The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Java JDK/JRE: two vulnerabilities

Synthesis of the vulnerability 

Two vulnerabilities allow an applet or an application to access a file or to execute commands.
Vulnerable software: WebSphere AS Traditional, NSM Central Manager, NLD, OES, Java Oracle, Solaris, Trusted Solaris, RHEL, SLES, ESX.
Severity of this announcement: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 06/02/2008.
References for this computer vulnerability: 231261, 6529590, 6529591, BID-27650, CERTA-2008-AVI-044, CVE-2008-0657, PK64999, PK65161, PSN-2011-02-159, RHSA-2008:0123-01, RHSA-2008:0156-02, RHSA-2008:0210-01, SUSE-SA:2008:025, VIGILANCE-VUL-7549, VMSA-2008-00010.3.

Description of the vulnerability 

Two vulnerabilities were announced in Java JDK/JRE.

A malicious applet or application can read and write local files. [severity:2/4]

A malicious applet or application can execute a local application. [severity:3/4]

This computer threat note impacts software or systems such as WebSphere AS Traditional, NSM Central Manager, NLD, OES, Java Oracle, Solaris, Trusted Solaris, RHEL, SLES, ESX.

Our Vigil@nce team determined that the severity of this weakness alert is important.

The trust level is "confirmed by the editor", and the information originates from an internet server.

This bulletin is about 2 vulnerabilities.

An attacker with expert ability can exploit this weakness.

Solutions for this threat 

Java JDK/JRE: version 6.0 Update 2.
Version 6.0 Update 2 is corrected:
  http://java.sun.com/javase/downloads/index.jsp
  http://java.sun.com/javase/6/webnotes/ReleaseNotes.html
For Solaris:
  Sparc:
    32 bits: patch 125136-04
    64 bits: patch 125137-04
  x86:
    32 bits: patch 125138-04
    64 bits: patch 125139-04

Java JDK/JRE 5: version 5 Update 14.
Version 5 Update 14 is corrected:
  http://java.sun.com/javase/downloads/index_jdk5.jsp
For Solaris:
  Sparc:
    32 bits: patch 118666-15
    64 bits: patch 118667-15
  x86:
    32 bits: patch 118668-15
    64 bits: patch 118669-15
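
The fixed releases above, turned into a version check (an added example, not part of the bulletin or of any vendor tooling): it maps the Sun version string printed by java -version (1.6.0_NN for JDK/JRE 6, 1.5.0_NN for JDK/JRE 5) onto the Update 2 and Update 14 thresholds. The function names and the sample output are constructed for illustration, and treating every earlier update of a family as unfixed is an assumption, since the bulletin names only the corrected versions.

```shell
#!/bin/sh
# Added example, not vendor tooling. Thresholds come from the bulletin:
#   JDK/JRE 6 is corrected in Update 2  -> 1.6.0_02
#   JDK/JRE 5 is corrected in Update 14 -> 1.5.0_14

# Pull the quoted version string out of `java -version` output (read on stdin).
extract_java_version() {
    sed -n '/version "/{s/.*version "\([^"]*\)".*/\1/p;q;}'
}

# Print "fixed", "below-fixed" or "unknown" for a Sun-style version string.
check_java_version() {
    ver=$1
    # Only 1.<family>.0 or 1.<family>.0_<update>[suffix] is understood here.
    case $ver in
        1.[0-9].0|1.[0-9].0_[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    family=${ver#1.}; family=${family%%.*}
    case $ver in
        *_*) update=${ver#*_}                 # "02-b06" from "1.6.0_02-b06"
             update=${update%%[!0-9]*}        # drop build suffix -> "02"
             update=$(printf '%s' "$update" | sed 's/^0*//') ;;
        *)   update= ;;                       # no update number: initial release
    esac
    update=${update:-0}
    case $family in
        6) min=2 ;;
        5) min=14 ;;
        *) echo unknown; return 0 ;;          # family not covered by the bulletin
    esac
    if [ "$update" -ge "$min" ]; then echo fixed; else echo below-fixed; fi
}

# Constructed sample of `java -version` output (the JVM writes it to stderr).
SAMPLE_OUTPUT='java version "1.6.0_01"
Java(TM) SE Runtime Environment (build 1.6.0_01-b06)
Java HotSpot(TM) Client VM (build 1.6.0_01-b06, mixed mode, sharing)'

found=$(printf '%s\n' "$SAMPLE_OUTPUT" | extract_java_version)
echo "$found: $(check_java_version "$found")"
```

On a real host, pipe `java -version 2>&1` into extract_java_version instead of the sample; vendor rebuilds (IBM, BEA) carry their own version strings and fall under "unknown" here.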

WebSphere AS: APAR for Java Plug-in.
An APAR is available:
  http://www-1.ibm.com/support/docview.wss?uid=swg1PK65161

Juniper NSM: version 2009.1r1.
Version 2009.1r1 is corrected:
  http://support.juniper.net/

RHEL 4E, 5S: new java-1.5.0-bea packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras: java-1.5.0-bea-1.5.0.14-1jpp.1.el4
RHEL Supplementary (v. 5 server): java-1.5.0-bea-1.5.0.14-1jpp.1.el5

RHEL 4E, 5S: new java-1.5.0-ibm packages.
New packages are available.

RHEL 4E, 5S: new java-1.5.0-sun packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras: java-1.5.0-sun-1.5.0.14-1jpp.2.el4
Red Hat Enterprise Linux version 5 Supplementary: java-1.5.0-sun-1.5.0.14-1jpp.2.el5

SUSE: new IBM Java packages.
New packages are available:
   SUSE Linux Enterprise Desktop 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
   SUSE Linux Enterprise Server 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   SLE SDK 10 SP1
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   Open Enterprise Server
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   Novell Linux POS 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   SUSE SLES 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html

VMware ESX: patch for Tomcat and Java JRE.
A patch is available:
  VMware ESX 3.5 patch ESX350-200806404-SG
    http://download3.vmware.com/software/esx/ESX350-200806404-SG.zip
    md5sum: 669e97880a21cce13eb7e9051f403162
    http://kb.vmware.com/kb/1005219
  ESX 3.0.3 patch ESX303-200808407-SG
    http://download3.vmware.com/software/vi/ESX303-200808407-SG.zip
    md5sum: 083cee0475a8f73e511199800e8c3af4
    http://kb.vmware.com/kb/1006358
  ESX 3.0.2 patch ESX-1006360
    http://download3.vmware.com/software/vi/ESX-1006360.tgz
    md5sum: 5d2d629b6c4b1894571742569ae2e2da
    http://kb.vmware.com/kb/1006360
  ESX 3.0.1 patch ESX-1006359
    http://download3.vmware.com/software/vi/ESX-1006359.tgz
    md5sum: 2224d6e27b86f3155ce9d5895f1f191a
    http://kb.vmware.com/kb/1006359