Note: This is an archival copy of Security Sun Alert 230789 as previously published on
Latest version of this security advisory is available from as Sun Alert 1018933.1.
Article ID : 1018933.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-11-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability With Java Runtime Environment May Allow Untrusted Applet to Elevate Privileges


Release Phase

Java 2 Platform, Standard Edition

Bug Id

Date of Resolved Release


A vulnerability in the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Sun acknowledges, with thanks, Adam Gowdiak, for bringing this issue to our attention.

Contributing Factors

This issue can occur in the following J2SE releases:

  • JDK and JRE 5.0 Update 3 and earlier for Windows, Solaris and Linux

Note: SDK and JRE 1.4.2_xx and earlier, and 1.3.1_xx releases for Windows, Solaris and Linux are not affected by this issue.

To determine the default version of the JRE on a system, the following command can be run:

For Windows:

    Click "Start"
    Select "Run"
    Type "cmd"
    At the prompt, type "java -fullversion"

For Solaris and Linux:

    % java -fullversion
    java full version "1.5.0_02-b09"

Note: The above command only determines the default version. Other versions may also be installed on the system.


There are no reliable symptoms that would indicate the described issue has been exploited.


There is no workaround. Please see the "Resolution" section below.


This issue is addressed in the following J2SE releases:

  • JDK and JRE 5.0 Update 4 and later for Windows, Solaris, and Linux

J2SE 5.0 is available for download at:

Note: It is recommended that affected versions be removed from your system. For more information, please see the installation notes on the respective download pages.

This solution has no attachment