_______________________________________________________________________________
Blackdown Java-Linux Security Advisory
Advisory number: Blackdown-SA-2005-02
Issue date: 2005, June 14
Synopsis: Java Runtime Environment May Allow Untrusted Applet to
Elevate Privileges
_______________________________________________________________________________
1. Problem
A vulnerability in the Java Runtime Environment may allow an
untrusted applet to elevate its privileges. For example, an applet
may grant itself permissions to read and write local files or
execute local applications that are accessible to the user running
the untrusted applet.
2. Vulnerable Versions
Blackdown J2SE 1.4.2-01 and earlier 1.4 releases. 1.3.1 releases
are not affected.
3. Solution
Upgrade to J2SE v1.4.2-02.
4. Location of fixed packages:
Java 2 Runtime Environment v1.4.2-02:
  amd64:
    ftp://ftp.tux.org/java/JDK-1.4.2/amd64/02/j2re-1.4.2-02-linux-amd64.bin
    dc4d79332f7fc5a1a729415584ab0f22
  x86:
    ftp://ftp.tux.org/java/JDK-1.4.2/i386/02/j2re-1.4.2-02-linux-i586.bin
    c209c959ce4ab0188e77d065ec57901a
Java 2 SDK v1.4.2-02:
  amd64:
    ftp://ftp.tux.org/java/JDK-1.4.2/amd64/02/j2sdk-1.4.2-02-linux-amd64.bin
    71a00fbf52e39987790c3216a219c281
  x86:
    ftp://ftp.tux.org/java/JDK-1.4.2/i386/02/j2sdk-1.4.2-02-linux-i586.bin
    a65733528562794b7838407084cabd9a
Debian packages are available at ftp://ftp.tux.org/java/debian/
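One way to check a downloaded installer against the values listed in section 4, as an added example that is not part of the original advisory. It assumes the 32-hex-digit strings under each URL are MD5 digests (the advisory does not name the algorithm) and that md5sum from GNU coreutils is installed; advisory_digest, verify_pkg and verify_all are names chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: compare a downloaded 1.4.2-02
# installer with the value printed under its URL in section 4.
# Assumption: those 32-hex-digit values are MD5 digests.

# Print the advisory's digest for an installer file name; fail if not listed.
advisory_digest() {
    case "$1" in
        j2re-1.4.2-02-linux-amd64.bin)  echo dc4d79332f7fc5a1a729415584ab0f22 ;;
        j2re-1.4.2-02-linux-i586.bin)   echo c209c959ce4ab0188e77d065ec57901a ;;
        j2sdk-1.4.2-02-linux-amd64.bin) echo 71a00fbf52e39987790c3216a219c281 ;;
        j2sdk-1.4.2-02-linux-i586.bin)  echo a65733528562794b7838407084cabd9a ;;
        *) return 1 ;;
    esac
}

# verify_pkg FILE [EXPECTED]
# Returns 0 on match, 1 on mismatch, 2 if FILE is missing or not listed.
# EXPECTED (hypothetical parameter) overrides the lookup, e.g. for testing.
verify_pkg() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    if [ -n "${2:-}" ]; then
        expected=$2
    else
        expected=$(advisory_digest "$(basename "$file")") || {
            echo "not listed in advisory: $file" >&2; return 2; }
    fi
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
    else
        echo "MISMATCH: $file (got $actual, advisory lists $expected)" >&2
        return 1
    fi
}

# Check every file given on the command line; non-zero if any check fails.
verify_all() {
    rc=0
    for f in "$@"; do verify_pkg "$f" || rc=1; done
    return "$rc"
}

verify_all "$@"
```

The digests are only as trustworthy as the copy of the advisory they are read from, which is what the cleartext signature on the advisory is for.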
5. References
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1
_______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way. In
particular, it is desired that the cleartext signature shows proof
of the authenticity of the text.
Blackdown Java-Linux makes no warranties of any kind whatsoever
with respect to the information contained in this security
advisory.
_______________________________________________________________________________
--
Juergen Kreileder, Blackdown Java-Linux Team
http://blog.blackdown.de/
