2012/8/31 Konstantin Kolinko <knst.koli...@gmail.com>:
> Hi!
>
> Just noting that Java 6u35, 7u07 were released by Oracle a day ago
> http://www.oracle.com/technetwork/java/javase/downloads/
>
> Those contain security fixes for issues exploitable when running Java
> from within a web browser. (Those running it on server or standalone
> are said to be unaffected.)
> http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
>
> BTW, some media wrote that CVE-2012-4681 affects only Java 7, but not Java 6.
> The Oracle page, linked above, says the update includes fixes for two
> other vulnerabilities and affects both Java 6 and Java 7.
Confirming that CVE-2012-4681 affects those server systems that rely on
SecurityManager to secure Tomcat and allow it to run untrusted web
applications (e.g. shared hosting environments).

The existing proof-of-concept for this issue triggers it by calling some
method in AWT implementation classes (sun.*). This method is public in 7u06
and does not check its caller.

The method exists in 6u34 as well, but it is private there and thus cannot
be called without using the reflection API. So Java 6 is unaffected by this
specific issue.

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
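The distinction drawn above (public and unchecked in 7u06 versus private in 6u34) is what decides whether a SecurityManager-based sandbox, such as a Tomcat shared-hosting setup, can stand between untrusted code and an internal method. The following is an added illustration of that general principle, written for this page; it is not the CVE-2012-4681 proof of concept and not Tomcat or JDK code. `InternalHelper`, its three methods and the `"sensitiveOp"` permission name are all hypothetical stand-ins for an internal (sun.*-style) class; nothing here names or reproduces the real AWT method.

```java
import java.lang.reflect.Method;

/*
 * Hypothetical stand-in for an internal implementation class. Three
 * variants of the same operation differ only in how they are exposed:
 *  - public and unchecked:  any code that can reference the class can call it;
 *  - private:               outsiders need reflection plus setAccessible(true),
 *                           which the SecurityManager gates on
 *                           ReflectPermission("suppressAccessChecks");
 *  - public but checked:    the method itself asks the SecurityManager before
 *                           doing anything.
 */
class InternalHelper {

    // Public and unchecked: no permission is ever consulted.
    public static String sensitiveOpPublic(String target) {
        return "sensitive op on " + target;
    }

    // Private: reachable from other classes only via reflection.
    private static String sensitiveOpPrivate(String target) {
        return "sensitive op on " + target;
    }

    // Public but guarded by a permission the default policy does not grant.
    // "sensitiveOp" is a made-up permission name for this illustration.
    public static String sensitiveOpChecked(String target) {
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkPermission(new RuntimePermission("sensitiveOp"));
        }
        return "sensitive op on " + target;
    }
}

public class CallerCheckDemo {

    // Direct call to the public, unchecked method: the sandbox never sees it.
    static String viaPublic() {
        try {
            return "ALLOWED: " + InternalHelper.sensitiveOpPublic("x");
        } catch (SecurityException e) {
            return "BLOCKED: " + e.getMessage();
        }
    }

    // Reflective call to the private method: setAccessible(true) is the
    // point where the SecurityManager can refuse.
    static String viaReflectionOnPrivate() {
        try {
            Method m = InternalHelper.class.getDeclaredMethod("sensitiveOpPrivate", String.class);
            m.setAccessible(true); // requires ReflectPermission("suppressAccessChecks")
            return "ALLOWED: " + m.invoke(null, "x");
        } catch (SecurityException e) {
            return "BLOCKED: " + e.getMessage();
        } catch (ReflectiveOperationException e) {
            return "FAILED: " + e;
        }
    }

    // Direct call to the public method that checks its caller itself.
    static String viaCheckedPublic() {
        try {
            return "ALLOWED: " + InternalHelper.sensitiveOpChecked("x");
        } catch (SecurityException e) {
            return "BLOCKED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Install the default SecurityManager with the JDK's default policy.
        // Application code on the class path then gets neither
        // suppressAccessChecks nor the made-up "sensitiveOp" permission.
        System.setSecurityManager(new SecurityManager());

        System.out.println("public, unchecked : " + viaPublic());
        System.out.println("private, reflected: " + viaReflectionOnPrivate());
        System.out.println("public, checked   : " + viaCheckedPublic());
    }
}
```

Compiled and run as `java CallerCheckDemo` on a JDK of the era discussed (6 or 7), the first line reports ALLOWED while the other two report BLOCKED with an AccessControlException message: the private method is stopped at `setAccessible`, the checked method at its own `checkPermission`, and the public unchecked method is stopped nowhere. On Java 17 and later SecurityManager is deprecated for removal and must be enabled with `-Djava.security.manager=allow` for `System.setSecurityManager` to succeed. Note that `InternalHelper` is deliberately a top-level class rather than a nested one: since Java 11 a nested class and its enclosing class are nestmates, and reflective access between them would not need `setAccessible(true)`, which would hide the check being demonstrated.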