


Category:   Application (Web Browser)  >   Netscape
Vendors:   America Online, Inc.
(Netscape Issues Fix for Netscape Browser) Re: Sun Java Runtime Environment (JRE) Bytecode Verifier Casting Bug Lets Arbitrary Code Execute Outside of the Java Security Sandbox
SecurityTracker Alert ID:  1003880
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 22 2002
Impact:   Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 6.2.2
Description:   Sun reported a vulnerability in their Java Runtime Environment (JRE) bytecode verifier. An untrusted Java applet may be able to gain elevated privileges on the system.

The flaw reportedly lies in the security checks that the bytecode verifier applies to casting operations (type conversions). A remote user could exploit this flaw to execute code outside of the security sandbox. This code would execute in the security context of the target (victim) user. The flaw only affects Java applets, not Java applications. No further technical details were provided.

Netscape reports that the Netscape browser is vulnerable.

Impact:   A remote user can create a Java applet that, when executed on another user's host, will cause arbitrary code to be executed on that other user's host. The arbitrary code can circumvent the Java sandbox security restrictions.
Solution:   Netscape has released a fixed version (6.2.2), available at:

Cause:   Access control error
Underlying OS:  Java, Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 19 2002 Sun Java Runtime Environment (JRE) Bytecode Verifier Casting Bug Lets Arbitrary Code Execute Outside of the Java Security Sandbox

 Source Message Contents

Subject:  Netscape: Sun JRE (Java Runtime Environment) Issue

Sun JRE (Java Runtime Environment) Issue

Sun Microsystems has warned users of a potential issue affecting the Sun
Java Runtime Environment Bytecode Verifier and has made the remedy
available to its
Java technology licensees. Netscape is not aware of any instances of
this flaw being exploited. Netscape will incorporate a fix for this
issue and encourages Netscape Communicator users as well as Netscape 6.x
users to upgrade to the latest Netscape browser software that includes
this fix, which will be made available for download in the next several
days at: Meanwhile, users
can also obtain the remedy directly from the Sun website at (JRE version 1.3.1_02).

