SecurityTracker: Java Runtime Environment Internal Classes Lets Remote Users Access and Execute Files on the Target User's System

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Java Runtime Environment (JRE)

Java Runtime Environment Internal Classes Lets Remote Users Access and Execute Files on the Target User's System

SecurityTracker Alert ID: 1014192

SecurityTracker URL: http://securitytracker.com/id/1014192

CVE Reference: CVE-2005-1974 (Links to External Site)

Updated: Feb 17 2006

Original Entry Date: Jun 14 2005

Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 1.4.2_07 and prior 1.4.2 versions, 5.0, 5.0 Update 1

Description: A vulnerability was reported in Java Runtime Environment. A remote user may be able to gain privileges on the target system.

A remote user can create a specially crafted Java application that, when loaded by the target user, will gain elevated privileges. The application may be able to read and write files or execute applications on the target user's system.

The flaw is related to the accessibility of certain internal classes.

No further details were provided.

The vendor credits Adam Gowdiak with reporting this vulnerability.

Impact: A remote user may be able to read and write files or execute applications on the target user's system with the privileges of the target user.

Solution: Sun has issued fixed versions (J2SE 5.0 Update 2; J2SE 1.4.2_08).

The fix for 5.0 is available at:

http://java.sun.com/j2se/1.5.0/download.jsp and http://java.com

The fix for 1.4.2 is available at:

http://java.sun.com/j2se/1.4.2/download.html

HP has issued a fix for OpenView (which includes the affected JRE package):

www2.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01234

Vendor URL: sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1 (Links to External Site)

Cause: Access control error

Underlying OS: Linux (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)

Message History: This archive entry has one or more follow-up message(s) listed below.

Jul 2 2005	(Vendor Issues Fix for Sun Java Desktop System) Java Runtime Environment Internal Classes Lets Remote Users Access and Execute Files on the Target User's System Sun issues fix for Sun Java Desktop System.
Aug 30 2005	(HP Issues Fix) Java Runtime Environment Internal Classes Lets Remote Users Access and Execute Files on the Target User's System HP has issued a fix for JRE on HP-UX.
Oct 19 2005	(HP Issues Fix for OpenView) Java Runtime Environment Internal Classes Lets Remote Users Access and Execute Files on the Target User's System HP has issued a fix for OpenView Operations and OpenView VantagePoint, which are affected by this JRE vulnerability.

Source Message Contents

Date: Tue, 14 Jun 2005 01:14:15 -0400
Subject: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1



# Sun Alert ID: 101749
# Synopsis: Security Vulnerability With Java Runtime Environment May Allow Untrusted Applet to Elevate Privileges
# Category: Security
#
Product: Java 2 Platform, Standard Edition 5.0 Software
# BugIDs: 6224433, 6224438
# Avoidance: Upgrade
# State: Resolved
# Date Released: 13-Jun-2005
# Date Closed: 13-Jun-2005
# Date Modified:

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC