SecurityTracker.com
Category:   Application (Generic)  >   BEA JRockit
Vendors:   BEA Systems
(BEA Issues Fix for JRockit) Java Web Start Bugs Let Remote Users Read/Write Files on the Target User's System
SecurityTracker Alert ID:  1019463
SecurityTracker URL:  http://securitytracker.com/id/1019463
CVE Reference:   CVE-2007-5238
Date:  Feb 21 2008
Impact:   Disclosure of user information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): R24, R25
Description:   Several vulnerabilities were reported in Java Web Start. A remote user can access files on the target user's system. BEA JRockit is affected.

A remote user can create a specially crafted applet that, when loaded by the target user, can read local files, write to local files, or determine the location of the Java Web Start cache. File access will occur with the privileges of the target user.

Peter Csepely reported these vulnerabilities.

Impact:   A remote user can create an applet that, when loaded by the target user, can read local files, write to local files, or determine the location of the Java Web Start cache.
Solution:   BEA JRockit R24 and BEA JRockit R25 are affected. An update is available at:

http://commerce.bea.com/products/weblogicjrockit/jrockit_prod_fam.jsp

The BEA advisory is available at:

http://dev2dev.bea.com/pub/advisory/272

Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Oct 4 2007 Java Web Start Bugs Let Remote Users Read/Write Files on the Target User's System






Copyright 2019, SecurityGlobal.net LLC