Security Advisories and Notifications


Subject: Security Advisory (BEA08-198.00)
From: Oracle Corporation
Minor Subject: Multiple Security Vulnerabilities in Java Web Start and the Java Plug-in for browsers
Product(s) Affected: BEA JRockit R24 and BEA JRockit R25

Threat level: Low
Multiple security vulnerabilities were found that might give applets or Java Web Start applications elevated privileges. These vulnerabilities only affect client-side applications.

Severity: Medium
Applets or Java Web Start applications might elevate their privileges.

Problems were identified that could potentially cause security vulnerabilities in very old versions of JRockit. The vulnerabilities only affect Java Web Start and the Java Plug-in for browsers. As these features are no longer supported, newer versions of JRockit (R26 and later) are not affected. Customers that are not using Java Web Start or the Java Plug-in are also not affected. Oracle treats potential security problems with a high degree of urgency and endeavors to take appropriate steps to help ensure the security of our customers' systems. As a result, Oracle strongly suggests the following actions:

I. Read the following advisory.
II. Apply the suggested action if any (most users will not be affected).
III. If you know of any additional users interested in future security advisories, please forward them the registration instructions included in this advisory.

I. Advisory

This is a combined security advisory for the Sun Emergency 6 Update 3, 5.0 Update 13 and 1.4.2_16 releases. The corresponding Sun Security Alerts are: #103071, #103072, #103073, #103078 and #103079.

Sun Security Alert #103071
Java Runtime Environment (JRE) May Allow Untrusted Applets or Applications to Display An Oversized Window so that the Warning Banner is Not Visible to User.

When an untrusted applet or application displays a window, the Java Runtime Environment includes a warning banner inside the window to indicate that the applet or application is untrusted. A defect in the Java Runtime Environment may allow an untrusted applet or application that is downloaded from a malicious website to display a window that exceeds the size of a user's screen so that the warning banner is not visible to the user.

This issue affects the following releases:

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier

Sun Microsystems advised of this JRE vulnerability at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1


Sun Security Alert #103072
An Untrusted Java Web Start Application or Java Applet May Move or Copy Arbitrary Files by Requesting the User to Drag and Drop a File from Application or Applet Window to a Desktop Application.

A vulnerability in the Java Runtime Environment may allow an untrusted Java Web Start application or Java applet to move or copy arbitrary files on the system that the application or applet runs on, by requesting the user of the application or applet to drag a file from the application or applet window to a desktop application that has permissions to accept and write files on the system. To exploit this vulnerability, the application or applet has to successfully persuade the user to drag and drop the file.

This issue affects the following releases:

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier

Sun Microsystems advised of this JRE vulnerability at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1

Sun Security Alert #103073
Multiple Security Vulnerabilities in Java Web Start Relating to Local File Access.

  1. A vulnerability in Java Web Start may allow an untrusted application to read local files that are accessible to the user running the untrusted application.
  2. Two vulnerabilities in Java Web Start may allow an untrusted application to read and write local files that are accessible to the user running the untrusted application.
  3. Three vulnerabilities in Java Web Start may allow an untrusted application to determine the location of the Java Web Start cache.

These issues affect the following releases:

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier

Sun Microsystems advised of this JRE vulnerability at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1

Sun Security Alert #103078
Security Vulnerabilities in Java Runtime Environment May Allow Network Access Restrictions to be Circumvented.

  1. A vulnerability in the Java Runtime Environment (JRE) may allow malicious JavaScript code that is downloaded by a browser from a malicious website to make network connections, through Java APIs, to network services on machines other than the one that the JavaScript code was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.
  2. A second vulnerability in the JRE may allow an untrusted applet that is downloaded from a malicious website through a web proxy to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.

Both issues are reported in the following publication:
http://crypto.stanford.edu/dns/
and the second issue is also reported at:
http://seclists.org/fulldisclosure/2007/Jul/0159.html

These issues affect the following releases:

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier

Sun Microsystems advised of this JRE vulnerability at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103078-1

Sun Security Alert #103079
Security Vulnerability in Java Runtime Environment with Applet Caching May Allow Network Access Restrictions to be Circumvented.

A vulnerability in the Java Runtime Environment (JRE) with applet caching may allow an untrusted applet that is downloaded from a malicious website to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.

This issue has been reported at:
http://conference.hitb.org/hitbsecconf2007kl/?page_id=148

This issue affects the following releases:

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier

Sun Microsystems advised of this JRE vulnerability at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1

Sun Security Alert #103112
Vulnerability in Java Runtime Environment Virtual Machine May Allow Untrusted Application or Applet to Elevate Privileges.

A vulnerability in the Virtual Machine of the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

This issue affects the following releases:

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier

Sun Microsystems advised of this JRE vulnerability at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1

Impact and CVSS Ratings:

The issues described above are rated equally:

CVSS Severity Score: 2.4 (Low)
Attack Range (AV): Local
Attack Complexity (AC): High
Authentication Level (Au): Single Instance
Impact Type: Elevation of Privileges, Partial Confidentiality and Availability impact
Vulnerability Type: Elevation of Privilege
CVSS Base Score Vector: (AV:L/AC:H/Au:S/C:P/I:P/A:N)

Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
Online Calculator: http://nvd.nist.gov/cvss.cfm?calculator&version=2

The following versions of BEA JRockit are affected by these vulnerabilities:

  • BEA JRockit R24: JRockit 1.4.2_04 R24.3 to 1.4.2_08 R24.5
  • BEA JRockit R25: JRockit 1.5.0 R25.0 to 1.5.0_03 R25.2

II. SUGGESTED ACTION

Only customers using Java Web Start or the Java Plug-in for browsers (features that are only available in BEA JRockit R24 and R25) are affected. You can verify your version of BEA JRockit by running "java -version". BEA recommends upgrading to the latest version of BEA JRockit. If your company needs to use the Java Plug-in or Java Web Start, please contact BEA support.
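The version check above, as an added example that is not part of the advisory: a POSIX shell function that reads a "java -version" banner and classifies the JRockit release tag against the R24.3 to R24.5 and R25.0 to R25.2 ranges listed in this advisory. The banner texts below are constructed samples, not real JRockit output, and the check says nothing about whether Java Web Start or the Plug-in is actually in use.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a `java -version` banner
# against the affected BEA JRockit release ranges named in this advisory.

# Reads the banner on stdin and prints one of: affected, not-affected, unknown.
jrockit_status() {
    # Extract the first JRockit release tag such as R24.5 from a line like
    # "BEA JRockit(R) (build R24.5.0-..., Native Threads)". "(R)" has no
    # digits after the R, so it is not matched.
    rel=$(sed -n 's/.*\(R[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$rel" ]; then
        echo unknown          # no JRockit release tag: not a JRockit banner
        return 0
    fi
    major=${rel%%.*}; major=${major#R}   # "R24.5" -> 24
    minor=${rel#*.}                      # "R24.5" -> 5
    if [ "$major" -eq 24 ] && [ "$minor" -ge 3 ] && [ "$minor" -le 5 ]; then
        echo affected         # R24.3 to R24.5
    elif [ "$major" -eq 25 ] && [ "$minor" -le 2 ]; then
        echo affected         # R25.0 to R25.2
    else
        echo not-affected     # R26 and later, or a release outside the ranges
    fi
}

# Constructed sample banners (shape only; build strings are placeholders).
BANNER_R24='java version "1.4.2_08"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_08-CONSTRUCTED)
BEA JRockit(R) (build R24.5.0-CONSTRUCTED, Native Threads)'

BANNER_R26='java version "1.5.0_06"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_06-CONSTRUCTED)
BEA JRockit(R) (build R26.4.0-CONSTRUCTED, Native Threads)'

BANNER_HOTSPOT='java version "1.6.0_03"
Java(TM) SE Runtime Environment (build 1.6.0_03-CONSTRUCTED)
Java HotSpot(TM) Client VM (build 1.6.0_03-CONSTRUCTED, mixed mode)'

# Show the classification of each constructed banner.
for b in "$BANNER_R24" "$BANNER_R26" "$BANNER_HOTSPOT"; do
    printf '%s\n' "$b" | jrockit_status
done
```

Against a live installation, pipe the real banner in with `java -version 2>&1 | jrockit_status` (the banner is written to stderr).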



SECURITY COMMUNICATIONS

Oracle strongly suggests that customers apply the remedies recommended in all our security advisories. Oracle also urges customers to apply every Service/Maintenance Pack as they are released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at: http://www.oracle.com/technology/software/products/ias/bea_main.html

Note: Information about securing WebLogic Server and WebLogic Express can be found at http://edocs.bea.com/wls/docs103/security.html. Specific lockdown information is provided at http://e-docs.bea.com/wls/docs103/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.

As a policy, if there are any security-related issues with any Oracle product, Oracle will distribute an advisory and instructions with the appropriate course of action. Because the security of your site, data, and code is our highest priority, we are committed to communicating all security-related issues clearly and openly.

All previous advisories can be viewed at: http://www.oracle.com/technology/deploy/security/wls-security.

Additional users who wish to register for product advisory distribution should follow the registration directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Security issues can be reported to Oracle by following the directions at: http://www.oracle.com/technology/deploy/security/alerts.htm.

Thank you,
Oracle Corporation