(Oracle Issues Fix for BEA JRockit) Java JNLPAppletLauncher Flaw Lets Remote Users Write Arbitrary Files
SecurityTracker Alert ID: 1023067
SecurityTracker URL: http://securitytracker.com/id/1023067
CVE Reference:
CVE-2009-2676, CVE-2009-3403
Date: Oct 21 2009
Impact:
Modification of system information, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Description:
A vulnerability was reported in the Java JNLPAppletLauncher. A remote user can write arbitrary files on the target system. Oracle BEA JRockit is affected.
A remote user can create a specially crafted applet that, when loaded by the target user, will invoke a non-current version of the JNLPAppletLauncher to write arbitrary files on the target user's system.
SDK and JRE 1.3.1 are not affected.
John Heasman reported this vulnerability.
Impact:
A remote user can write arbitrary files on the target system.
Solution:
Oracle has issued a fix for BEA JRockit, which is affected by this vulnerability.
The Oracle advisory is available at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html
Cause:
Not specified
Underlying OS:
Linux (Any), UNIX (Solaris - SunOS), Windows (Any)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Tue, 20 Oct 2009 18:09:09 -0400
Subject: Oracle JRockit
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html
Oracle Critical Patch Update Advisory - October 2009
CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2674, CVE-2009-2675, CVE-2009-2676.
CVE-2009-3403 is the cumulative identifier for the above listed Java vulnerabilities.