

[2014/03/18]
  Web page was published
[2014/03/25]
  References : Content was added