SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Java Web Start Vendors:  Sun
Java Web Start Incorrect Use of System Classes Lets Users Gain Elevated Privileges
SecurityTracker Alert ID:  1017986
SecurityTracker URL:  http://securitytracker.com/id?1017986
CVE Reference:  CVE-2007-2435   (Links to External Site)
Updated:  Aug 6 2007
Original Entry Date:  May 1 2007
Impact:  Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  Sun Alert
Description:  A vulnerability was reported in Java Web Start. A user can obtain elevated privileges on the target system.

The system does not properly use system classes. A Java application may be able to read and write local files with the privileges of the user running the Java Web Start application.

Java Web Start in JDK and JRE 5.0 Update 10 and earlier and in SDK and JRE 1.4.2_13 and earlier are affected.

Sun credits the Fujitsu security team with reporting this vulnerability.
Impact:  A Java application can obtain privileges of the target user.
Solution:  Sun has issued the following fixes.

* Java Web Start in JDK and JRE 5.0 Update 11 or later
* Java Web Start in SDK and JRE 1.4.2_14 or later

J2SE 5.0 is available for download at the following links:

* http://java.sun.com/j2se/1.5.0/download.jsp

J2SE 5.0 Update 11 for Solaris is available in the following patches:

* J2SE 5.0: update 11 (as delivered in patch 118666-11 or later)
* J2SE 5.0: update 11 (as delivered in patch 118667-11 or later (64bit))
* J2SE 5.0_x86: update 11 (as delivered in patch 118668-11 or later)
* J2SE 5.0_x86: update 11 (as delivered in patch 118669-11 or later (64bit))

J2SE 1.4.2 is available for download at the following link:

* http://java.sun.com/j2se/1.4.2/download.html

The Sun advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102881-1
Vendor URL:  sunsolve.sun.com/search/document.do?assetkey=1-26-102881-1 (Links to External Site)
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 6 2007 (Red Hat Issues Fix) Java Web Start Incorrect Use of System Classes Lets Users Gain Elevated Privileges   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux Extras 3, 4, and 5.
Aug 8 2007 (Red Hat Issues Fix for java-ibm) Java Web Start Incorrect Use of System Classes Lets Users Gain Elevated Privileges   (bugzilla@redhat.com)
Red Hat has released a fix for java-1.5.0-ibm on Red Hat Enterprise Linux Extras 4 and 5.


 Source Message Contents
Date:  Tue, 1 May 2007 08:01:06 -0400
Subject:  Security Vulnerability With Java Web Start Related to Incorrect Use of System Classes

 
 
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102881-1


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC