Contact | Site en Français               

 


 

Vulnerabilities & Threats
 
  VUPEN Security Advisories
  Linux Security Advisories

  Malware Advisories
  Security Research
  Threat Watch Blog
  Zero-Day Monitor
  Search Engine
  Mailing List & RSS
 
   

>> Sun Java Command Execution and Information Disclosure Vulnerabilities

Title : Sun Java Command Execution and Information Disclosure Vulnerabilities
VUPEN ID : VUPEN/ADV-2007-3350
CVE ID : CVE-2007-5232 - CVE-2007-5236 - CVE-2007-5237 - CVE-2007-5238 - CVE-2007-5239 - CVE-2007-5273 - CVE-2007-5274
Rated as : Critical 
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-10-04

Technical Description    Receive VUPEN Security alerts in a Text format  Receive VUPEN Security alerts in a PDF format  Receive VUPEN Security alerts in an XML format  Receive VUPEN Security notifications by SMS 

Multiple vulnerabilities have been identified in Sun JRE, JDK and SDK, which could be exploited by attackers to bypass security restrictions, disclose sensitive information, or take complete control of an affected system.

The first issue is caused by an unspecified error in the Java Runtime Environment, which may allow an untrusted Java Web Start application or Java applet to move or copy arbitrary files on the system that the application or applet runs on, by tricking a user to drag a file from the application or applet window to a desktop application that has permissions to accept and write files on the system.

The second vulnerability is caused by unspecified errors in Java Web Start, which could allow an untrusted application to determine the location of the Java Web Start cache, or read and write local files that are accessible to the user running the untrusted application.

The third issue is caused by unspecified errors in the Java Runtime Environment, which could be exploited by a malicious applet or web page to make network connections to network services on arbitrary systems.

Affected Products

Sun JDK version 6 Update 2 and prior
Sun JRE version 6 Update 2 and prior
Sun JDK version 5.0 Update 12 and prior
Sun JRE version 5.0 Update 12 and prior
Sun SDK version 1.4.2_15 and prior
Sun JRE version 1.4.2_15 and prior
Sun SDK version 1.3.1_20 and prior
Sun JRE version 1.3.1_20 and prior

Solution

Upgrade to JDK and JRE 6 Update 3 or later, JDK and JRE 5.0 Update 13 or later, SDK and JRE 1.4.2_16 or later, or SDK and JRE 1.3.1_21 or later :
http://www.java.com

References

http://www.vupen.com/english/advisories/2007/3350
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103078-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1

Credits

Vulnerabilities reported by Peter Csepely, Dan Boneh, Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, David Byrne and Billy Rios.

ChangeLog

2007-10-04 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.
 

Vulnerability Alerting

Free 14-Day Trial
 
  Latest News

 

  >> 2009-06-10

     

  VUPEN Security Research
  Discovered Critical Flaws
  in Adobe Acrobat and MS
  Office Word


  >> 2009-06-02

     

  VUPEN Security Research
  Discovered Critical Flaws
  in ACDSee Products


  >> 2009-05-22

     

  VUPEN Discovered Two
  Critical Vulnerabilities in
  Novell GroupWise 8 / 7


  >> 2009-05-12

     

  Microsoft Patched 14
  Office PowerPoint Flaws

 

  >> 2009-04-28

     

  Adobe Reader / Acrobat
  Vulnerabilities Disclosed

 

 

More Informations    
    








Copyright 2003-2009 © VUPEN.COM - Privacy Policy