ISS X-Force Database: sun-javawarning-weak-security(36942): Sun Java Runtime Environment (JRE) warning banner weak security

Sun Java Runtime Environment (JRE) warning banner weak security

sun-javawarning-weak-security (36942)

Low Risk

Description:

Sun Java Runtime Environment (JRE) could provide weaker than expected security, caused by a flaw in the way warning banners are displayed. A remote attacker could exploit this vulnerability by persuading a victim to download a specially-crafted applet or application that displays an oversized window to hide warning messages.

Platforms Affected:

HP, HP-UX B.11.11
HP, HP-UX B.11.23
HP, HP-UX B.11.31
Novell, Linux Desktop 9
Novell, Linux POS 9
Novell, Open Enterprise Server
Novell, Open Enterprise Server
Novell, OpenSUSE 10.2
Novell, OpenSUSE 10.3
Novell, SLE SDK 10 SP1
Novell, SUSE Linux Enterprise Desktop 10 SP1
Novell, SUSE Linux Enterprise Server 10 SP1
Novell, SUSE Linux Enterprise Server 10
RedHat, RHEL Desktop Supplementary 5 Client
RedHat, RHEL Extras 3
RedHat, RHEL Extras 4
RedHat, RHEL Supplementary 5 Server
Sun, JDK 1.5.0 Update7
Sun, JDK 1.5.0 Update5
Sun, JDK 1.5.0 Update4
Sun, JDK 1.5.0 Update3
Sun, JDK 1.5.0 Update2
Sun, JDK 1.5.0 Update8
Sun, JDK 1.5.0 Update9
Sun, JDK 1.5.0 Update11
Sun, JDK 1.5.0 Update1
Sun, JDK 1.5.0 Update10
Sun, JDK 1.5.0 Update12
Sun, JDK 1.6.0 Update1
Sun, JDK 1.6.0 Update2
Sun, JRE 1.3.0 Update5
Sun, JRE 1.3.0
Sun, JRE 1.3.1 Update19
Sun, JRE 1.3.1 Update18
Sun, JRE 1.3.1 Update16
Sun, JRE 1.3.1 Update1
Sun, JRE 1.3.1 Update1a
Sun, JRE 1.3.1 Update20
Sun, JRE 1.4.0
Sun, JRE 1.4.1 Update3
Sun, JRE 1.4.2
Sun, JRE 1.4.2 Update3
Sun, JRE 1.4.2 Update15
Sun, JRE 1.4.2 Update14
Sun, JRE 1.4.2 Update9
Sun, JRE 1.4.2 Update12
Sun, JRE 1.4.2 Update11
Sun, JRE 1.4.2 Update10
Sun, JRE 1.4.2 Update1
Sun, JRE 1.4.2 Update8
Sun, JRE 1.4.2 Update13
Sun, JRE 1.5.0 Update12
Sun, JRE 1.5.0 Update1
Sun, JRE 1.5.0 Update10
Sun, JRE 1.5.0 Update3
Sun, JRE 1.5.0 Update4
Sun, JRE 1.5.0 Update5
Sun, JRE 1.5.0 Update6
Sun, JRE 1.5.0 Update7
Sun, JRE 1.5.0 Update8
Sun, JRE 1.5.0 Update9
Sun, JRE 1.5.0 Update11
Sun, JRE 1.5.0 Update2
Sun, JRE 1.6.0 Update1
Sun, JRE 1.6.0 Update2
Sun, SDK 1.3.1_01
Sun, SDK 1.3.1_01a
Sun, SDK 1.3.1_16
Sun, SDK 1.3.1_18
Sun, SDK 1.3.1_19
Sun, SDK 1.3.1_20
Sun, SDK 1.4.2
Sun, SDK 1.4.2_03
Sun, SDK 1.4.2_08
Sun, SDK 1.4.2_09
Sun, SDK 1.4.2_10
Sun, SDK 1.4.2_11
Sun, SDK 1.4.2_12
Sun, SDK 1.4.2_13
Sun, SDK 1.4.2_14
Sun, SDK 1.4.2_15
SuSE, SLE SDK 10
SuSE, SuSE Linux 10.0
SuSE, SuSE Linux 10.1
SuSE, SuSE SLES 9
VMware, ESX Server 3.5

Remedy:

Refer to Sun Alert ID: 103071 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Other

References:

BEA08-198.00, Multiple Security Vulnerabilities in Java Web Start and the Java Plug-in for browsers at https://support.bea.com/application_content/product_portlets/securityadvisories/272.html.
HPSBUX02284 SSRT071483 rev.3, HP-UX Running Java JRE and JDK, Remote Unauthorized Access at http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01234533.
Sun Alert ID: 103071, Java Runtime Environment (JRE) May Allow Untrusted Applets or Applications to Display An Oversized Window so that the Warning Banner is Not Visible to User at http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1.
VMSA-2008-0010, Updated Tomcat and Java JRE packages for VMware ESX 3.5 at http://www.vmware.com/security/advisories/VMSA-2008-0010.html.
ASA-2007-428: java-1.5.0-sun security update (RHSA-2007-0963)
ASA-2007-453: Java Runtime Environment (JRE) May Allow Untrusted Applets or Applications to Display An Oversized Window so that the Warning Banner is Not Visible to User (SUN 103071)
ASA-2007-495: java-1.5.0-ibm security update (RHSA-2007-1041)
ASA-2008-049: HP-UX Running Java JRE and JDK Remote Unauthorized Access (HPSBUX02284)
ASA-2008-104: java-1.5.0-bea security update (RHSA-2008-0156)
ASA-2008-116: java-1.4.2-bea security update (RHSA-2008-0100)
BID-25918: Sun Java Runtime Environment Multiple Weaknesses
CVE-2007-5240: Visual truncation vulnerability in the Java Runtime Environment in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows remote attackers to circumvent display of the untrusted-code warning banner by creating a window larger than the workstation screen.
FrSIRT/ADV-2007-3895: HP-UX Security Update Fixes Multiple Java Code Execution Vulnerabilities
FrSIRT/ADV-2008-0609: BEA JRockit Multiple Code Execution and Security Bypass Vulnerabilities
FrSIRT/ADV-2008-1856: VMware ESX Server Security Update Fixes Multiple Vulnerabilities
RHSA-2007-0963: Important: java-1.5.0-sun security update
RHSA-2007-1041: Important: java-1.5.0-ibm security update
RHSA-2008-0100: Moderate: java-1.4.2-bea security update
RHSA-2008-0132: Critical: java-1.4.2-ibm security update
RHSA-2008-0156: Moderate: java-1.5.0-bea security update
SA29042: BEA JRockit Multiple Vulnerabilities
SA30676: VMware ESX Server update for Tomcat and Java JRE
SECTRACK ID: 1018769: Java Runtime Environment (JRE) Lets Remote Applets Obscure the Untrusted Applet Warning Banner Display
SUSE-SA:2007:055: Sun Java security problems
SUSE-SA:2008:025: IBM Java security update

Reported:

Oct 03, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page