Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections

SecurityTracker Alert ID: 1021318
SecurityTracker URL: http://securitytracker.com/id?1021318
CVE Reference: CVE-2008-2086, CVE-2008-5339, CVE-2008-5340, CVE-2008-5341, CVE-2008-5342, CVE-2008-5343, CVE-2008-5344
Updated: Dec 5 2008
Original Entry Date: Dec 5 2008
Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Host/resource access via network, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Sun Alert
Version(s): JDK and JRE 6 Update 10 and prior; JDK and JRE 5.0 Update 16 and prior; SDK and JRE 1.4.2_18 and prior; SDK and JRE 1.3.1_23 and prior

Description: Several vulnerabilities were reported in Java Web Start and the Java Plug-in. A remote user can read and write files and execute applications on the target user's system, and can connect to arbitrary hosts via the target user's system. The individual issues are:

* A remote user can create a specially crafted Java Web Start application that, when loaded by the target user, will establish network connections to hosts other than the host that the application was downloaded from.
* A remote user can create a specially crafted Java Web Start application that, when loaded by the target user, will read and write local files or execute applications on the target system with the privileges of the target user.
* A remote user can create a specially crafted Java Web Start application that, when loaded by the target user, will perform certain trusted operations (e.g., modify system properties).
* A remote user can create a specially crafted Java Web Start application that, when loaded by the target user, will determine the location of the Java Web Start cache and the username of the user running the Java Web Start application.
* A user can cause hidden code on a target system to make network connections to the target host and to hijack HTTP sessions using cookies stored in the browser.
* A remote user can create a specially crafted applet that, when loaded by the target user, will read arbitrary files on the target system and establish network connections to hosts other than the host that the applet was loaded from.
* A remote user can create a specially crafted application that, when loaded by the target user, will request local files to be displayed by the target user's browser.

Peter Csepely via TippingPoint, Virtual Security Research (VSR), Billy Rios of Microsoft, Nate Mcfeters of Ernst and Young, and John Heasman of NGSSoftware reported these vulnerabilities.

Impact: A remote user can read/write files or execute applications on the target user's system or establish network connections to arbitrary hosts.

Solution: The vendor has issued the following Java SE and Java SE for Business releases for Solaris, Windows and Linux:

* JDK and JRE 6 Update 11 or later
* JDK and JRE 5.0 Update 17 or later
* SDK and JRE 1.4.2_19 or later

The vendor has issued the following Java SE releases for Solaris and Windows:

* SDK and JRE 1.3.1_24 or later

The vendor's advisory is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1
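As an added example (not part of the Sun alert or of this SecurityTracker entry), the following Python script parses the banner printed by `java -version` and compares the update level against the fixed releases listed in the Solution section. The sample banners are constructed to match the format Sun, OpenJDK and IBM runtimes print; they were not captured from any system discussed here. The vendor test (a HotSpot VM line present, no OpenJDK line) is an assumption about those banners: Red Hat's java-1.x.0-ibm packages and OpenJDK builds do not follow Sun's update numbering, so the script reports them as "unknown" rather than guessing.

```python
import re
import subprocess

# Earliest fixed update level for each Sun release family, taken from the
# Solution section of this alert: 6u11, 5.0u17, 1.4.2_19 and 1.3.1_24.
# Keys are the (major, minor, micro) part of the "1.x.y_NN" version string.
FIXED_UPDATE = {
    (1, 6, 0): 11,
    (1, 5, 0): 17,
    (1, 4, 2): 19,
    (1, 3, 1): 24,
}

# First line of `java -version` output, e.g.  java version "1.6.0_10"
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return ((major, minor, micro), update) from a `java -version` banner.

    A version without an update suffix, such as "1.6.0", counts as update 0.
    Returns None when no version line is present.
    """
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro)), int(update or 0)


def is_sun_runtime(banner):
    """Assumption about vendor banners: Sun's JRE reports a HotSpot VM line,
    while OpenJDK and IBM J9 builds do not (and do not use Sun's update
    numbering), so only HotSpot-without-OpenJDK banners are compared."""
    return "HotSpot" in banner and "OpenJDK" not in banner


def assess(banner):
    """Classify a `java -version` banner against this alert.

    Returns "fixed", "vulnerable" or "unknown" (unparseable banner, non-Sun
    runtime, or a release family the alert does not list).
    """
    parsed = parse_java_version(banner)
    if parsed is None or not is_sun_runtime(banner):
        return "unknown"
    family, update = parsed
    if family not in FIXED_UPDATE:
        return "unknown"
    return "fixed" if update >= FIXED_UPDATE[family] else "vulnerable"


def assess_installed(java="java"):
    """Run `java -version` (it writes the banner to stderr) and classify it."""
    try:
        r = subprocess.run([java, "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "unknown"          # no java binary on PATH
    return assess(r.stderr + r.stdout)


# Constructed banners modelled on the format of the real tools; not captured
# from any system discussed in the alert.
SAMPLE_BANNERS = {
    "sun_6u10": 'java version "1.6.0_10"\n'
                'Java(TM) SE Runtime Environment (build 1.6.0_10-b33)\n'
                'Java HotSpot(TM) Client VM (build 11.0-b15, mixed mode, sharing)\n',
    "sun_6u11": 'java version "1.6.0_11"\n'
                'Java(TM) SE Runtime Environment (build 1.6.0_11-b03)\n'
                'Java HotSpot(TM) Client VM (build 11.0-b16, mixed mode, sharing)\n',
    "sun_142_18": 'java version "1.4.2_18"\n'
                  'Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_18-b06)\n'
                  'Java HotSpot(TM) Client VM (build 1.4.2_18-b06, mixed mode)\n',
    "sun_131_24": 'java version "1.3.1_24"\n'
                  'Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_24-b03)\n'
                  'Java HotSpot(TM) Client VM (build 1.3.1_24-b03, mixed mode)\n',
    "openjdk_6": 'java version "1.6.0_0"\n'
                 'OpenJDK Runtime Environment (IcedTea6 1.3.1) (build 1.6.0_0-b12)\n'
                 'OpenJDK Client VM (build 1.6.0_0-b12, mixed mode)\n',
    "ibm_6": 'java version "1.6.0"\n'
             'Java(TM) SE Runtime Environment (build pxa6460sr3-20081106_07(SR3))\n'
             'IBM J9 VM (build 2.4, J2RE 1.6.0 IBM J9 2.4 Linux amd64-64)\n',
}

if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:12s} {assess(banner)}")
    print(f"{'installed':12s} {assess_installed()}")
```

Note that only the version string is inspected: a vulnerable JRE left in place beside a patched one (a common outcome of side-by-side installs, or a browser plug-in pointing at an older JRE than the one first on PATH) is not found by running a single `java -version`, so point `assess_installed()` at every Java binary on the host rather than at the default one.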

Vendor URL: sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1
Cause: Access control error
Underlying OS: Linux (Any), UNIX (Solaris - SunOS), Windows (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Dec 5 2008
(Red Hat Issues Fix) Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections (bugzilla@redhat.com)
Red Hat has released a fix for java-1.5.0-sun for Red Hat Enterprise Linux 4 and 5.

Dec 5 2008
(Red Hat Issues Fix) Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections (bugzilla@redhat.com)
Red Hat has released a fix for java-1.6.0-sun for Red Hat Enterprise Linux 4 and 5.

Jan 14 2009
(Red Hat Issues Fix) Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections (bugzilla@redhat.com)
Red Hat has released a fix for java-1.5.0-ibm for Red Hat Enterprise Linux 4 and 5.

Jan 14 2009
(Red Hat Issues Fix) Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections (bugzilla@redhat.com)
Red Hat has released a fix for java-1.6.0-ibm for Red Hat Enterprise Linux 4 and 5.

Mar 26 2009
(Red Hat Issues Fix) Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 4 and 5.

Source Message Contents

Date: Thu, 4 Dec 2008 20:59:14 -0500
Subject: http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1

CVE-2008-2086