
             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

     Security Vulnerability in the Java Runtime Environment Virtual Machine
                             [Sun Alert ID: 238967]

July 28, 2008 19:00 GMT                                           Number S-345
______________________________________________________________________________
PROBLEM:       A vulnerability in the Java Runtime Environment Virtual Machine 
               may allow an untrusted application or applet that is downloaded 
               from a website to elevate its privileges. 
PLATFORM:      Java Platform, Standard Edition (Java SE) 
DAMAGE:        Elevation of privileges. 
SOLUTION:      Upgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. The application or applet may grant itself 
ASSESSMENT:    permissions to read and write local files or execute local 
               applications that are accessible to the user running the 
               untrusted application or applet. 
______________________________________________________________________________
CVSS 2 BASE SCORE: 7.5 
 TEMPORAL SCORE:   6.2 
 VECTOR:           (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C) 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-345.shtml 
 ORIGINAL BULLETIN:  http://sunsolve.sun.com/search/document.do?assetkey=1-66-238967-1 
 ADDITIONAL LINKS:   http://sunsolve.sun.com/search/document.do?assetkey=1-66-238968-1 
                     http://sunsolve.sun.com/search/document.do?assetkey=1-66-238905-1 
					 http://sunsolve.sun.com/search/document.do?assetkey=1-66-238687-1 
					 http://sunsolve.sun.com/search/document.do?assetkey=1-66-238666-1 
					 http://sunsolve.sun.com/search/document.do?assetkey=1-66-238966-1 
					 http://sunsolve.sun.com/search/document.do?assetkey=1-66-238965-1 
					 http://sunsolve.sun.com/search/document.do?assetkey=1-66-238628-1 
______________________________________________________________________________
[***** Start Sun Alert ID: 238967 *****]

Document Audience: PUBLIC 
Document ID: 238967 
Title: Security Vulnerability in the Java Runtime Environment Virtual Machine may 
           allow an untrusted Application or Applet to Elevate Privileges 
Copyright Notice: Copyright © 2008 Sun Microsystems, Inc. All Rights Reserved 
Update Date: Tue Jul 08 00:00:00 MDT 2008 

--------------------------------------------------------------------------------
Solution Type Sun Alert

Solution  238967 :   Security Vulnerability in the Java Runtime Environment Virtual 
Machine may allow an untrusted Application or Applet to Elevate Privileges  


Related Categories 
Home>Content>Sun Alert Criteria Categories>Security Home>Content>Sun Alert Release 
Phase>Resolved  


Bug ID

6661918


Product

Java Platform, Standard Edition (Java SE)


Date of Resolved Release

08-Jul-2008


SA Document Body

Security Vulnerability in the Java Runtime Environment Virtual Machine may allow an 
untrusted Application or Applet to elevate Privileges
1. Impact

A vulnerability in the Java Runtime Environment Virtual Machine may allow an untrusted 
application or applet that is downloaded from a website to elevate its privileges. For 
example, the application or applet may grant itself permissions to read and write 
local files or execute local applications that are accessible to the user running the 
untrusted application or applet.

Sun acknowledges with thanks, Fujitsu for bringing this issue to our attention.

2. Contributing Factors

This issue can occur in the following releases for Windows, Solaris, and Linux:

JDK and JRE 6 Update 6 and earlier 
JDK and JRE 5.0 Update 15 and earlier 
SDK and JRE 1.4.2_17 and earlier 

Note: SDK and JRE 1.3.x are not affected.

To determine the default version of the JRE that Internet Explorer uses:

Click "Tools" in the Menu Bar at the top of the browser 
Select "Sun Java Console" 
The first two lines in the console displays the version of Java Plug-in and JRE that 
Internet Explorer uses 

To determine the default version of the JRE that Mozilla or Firefox browsers use, visit 
the URL "about:plugins".

The browser will display a page called "Installed plug-ins" which lists the version of 
the Java Plug-in as in the following example:


Java(TM) Plug-in 1.5.0_11-b03


The example above indicates the version of the JRE that the browser uses is 1.5.0_11.

3. Symptoms

There are no predictable symptoms that would indicate the above issue has been exploited.

4. Workaround

There is no workaround for this issue. Please see the Resolution section below.

5. Resolution

This issue is addressed in the following releases for Windows, Solaris, and Linux:

JDK and JRE 6 Update 7 or later 
JDK and JRE 5.0 Update 16 or later 
SDK and JRE 1.4.2_18 or later 

JDK and JRE 6 Update 7 is available for download at the following links:


http://java.sun.com/javase/downloads/index.jsp



http://java.com/


JRE 6 updates are available through the Java Update tool for Microsoft Windows users.

JDK 6 Update 7 for Solaris is available in the following patches:

Java SE 6 Update 7 (as delivered in patch 125136-09 or later) 
Java SE 6 Update 7 (as delivered in patch 125137-09 or later (64bit)) 
Java SE 6_x86 Update 7 (as delivered in patch 125138-09 or later) 
Java SE 6_x86 Update 7 (as delivered in patch 125139-09 or later (64bit)) 

JDK and JRE 5.0 Update 16 is available for download at the following link:


http://java.sun.com/javase/downloads/index_jdk5.jsp


JDK 5.0 Update 16 for Solaris is available in the following patches:

J2SE 5.0: update 16 (as delivered in patch 118666-17) 
J2SE 5.0: update 16 (as delivered in patch 118667-17 (64bit)) 
J2SE 5.0_x86: update 16 (as delivered in patch 118668-17) 
J2SE 5.0_x86: update 16 (as delivered in patch 118669-17 (64bit)) 

SDK and JRE 1.4.2_18 is available for download at the following link:


http://java.sun.com/j2se/1.4.2/download.html


Note: When installing a new version of the product from a source other than a Solaris 
patch, it is recommended that the old affected versions be removed from your system. 
To remove old affected versions on the Windows platform, please see:


http://java.com/en/download/help/uninstall_java.xml


For more information on Security Sun Alerts, see Technical Instruction ID 213557.


This Sun Alert notification is being provided to you on an "AS IS" basis. This 
Sun Alert notification may contain information provided by third parties. The 
issues described in this Sun Alert notification may or may not impact your 
system(s). Sun makes no representations, warranties, or guarantees as to the 
information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, 
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS 
DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, 
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR 
USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert 
notification contains Sun proprietary and confidential information. It is being 
provided to you pursuant to the provisions of your agreement to purchase services 
from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This 
Sun Alert notification may only be used for the purposes contemplated by these 
agreements. 

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 
95054 U.S.A. All rights reserved.





[***** End Sun Alert ID: 238967 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update