The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Java JDK/SDK/JRE: multiple vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities in the Java JDK/SDK/JRE environment allow an attacker to access files or to create network connections.
Vulnerable products: HP-UX, NLD, OES, openSUSE, Java Oracle, Solaris, Trusted Solaris, RHEL, SLES, ESX.
Severity of this weakness: 3/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 04/10/2007.
Revision date: 23/10/2007.
References of this bulletin: 103071, 103072, 103073, 103078, 103079, 6569621, 6589527, 6590813, 6590827, 6590837, 6590850, 6590857, 6594007, 6609269, BID-25918, BID-25920, c01234533, CERTA-2007-AVI-440, CVE-2007-5232, CVE-2007-5236, CVE-2007-5237, CVE-2007-5238, CVE-2007-5239, CVE-2007-5240, CVE-2007-5273, CVE-2007-5274, HPSBUX02284, RHSA-2007:0963-01, RHSA-2007:1041-01, RHSA-2008:0100-01, RHSA-2008:0132-01, RHSA-2008:0156-02, SSRT071483, SUSE-SA:2007:055, SUSE-SA:2008:025, VIGILANCE-VUL-7212, VMSA-2008-00010.3, VU#336105.

Description of the vulnerability

Several vulnerabilities in the Java JDK/SDK/JRE environment allow an attacker to access files or to create network connections.

An applet can create a large window in order to mask other windows or the user's desktop. [severity:3/4; 103071, 6589527, CVE-2007-5240]

A Java applet or a Java Web Start application can invite the victim to drag and drop a file, in order to create it on the victim's computer. [severity:3/4; 103072, 6590857, CVE-2007-5239]

A Java Web Start application can read or write files on the victim's computer, or obtain the location of the cache. [severity:3/4; 103073, 6590813, 6590827, 6590837, 6590850, BID-25920, CVE-2007-5236, CVE-2007-5237, CVE-2007-5238]

A Java applet or JavaScript code can connect to computers other than the originating server. [severity:3/4; 103078, 6569621, 6609269, CVE-2007-5273, CVE-2007-5274]

A Java applet can connect to computers other than the originating server. [severity:3/4; 103079, 6594007, CERTA-2007-AVI-440, CVE-2007-5232, VU#336105]

This cybersecurity weakness impacts software or systems such as HP-UX, NLD, OES, openSUSE, Java Oracle, Solaris, Trusted Solaris, RHEL, SLES, ESX.

Our Vigil@nce team determined that the severity of this security vulnerability is important.

The trust level is "confirmed by the editor"; the origin is a vendor document.

This bulletin is about 5 vulnerabilities.

An attacker with an expert ability can exploit this vulnerability bulletin.

Solutions for this threat

Java JDK/JRE 6: version 6 Update 3.
Version 6 Update 3 is corrected:
  http://java.sun.com/javase/downloads/index.jsp
For Solaris:
  * Java SE 6: patch 125136-04
  * Java SE 6 64bit: patch 125137-04
  * Java SE 6_x86: patch 125138-04
  * Java SE 6_x86 64 bit: patch 125139-04
Previous versions have to be uninstalled.

Java JDK/JRE 5: version 5 Update 13.
Version 5 Update 13 is corrected:
  http://java.sun.com/javase/downloads/index_jdk5.jsp
For Solaris:
  Sparc:
    32 bits: patch 118666-14
    64 bits: patch 118667-14
  x86:
    32 bits: patch 118668-14
    64 bits: patch 118669-14
Previous versions have to be uninstalled.

Java SDK/JRE 1.4.2: version 1.4.2_16.
Version 1.4.2_16 is corrected:
  http://java.sun.com/j2se/1.4.2/download.html
Previous versions have to be uninstalled.

Java SDK/JRE 1.3.1: version 1.3.1_21.
Version 1.3.1_21 is corrected:
  http://java.sun.com/j2se/1.3/download.html
Previous versions have to be uninstalled.
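The four Sun entries above each name the first corrected update of a release family (6 Update 3, 5 Update 13, 1.4.2_16, 1.3.1_21) and ask that earlier versions be uninstalled. The following check, added here as an example and not part of the Vigil@nce bulletin or of Sun's tooling, parses the `java -version` banner of a Sun JDK/JRE and reports whether the installed update meets the fixed level from this bulletin. The fixed-update table is taken from the bulletin; the sample banners are constructed, and `run_local_check()` is a hypothetical helper that invokes the `java` binary found on PATH. Builds from other vendors (IBM, HP, BEA) carry their own version strings and are not assessed by this check.

```python
import re
import subprocess

# Minimum corrected update per Sun release family, as listed in this bulletin.
FIXED_UPDATES = {
    (1, 6, 0): 3,    # Java SE 6 Update 3
    (1, 5, 0): 13,   # Java SE 5 Update 13
    (1, 4, 2): 16,   # J2SE 1.4.2_16
    (1, 3, 1): 21,   # J2SE 1.3.1_21
}

# Sun's banner looks like: java version "1.5.0_11" ; the "_update" part is optional.
_VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner):
    """Return (major, minor, micro, update) from a `java -version` banner, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    # A banner without an "_NN" suffix is the initial release, i.e. update 0.
    return (int(major), int(minor), int(micro), int(update or 0))


def assess(banner):
    """Classify a banner as 'fixed', 'vulnerable', 'unknown-family' or 'unparsable'."""
    v = parse_java_version(banner)
    if v is None:
        return "unparsable"
    family, update = v[:3], v[3]
    if family not in FIXED_UPDATES:
        # Families outside the bulletin (or non-Sun builds) cannot be judged here.
        return "unknown-family"
    return "fixed" if update >= FIXED_UPDATES[family] else "vulnerable"


def run_local_check(java_binary="java"):
    """Hypothetical helper: run `java -version` (it prints to stderr) and assess it."""
    try:
        proc = subprocess.run([java_binary, "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no-java-binary"
    return assess(proc.stderr + proc.stdout)


# Constructed sample banners, one per release family in the bulletin.
SAMPLE_BANNERS = {
    "6u2 (pre-fix)": 'java version "1.6.0_02"\nJava(TM) SE Runtime Environment (build 1.6.0_02-b05)',
    "6u3 (fixed)": 'java version "1.6.0_03"\nJava(TM) SE Runtime Environment (build 1.6.0_03-b05)',
    "5u13 (fixed)": 'java version "1.5.0_13"',
    "1.4.2_15 (pre-fix)": 'java version "1.4.2_15"',
    "1.3.1_21 (fixed)": 'java version "1.3.1_21"',
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:20s} -> {assess(banner)}")
    print(f"{'local java':20s} -> {run_local_check()}")
```

Because the check keys on the release family, a host running several JREs side by side must be checked once per installation path; the bulletin's instruction to uninstall previous versions exists precisely because a stale 1.4.2 or 5.0 runtime left beside a corrected one remains reachable by applets.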

HP-UX: Java version 1.4.2.17.00.
Version 1.4.2.17.00 is corrected:
  http://www.hp.com/go/java

HP-UX: version Java JRE and JDK.
The following versions are corrected:
  1.4.2.17.00
  1.5.0.11

RHEL 3E, 4E, 5S: new java-1.4.2-bea packages.
New packages are available:
Red Hat Enterprise Linux version 3 : java-1.4.2-bea-1.4.2.16-1jpp.1.el3
Red Hat Enterprise Linux version 4 : java-1.4.2-bea-1.4.2.16-1jpp.1.el4
Red Hat Enterprise Linux version 5 : java-1.4.2-bea-1.4.2.16-1jpp.1.el5

RHEL 3E, 4E, 5S: new java-1.4.2-ibm packages.
New packages are available:
Red Hat Enterprise Linux version 3 Extras: java-1.4.2-ibm-1.4.2.10-1jpp.2.el3
Red Hat Enterprise Linux version 4 Extras: java-1.4.2-ibm-1.4.2.10-1jpp.2.el4
Red Hat Enterprise Linux version 5 Supplementary: java-1.4.2-ibm-1.4.2.10-1jpp.2.el5

RHEL 4E, 5S: new java-1.5.0-bea packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras: java-1.5.0-bea-1.5.0.14-1jpp.1.el4
RHEL Supplementary (v. 5 server): java-1.5.0-bea-1.5.0.14-1jpp.1.el5

RHEL 4E, 5S: new java-1.5.0-ibm packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras: java-1.5.0-ibm-1.5.0.6-1jpp.2.el4
Red Hat Enterprise Linux version 5 Supplementary: java-1.5.0-ibm-1.5.0.6-1jpp.1.el5

RHEL: new java-1.5.0-sun packages.
New packages are available:
Red Hat Enterprise Linux version 4: java-1.5.0-sun-1.5.0.13-1jpp.1.el4
Red Hat Enterprise Linux version 5: java-1.5.0-sun-1.5.0.13-1jpp.1.el5

SUSE: new IBMJava5 packages.
New packages are available:
  http://support.novell.com/techcenter/psdb/9a5ab06f4b454def4dc88e7b2a5b241b.html

SUSE: new IBM Java packages.
New packages are available:
   SUSE Linux Enterprise Desktop 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
   SUSE Linux Enterprise Server 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   SLE SDK 10 SP1
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   Open Enterprise Server
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   Novell Linux POS 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   SUSE SLES 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html

SUSE: new Sun Java packages.
New packages are available:
 openSUSE 10.3:
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/*/java-1_5_0-sun*-1.5.0_update13-0.1.*.rpm
   http://download.opensuse.org/pub/opensuse/update/10.3/rpm/*/java-1_6_0-sun*-1.6.0.u3-0.1.*.rpm
 openSUSE 10.2:
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/*/java-1_4_2-sun*-1.4.2_update16-0.1.*.rpm
   ftp://ftp.suse.com/pub/suse/update/10.2/rpm/*/java-1_5_0-sun*-1.5.0_update13-0.1.*.rpm
 SUSE LINUX 10.1:
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/*/java-1_4_2-sun*-1.4.2.16-0.2.*.rpm
   ftp://ftp.suse.com/pub/suse/update/10.1/rpm/*/java-1_5_0-sun*-1.5.0_13-0.1.*.rpm
 SUSE LINUX 10.0:
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/*/java-1_4_2-sun*-1.4.2.16-0.1.*.rpm
   ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/*/java-1_5_0-sun*-1.5.0_13-0.1.*.rpm

VMware ESX: patch for Tomcat and Java JRE.
A patch is available:
VMware ESX 3.5 patch ESX350-200806404-SG
http://download3.vmware.com/software/esx/ESX350-200806404-SG.zip
md5sum: 669e97880a21cce13eb7e9051f403162
http://kb.vmware.com/kb/1005219
ESX 3.0.3 patch ESX303-200808407-SG
http://download3.vmware.com/software/vi/ESX303-200808407-SG.zip
md5sum: 083cee0475a8f73e511199800e8c3af4
http://kb.vmware.com/kb/1006358
ESX 3.0.2 patch ESX-1006360
http://download3.vmware.com/software/vi/ESX-1006360.tgz
md5sum: 5d2d629b6c4b1894571742569ae2e2da
http://kb.vmware.com/kb/1006360
ESX 3.0.1 patch ESX-1006359
http://download3.vmware.com/software/vi/ESX-1006359.tgz
md5sum: 2224d6e27b86f3155ce9d5895f1f191a
http://kb.vmware.com/kb/1006359

Computer vulnerabilities tracking service

Vigil@nce provides a computer vulnerability note. The Vigil@nce vulnerability database contains several thousand vulnerabilities.