(BEA Issues Fix for JRockit) Java Web Start Bugs Let Remote Users Read/Write Files on the Target User's System
|
SecurityTracker Alert ID: 1019463
|
SecurityTracker URL: http://securitytracker.com/id/1019463
|
CVE Reference:
CVE-2007-5238
|
Date: Feb 21 2008
|
Impact:
Disclosure of user information, Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): R24, R25
|
Description:
Several vulnerabilities were reported in Java Web Start. A remote user can access files on the target user's system. BEA JRockit is affected.
A remote user can create a specially crafted applet that, when loaded by the target user, can read local files, write to local files, or determine the location of the Java Web Start cache. File access will occur with the privileges of the target user.
Peter Csepely reported these vulnerabilities.
|
Impact:
A remote user can create an applet that, when loaded by the target user, can read local files, write to local files, or determine the location of the Java Web Start cache.
|
Solution:
BEA JRockit R24 and BEA JRockit R25 are affected. An update is available at:
http://commerce.bea.com/products/weblogicjrockit/jrockit_prod_fam.jsp
The BEA advisory is available at:
http://dev2dev.bea.com/pub/advisory/272
|
Cause:
Access control error
|
Underlying OS:
Linux (Any), UNIX (Solaris - SunOS), Windows (Any)
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Wed, 20 Feb 2008 21:23:35 -0500
Subject: http://dev2dev.bea.com/pub/advisory/272
|
CVE-2007-5238