Sun Java Runtime Environment Multiple Weaknesses
BID:25918
Info
| Bugtraq ID: | 25918 |
| Class: | Unknown |
| CVE: | CVE-2007-5274 CVE-2007-5273 CVE-2007-5240 CVE-2007-5232 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 03 2007 12:00AM |
| Updated: | Sep 08 2008 09:11PM |
| Credit: | Sun credits Billy Rios, Dan Boneh, Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, David Byrne and Giorgio Maone with discovery of these issues. |
| Vulnerable: |
VMWare VirtualCenter Management Server 2 VMWare ESX Server 3.0.2 VMWare ESX Server 3.0.1 VMWare ESX Server 3.5 SuSE SUSE Linux Enterprise Server 9 SuSE SUSE Linux Enterprise Server 10.SP1 SuSE SUSE Linux Enterprise Server 10 SP2 SuSE SUSE Linux Enterprise Server 10 SP1 SuSE SUSE Linux Enterprise SDK 10.SP1 SuSE SUSE Linux Enterprise Desktop 10.SP1 SuSE SUSE Linux Enterprise Desktop 10 SP1 SuSE openSUSE 10.3 SuSE openSUSE 10.2 SuSE Linux Desktop 1.0 Sun SDK (Linux Production Release) 1.4.2 _07 Sun SDK (Linux Production Release) 1.4.2 _06 Sun SDK (Linux Production Release) 1.3.1 _19 Sun JRE (Linux Production Release) 1.4.2 _09 Sun JRE (Linux Production Release) 1.4.2 _08 Sun JRE (Linux Production Release) 1.4.2 _07 Sun JDK (Linux Production Release) 1.5 _02 Sun JDK (Linux Production Release) 1.5 _01 Sun JDK 6.0 Update 2 Sun JDK 5.0 Update 9 Sun JDK 5.0 Update 8 Sun JDK 5.0 Update 7 Sun JDK 5.0 Update 6 Sun JDK 5.0 Update 5 Sun JDK 5.0 Update 4 Sun JDK 5.0 Update 3 Sun JDK 5.0 Update 12 Sun JDK 5.0 Update 11 Sun JDK 5.0 Update 10 Sun Java 2 Standard Edition SDK 1.4.2 _15 Sun Java 2 Standard Edition SDK 1.4.2 _14 Sun Java 2 Standard Edition SDK 1.4.2 _13 Sun Java 2 Standard Edition SDK 1.4.2 _12 Sun Java 2 Standard Edition SDK 1.4.2 _12 Sun Java 2 Standard Edition SDK 1.4.2 _11 Sun Java 2 Standard Edition SDK 1.4.2 _10 Sun Java 2 Standard Edition SDK 1.4.2 _09 Sun Java 2 Standard Edition SDK 1.4.2 _08 Sun Java 2 Standard Edition SDK 1.4.2 _05 Sun Java 2 Standard Edition SDK 1.4.2 _04 Sun Java 2 Standard Edition SDK 1.4.2 _03 Sun Java 2 Standard Edition SDK 1.4.2 _02 Sun Java 2 Standard Edition SDK 1.4.2 _01 Sun Java 2 Standard Edition SDK 1.4.2 Sun Java 2 Runtime Environment 1.4.2 _15 Sun Java 2 Runtime Environment 1.4.2 _13 Sun Java 2 Runtime Environment 1.4.2 _12 Sun Java 2 Runtime Environment 1.4.2 _11 Sun Java 2 Runtime Environment 1.4.2 _10 Sun Java 2 Runtime Environment 1.4.2 _06 Sun Java 2 Runtime Environment 1.4.2 _05 Sun Java 2 Runtime Environment 1.4.2 _04 
Sun Java 2 Runtime Environment 1.4.2 _03 Sun Java 2 Runtime Environment 1.4.2 _02 Sun Java 2 Runtime Environment 1.4.2 _01 Sun Java 2 Runtime Environment 1.3.1 _20 Sun Java 2 Runtime Environment 1.3.1 _08 Sun Java 2 Runtime Environment 1.3.1 _01 Sun Java 2 Runtime Environment 6.0 Update 2 Sun Java 2 Runtime Environment 6.0 Update 1 Sun Java 2 Runtime Environment 5.0.Update 9 Sun Java 2 Runtime Environment 5.0.Update 12 Sun Java 2 Runtime Environment 5.0.Update 10 Sun Java 2 Runtime Environment 5.0 Update 8 Sun Java 2 Runtime Environment 5.0 Update 7 Sun Java 2 Runtime Environment 5.0 Update 6 Sun Java 2 Runtime Environment 5.0 Update 5 Sun Java 2 Runtime Environment 5.0 Update 4 Sun Java 2 Runtime Environment 5.0 Update 3 Sun Java 2 Runtime Environment 5.0 Update 2 Sun Java 2 Runtime Environment 5.0 Update 11 Sun Java 2 Runtime Environment 5.0 Update 1 Sun Java 2 Runtime Environment 5.0 Sun Java 2 Runtime Environment 1.4.2_14 S.u.S.E. Open-Enterprise-Server 0 S.u.S.E. Novell Linux POS 9 S.u.S.E. Linux Enterprise Server 9 S.u.S.E. Linux 10.1 S.u.S.E. 
CORE 9 RedHat Enterprise Linux Extras 4 RedHat Enterprise Linux Extras 3 RedHat Enterprise Linux ES 4 RedHat Enterprise Linux ES 3 Red Hat Enterprise Linux Supplementary 5 server Red Hat Enterprise Linux Desktop Supplementary 5 client Novell Open Enterprise Server (OES) 0 Novell Linux POS 9 Novell Linux Desktop 9 Nortel Networks Self-Service Peri Application 0 Nortel Networks Self-Service MPS 500 0 Nortel Networks Self-Service MPS 1000 0 Nortel Networks Self-Service CCXML 0 Nortel Networks Self Service VoiceXML 0 Nortel Networks Enterprise NMS 0 Nortel Networks Contact Center - CCT 0 HP HP-UX B.11.31 HP HP-UX B.11.23 HP HP-UX B.11.11 Gentoo Linux Gentoo dev-java/ibm-jre-bin 1.5.0.6 Gentoo dev-java/ibm-jre-bin 1.4.2.10 Gentoo dev-java/ibm-jdk-bin 1.5.0.6 Gentoo dev-java/ibm-jdk-bin 1.4.2.10 Foresight Linux Foresight Linux 1.1 BEA Systems JRockit 1.5 BEA Systems JRockit 1.4.2 07 BEA Systems JRockit 1.5.0_03 BEA Systems JRockit 1.4.2_08 BEA Systems JRockit 1.4.2_05 BEA Systems JRockit 1.4.2_04 Avaya Interactive Response 1.3 Avaya Interactive Response 3.0 Avaya Interactive Response 2.0 Apple Mac OS X Server 10.4.11 Apple Mac OS X Server 10.4.10 Apple Mac OS X 10.4.11 Apple Mac OS X 10.4.10 |
| Not Vulnerable: |
Sun JDK 6.0 Update 3 Sun JDK 5.0 Update 13 Sun Java 2 Standard Edition SDK 1.4.2 _16 Sun Java 2 Standard Edition SDK 1.3.1_21 Sun Java 2 Runtime Environment 1.4.2 _16 Sun Java 2 Runtime Environment 1.3.1 _21 Sun Java 2 Runtime Environment 6.0 Update 3 Sun Java 2 Runtime Environment 5.0.Update 13 Gentoo dev-java/ibm-jre-bin 1.5.0.7 Gentoo dev-java/ibm-jre-bin 1.4.2.11 Gentoo dev-java/ibm-jdk-bin 1.5.0.7 Gentoo dev-java/ibm-jdk-bin 1.4.2.11 |
Discussion
Sun Java Runtime Environment is prone to multiple weaknesses that may allow JavaScript code or applets to connect to resources other than the one the scripts or applets were downloaded from. One of the weaknesses may allow an attacker to obscure a Java warning about an untrusted applet from the user.
These issues affect the following packages for Windows, Solaris, and Linux:
JDK and JRE 6 Update 2 and earlier
JDK and JRE 5.0 Update 12 and earlier
SDK and JRE 1.4.2_15 and earlier
SDK and JRE 1.3.1_20 and earlier
Exploit / POC
Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Fixes are available. Please see the referenced advisories for more information.
Sun Java 2 Runtime Environment 5.0 Update 1
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun Java 2 Runtime Environment 5.0 Update 3
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun JDK 6.0 Update 2
-
Sun JDK and JRE 6 Update 3
http://java.sun.com/javase/downloads/index.jsp
Sun JDK 5.0 Update 8
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun JDK 5.0 Update 4
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun Java 2 Runtime Environment 5.0 Update 2
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun JDK 5.0 Update 6
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun Java 2 Runtime Environment 5.0 Update 7
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun JDK 5.0 Update 12
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun Java 2 Runtime Environment 5.0.Update 10
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun JDK 5.0 Update 5
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun JDK 5.0 Update 7
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun Java 2 Runtime Environment 6.0 Update 1
-
Sun JDK and JRE 6 Update 3
http://java.sun.com/javase/downloads/index.jsp
Sun Java 2 Runtime Environment 5.0 Update 5
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun Java 2 Runtime Environment 5.0 Update 6
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun Java 2 Runtime Environment 5.0.Update 12
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun Java 2 Runtime Environment 5.0 Update 8
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun Java 2 Runtime Environment 5.0 Update 11
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Sun Java 2 Runtime Environment 1.3.1 _08
-
Sun SDK and JRE 1.3.1 for Solaris
http://java.sun.com/j2se/1.3/download.html
Sun SDK (Linux Production Release) 1.3.1 _19
-
Sun SDK and JRE 1.3.1 for Solaris
http://java.sun.com/j2se/1.3/download.html
Sun Java 2 Runtime Environment 1.3.1 _01
-
Sun SDK and JRE 1.3.1 for Solaris
http://java.sun.com/j2se/1.3/download.html
Sun Java 2 Runtime Environment 1.4.2 _13
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Runtime Environment 1.4.2 _11
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Runtime Environment 1.4.2 _12
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Runtime Environment 1.4.2 _15
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Standard Edition SDK 1.4.2 _11
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Standard Edition SDK 1.4.2 _12
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Runtime Environment 1.4.2 _03
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Standard Edition SDK 1.4.2 _02
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Standard Edition SDK 1.4.2 _09
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun JRE (Linux Production Release) 1.4.2 _09
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun JRE (Linux Production Release) 1.4.2 _08
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Standard Edition SDK 1.4.2 _05
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Standard Edition SDK 1.4.2 _10
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Standard Edition SDK 1.4.2 _08
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun JRE (Linux Production Release) 1.4.2 _07
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Standard Edition SDK 1.4.2 _13
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun Java 2 Runtime Environment 1.4.2 _02
-
Sun SDK and JRE 1.4.2_16
http://java.sun.com/j2se/1.4.2/download.html
Sun JDK (Linux Production Release) 1.5 _02
-
Sun JDK and JRE 5.0 Update 13
http://java.sun.com/javase/downloads/index_jdk5.jsp
Apple Mac OS X 10.4.10
-
Apple Java for Mac OS X 10.4, Release 6
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16540&cat=1&platform=osx&method=sa/JavaForMacOSX10.4Release6.dmg
Apple Mac OS X Server 10.4.10
-
Apple Java for Mac OS X 10.4, Release 6
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16540&cat=1&platform=osx&method=sa/JavaForMacOSX10.4Release6.dmg
Apple Mac OS X 10.4.11
-
Apple Java for Mac OS X 10.4, Release 6
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16540&cat=1&platform=osx&method=sa/JavaForMacOSX10.4Release6.dmg
Apple Mac OS X Server 10.4.11
-
Apple Java for Mac OS X 10.4, Release 6
http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16540&cat=1&platform=osx&method=sa/JavaForMacOSX10.4Release6.dmg
References
References:
- CVE Request: python-rsa signature forgery (Filippo Valsorda)
- Java Homepage (Sun)
- Security update for IBMJava5-JRE,IBMJava5-SDK (SUSE)
- Sun Alert ID: 103071 (Sun)
- Sun Alert ID: 103078 (Sun)
- Sun Alert ID: 103079 (Sun)
- ASA-2007-453 Java Runtime Environment (JRE) May Allow Untrusted Applets or Appli (Avaya)
- Avaya Security Advisory ASA-2007-433 (Avaya)
- Avaya Security Advisory ASA-2007-434 (Avaya)
- IBM Java 1.4.2 20080723 (Novell)
- IBM Java2 JRE and SDK 20080723 (Novell)
- Nortel Response to Sun Java/JRE Multiple Vulnerabilities (Nortel)
- RHSA-2007:0963-5 - java-1.5.0-sun security update (RedHat)
- RHSA-2007:1041-6 - java-1.5.0-ibm security update (Red Hat)
- RHSA-2008:0100-4 java-1.4.2-bea security update (Red Hat)
- RHSA-2008:0132-4 - java-1.4.2-ibm security update (Red Hat)
- RHSA-2008:0156-1 - java-1.5.0-bea security update (Red Hat)
- Security Advisory (BEA08-198.00) (BEA Systems)
- Solution 200041: Security Vulnerabilities in Java Runtime Environment May Allow (Sun Microsystems)
- Solution 201519: Security Vulnerability in Java Runtime Environment With Applet (Sun Microsystems)
- Vulnerability Note VU#336105 Sun Java JRE vulnerable to unauthorized network acc (US-CERT)