Note: This is an archival copy of Security Sun Alert 200678 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000533.1.
Java Dynamic Management Kit 5.1
Date of Resolved Release
A security vulnerability in the JMX RMI-IIOP API may allow a local user who is able to create a JMX RMI-IIOP server application to gain unauthorized access to certain local data if a remote user who has privileges to access that data connects to that server application.
Note: JMX RMI-IIOP stands for:
This issue can occur in the following releases:
Note 1: This issue only affects systems which host applications deployed with the JMX RMI-IIOP API which is part of the Java Dynamic Management Kit product. This issue applies to JMX agents deployed under all of the following conditions:
In this case, the code covered by (3) may be able to access the protected MBeans despite the restrictions defined in (2).
Note 2: Java Dynamic Management Kit 5.0 does not include the Java Management Extensions Remote API and is therefore not impacted by this issue.
There are no predictable symptoms that would indicate the described vulnerability has been exploited.
There is no workaround for this issue. Please see the Resolution section below.
This issue is addressed in the following releases:
Note: When the JDMK product is used with JDK 5.0, this issue must be resolved within the JDK by upgrading to JDK 5.0 Update 5 or later. The JDMK is not impacted when used with JDK 5.0 Update 5 or later.
The latest JDK 5.0 update is available for download at:
When the JDMK product is used with JDK 1.4 or earlier, this issue must be resolved within the JDMK product by installing one of the patches listed above. Solaris 10 is shipped with JDMK 5.1, and systems which make use of this bundled product with JDK 1.4 or earlier should install patch 124939-03 to address this issue.
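The resolution notes above can be turned into a version check for hosts that run JDMK 5.1 agents. The script below is an added example, not part of the Sun advisory; the function names and result labels are hypothetical, and the sample banner is constructed. It only classifies the JDK version and does not detect whether a JMX RMI-IIOP agent is deployed.

```shell
#!/bin/sh
# Constructed sample input: first line printed by `java -version 2>&1`.
SAMPLE_BANNER='java version "1.5.0_04"'

# Pull the quoted version string out of a `java -version` banner line.
jdk_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p'
}

# Map a JDK version string (e.g. 1.5.0_04, 1.4.2_19, 1.5.0_08-b03) to the
# resolution path described in the advisory. Labels are hypothetical:
#   not-impacted  JDK 5.0 Update 5 or later
#   upgrade-jdk   JDK 5.0 before Update 5: fix is in the JDK
#   patch-jdmk    JDK 1.4 or earlier: fix is a JDMK patch
#                 (124939-03 for the JDMK 5.1 bundled with Solaris 10)
#   not-covered   JDK release the advisory does not discuss
#   unknown       version string could not be parsed
jdmk_triage() {
    ver=$1
    base=${ver%%[_-]*}                       # 1.5.0_04-b05 -> 1.5.0
    case $ver in
        *_*) upd=${ver#*_}; upd=${upd%%-*} ;; # 1.5.0_04-b05 -> 04
        *)   upd=0 ;;                         # no update suffix: base release
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    for field in "$major" "$minor" "$upd"; do
        case $field in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    # Drop leading zeros so "08" is compared as decimal 8.
    upd=$(printf '%s' "$upd" | sed 's/^0*//'); upd=${upd:-0}
    if [ "$major" -ne 1 ] || [ "$minor" -gt 5 ]; then
        echo not-covered
    elif [ "$minor" -le 4 ]; then
        echo patch-jdmk
    elif [ "$upd" -ge 5 ]; then
        echo not-impacted
    else
        echo upgrade-jdk
    fi
}

jdmk_triage "$(jdk_version_from_banner "$SAMPLE_BANNER")"
```

On a live host, pass the first line of `java -version 2>&1` from the JVM that actually runs the JDMK agent, since several JDKs may be installed side by side.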