SecurityTracker.com
Category:   Application (Generic)  >   Oracle Java Web Start
Vendor:   Sun
Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections
SecurityTracker Alert ID:  1021318
SecurityTracker URL:  http://securitytracker.com/id/1021318
CVE Reference:   CVE-2008-2086, CVE-2008-5339, CVE-2008-5340, CVE-2008-5341, CVE-2008-5342, CVE-2008-5343, CVE-2008-5344
Updated:  Dec 5 2008
Original Entry Date:  Dec 5 2008
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Host/resource access via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): JDK and JRE 6 Update 10 and prior; JDK and JRE 5.0 Update 16 and prior; SDK and JRE 1.4.2_18 and prior; SDK and JRE 1.3.1_23 and prior
Description:   Several vulnerabilities were reported in Java Web Start and Java Plug-in. A remote user can read/write files and execute applications on the target user's system. A remote user can connect to arbitrary hosts via the target user's system.

A remote user can create a specially crafted Java Web Start application that, when loaded by the target user, will establish network connections to hosts other than the host that the application was downloaded from.

A remote user can create a specially crafted Java Web Start application that, when loaded by the target user, will read and write local files or execute applications on the target system with the privileges of the target user.

A remote user can create a specially crafted Java Web Start application that, when loaded by the target user, will perform certain trusted operations (e.g., modify system properties).

A remote user can create a specially crafted Java Web Start application that, when loaded by the target user, will determine the location of the Java Web Start cache and the username of the user running the Java Web Start application.

Hidden code running on a target system can make network connections to that same system and hijack HTTP sessions using cookies stored in the target user's browser.

A remote user can create a specially crafted applet that, when loaded by the target user, will read arbitrary files on the target system and establish network connections to hosts other than the host that the applet was loaded from.

A remote user can create a specially crafted application that, when loaded by the target user, will request local files to be displayed by the target user's browser.

Peter Csepely via TippingPoint, Virtual Security Research (VSR), Billy Rios of Microsoft, Nate McFeters of Ernst and Young, and John Heasman of NGSSoftware reported these vulnerabilities.

Impact:   A remote user can read/write files or execute applications on the target user's system or establish network connections to arbitrary hosts.
Solution:   The vendor has issued the following Java SE and Java SE for Business releases for Solaris, Windows and Linux:

* JDK and JRE 6 Update 11 or later
* JDK and JRE 5.0 Update 17 or later
* SDK and JRE 1.4.2_19 or later

The vendor has issued the following Java SE releases for Solaris and Windows:

* SDK and JRE 1.3.1_24 or later

The vendor's advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1

Vendor URL:  http://sunsolve.sun.com/search/document.do?assetkey=1-66-244988-1
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 5 2008 (Red Hat Issues Fix) Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections
Red Hat has released a fix for java-1.5.0-sun for Red Hat Enterprise Linux 4 and 5.
Dec 5 2008 (Red Hat Issues Fix) Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections
Red Hat has released a fix for java-1.6.0-sun for Red Hat Enterprise Linux 4 and 5.
Jan 14 2009 (Red Hat Issues Fix) Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections
Red Hat has released a fix for java-1.5.0-ibm for Red Hat Enterprise Linux 4 and 5.
Jan 14 2009 (Red Hat Issues Fix) Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections
Red Hat has released a fix for java-1.6.0-ibm for Red Hat Enterprise Linux 4 and 5.
Mar 26 2009 (Red Hat Issues Fix) Java Web Start Bugs Let Remote Users Read/Write Files, Execute Arbitrary Code, and Establish Network Connections
Red Hat has released a fix for Red Hat Enterprise Linux 4 and 5.



 Source Message Contents



[Original Message Not Available for Viewing]


Copyright 2020, SecurityGlobal.net LLC