Sun JRE multiple unspecified applet security bypass

sun-java-applet-security-bypass (31003) The risk level is classified as MediumMedium Risk

Description:

Sun Java Runtime Environment (JRE) could allow a remote attacker to bypass security restrictions, caused by multiple unspecified vulnerabilities when handling applets. A remote attacker could exploit these vulnerabilities using a malicious applet to bypass security restrictions and access data in other remote or local applets.

Platforms Affected:

  • Gentoo, Linux
  • Novell, Linux Desktop 9
  • Novell, Linux POS 9
  • Novell, Open Enterprise Server
  • Novell, Open Enterprise Server
  • Novell, OpenSUSE 10.2
  • Novell, SLE SDK 10 SP1
  • Novell, SUSE Linux Enterprise Desktop 10 SP1
  • Novell, SUSE Linux Enterprise Server 10
  • Novell, SUSE Linux Enterprise Server 10 SP1
  • Novell, UnitedLinux 1.0
  • RedHat, Enterprise Linux 2.1 WS
  • RedHat, Enterprise Linux 2.1 ES
  • RedHat, Enterprise Linux 2.1 AS
  • RedHat, Linux Advanced Workstation 2.1 Itanium
  • RedHat, RHEL Extras 3
  • RedHat, RHEL Extras 4
  • Sun, JDK 1.5.0 Update3
  • Sun, JDK 1.5.0 Update2
  • Sun, JDK 1.5.0 Update1
  • Sun, JDK 1.5.0
  • Sun, JDK 1.5.0 Update4
  • Sun, JDK 1.5.0 Update6
  • Sun, JDK 1.5.0 Update5
  • Sun, JRE 1.3.1 Update1
  • Sun, JRE 1.3.1 Update17
  • Sun, JRE 1.3.1 Update16
  • Sun, JRE 1.3.1 Update18
  • Sun, JRE 1.3.1 Update1a
  • Sun, JRE 1.3.1 Update4
  • Sun, JRE 1.3.1 Update8
  • Sun, JRE 1.3.1
  • Sun, JRE 1.3.1 Update2
  • Sun, JRE 1.3.1 Update3
  • Sun, JRE 1.3.1 Update5
  • Sun, JRE 1.3.1 Update6
  • Sun, JRE 1.3.1 Update7
  • Sun, JRE 1.3.1 Update9
  • Sun, JRE 1.3.1 Update10
  • Sun, JRE 1.3.1 Update11
  • Sun, JRE 1.3.1 Update12
  • Sun, JRE 1.3.1 Update14
  • Sun, JRE 1.3.1 Update13
  • Sun, JRE 1.3.1 Update15
  • Sun, JRE 1.4.2
  • Sun, JRE 1.4.2 Update1
  • Sun, JRE 1.4.2 Update10
  • Sun, JRE 1.4.2 Update11
  • Sun, JRE 1.4.2 Update12
  • Sun, JRE 1.4.2 Update2
  • Sun, JRE 1.4.2 Update3
  • Sun, JRE 1.4.2 Update4
  • Sun, JRE 1.4.2 Update5
  • Sun, JRE 1.4.2 Update6
  • Sun, JRE 1.4.2 Update7
  • Sun, JRE 1.4.2 Update8
  • Sun, JRE 1.4.2 Update9
  • Sun, JRE 1.5.0 Update1
  • Sun, JRE 1.5.0 Update3
  • Sun, JRE 1.5.0
  • Sun, JRE 1.5.0 Update2
  • Sun, JRE 1.5.0 Update4
  • Sun, JRE 1.5.0 Update5
  • Sun, JRE 1.5.0 Update6
  • Sun, SDK 1.3.1_01
  • Sun, SDK 1.3.1_01a
  • Sun, SDK 1.3.1_02
  • Sun, SDK 1.3.1_03
  • Sun, SDK 1.3.1_04
  • Sun, SDK 1.3.1_05
  • Sun, SDK 1.3.1_06
  • Sun, SDK 1.3.1_07
  • Sun, SDK 1.3.1_08
  • Sun, SDK 1.3.1_09
  • Sun, SDK 1.3.1_10
  • Sun, SDK 1.3.1_11
  • Sun, SDK 1.3.1_12
  • Sun, SDK 1.3.1_13
  • Sun, SDK 1.3.1_14
  • Sun, SDK 1.3.1_15
  • Sun, SDK 1.3.1_16
  • Sun, SDK 1.3.1_17
  • Sun, SDK 1.3.1_18
  • Sun, SDK 1.4.2
  • Sun, SDK 1.4.2_01
  • Sun, SDK 1.4.2_02
  • Sun, SDK 1.4.2_03
  • Sun, SDK 1.4.2_04
  • Sun, SDK 1.4.2_05
  • Sun, SDK 1.4.2_06
  • Sun, SDK 1.4.2_07
  • Sun, SDK 1.4.2_08
  • Sun, SDK 1.4.2_09
  • Sun, SDK 1.4.2_10
  • Sun, SDK 1.4.2_11
  • Sun, SDK 1.4.2_12
  • SuSE, SLE SDK 10
  • SuSE, SuSE Linux 10.0
  • SuSE, SuSE Linux 10.1
  • SuSE, SuSE Linux 9.3
  • SuSE, SuSE Linux Desktop 1.0
  • SuSE, SuSE Linux Enterprise Server 8.0
  • SuSE, SuSE Linux Enterprise Server 9.0
  • SuSE, SuSE Linux OpenExchange Server 4
  • SuSE, SuSE Linux Retail Solution 8
  • SuSE, SuSE Linux School Server
  • SuSE, SuSE Linux Standard Server 8
  • SuSE, SuSE SLED 10
  • SuSE, SuSE SLES 10
  • SuSE, SuSE SLES 9

Remedy:

Refer to Sun Alert ID: 102732 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE SUSE-SA:2007:010 Security Announcement for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 200702-08 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (Blackdown):
Refer to Gentoo Linux Security Announcement GLSA 200705-20 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux (solaris):
Refer to SUSE-SA:2007:003 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (java-ibm):
Refer to RHSA-2007:0073-2 or RHSA-2007:0062 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux (IBMJava2-JRE):
Refer to RHSA-2007:0072-2 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Bypass Security

References:

  • Apple Web site, About the security content of Java Release 6 for Mac OS X 10.4 at http://docs.info.apple.com/article.html?artnum=307177.
  • Sun Alert ID: 102732, Security Vulnerabilities in the Java Runtime Environment may Allow an Untrusted Applet to Access Data in Other Applets at http://sunsolve.sun.com/search/document.do?assetkey=1-26-102732-1.
  • ASA-2007-023: Security Vulnerabilities in the Java Runtime Environment may Allow an Untrusted Applet to Access Data in Other Applets (Sun 102732)
  • ASA-2007-090: IBMJava2 security update (RHSA-2007-0072)
  • ASA-2007-091: java-1.4.2-ibm security update (RHSA-2007-0062)
  • ASA-2007-093: java-1.5.0-ibm security update (RHSA-2007-0073)
  • BID-21674: Sun Java Runtime Environment Information Disclosure Vulnerabilities
  • CVE-2006-6736: Unspecified vulnerability in Sun Java Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 6 and earlier, Java System Development Kit (SDK) and JRE 1.4.2_12 and earlier 1.4.x versions, and SDK and JRE 1.3.1_18 and earlier allows attackers to use untrusted applets to access data in other applets
  • CVE-2006-6737: Unspecified vulnerability in Sun Java Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 5 and earlier, Java System Development Kit (SDK) and JRE 1.4.2_10 and earlier 1.4.x versions, and SDK and JRE 1.3.1_18 and earlier allows attackers to use untrusted applets to access data in other applets
  • FrSIRT/ADV-2006-5075: Sun Java Runtime Environment Applets Handling Information Disclosure Vulnerabilities
  • FrSIRT/ADV-2007-4224: Apple Security Update Fixes Multiple Java for Mac OS X Vulnerabilities
  • GLSA-200701-15: Sun JDK/JRE: Multiple vulnerabilities
  • GLSA-200702-08: AMD64 x86 emulation Sun's J2SE Development Kit: Multiple vulnerabilities
  • GLSA-200705-20: Blackdown Java: Applet privilege escalation
  • RHSA-2007-0062: Critical: java-1.4.2-ibm security update
  • RHSA-2007-0072: Critical: IBMJava2 security update
  • RHSA-2007-0073: Critical: java-1.5.0-ibm security update
  • SA23398: Sun Java JRE Applet Security Bypass
  • SA25404: Gentoo blackdown-jdk and blackdown-jre Vulnerabilities
  • SA28115: Mac OS X Java Multiple Vulnerabilities
  • SECTRACK ID: 1017427: Java Runtime Environment Discloses Applet Information to Remote Users
  • SUSE-SA:2007:003: Sun Java security update
  • SUSE-SA:2007:010: IBMJava security update
  • SUSE-SA:2007:045: IBM and Sun Java security problems

Reported:

Dec 19, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page