Note: This is an archival copy of Security Sun Alert 201102 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000822.1.
Article ID : 1000822.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-11-07
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability With Java Management Extensions in the Java Runtime Environment may Allow Untrusted Applet to Elevate Privileges



Category
Security

Release Phase
Resolved

Product
Java 2 Platform, Standard Edition

Bug Id
6268876

Date of Resolved Release
28-NOV-2005

Impact

A vulnerability with the Java Management Extensions (JMX) implementation included with the Java Runtime Environment (JRE) may allow an untrusted applet to elevate its privileges. For example an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

Sun acknowledges, with thanks, Adam Gowdiak, for bringing this issue to our attention.


Contributing Factors

This issue can occur in the following releases:

Java 2 Platform Standard Edition

  • JDK and JRE 5.0 Update 3 (for Windows, Solaris and Linux)or earlier

Note: SDK and JRE 1.4.2_xx and earlier, and 1.3.1_xx and earlier are not affected. All Java Management Extensions (JMX) reference implementations and all releases of the Java Dynamic Management Kit (JDMK) are not affected by this issue.

To determine the default version of the JRE on a system:

for Windows:

    Click "Start"
Select "Run"
Type "cmd"
    At the prompt, type "java -fullversion"

for Solaris and Linux:

    % java -fullversion
    java full version "1.5.0_02-b09"

Note: The above command only determines the default version. Other versions may also be installed on the system.


Symptoms

There are no reliable symptoms that would show the described issue has been exploited.


Workaround

There is no workaround. Please see Resolution section below.


Resolution

This issue is addressed in the following releases:

Java 2 Platform Standard Edition

  • JDK and JRE 5.0 Update 4 (for for Windows, Solaris, and Linux) or later

J2SE 5.0 is available for download at the following links, http://java.sun.com/j2se/1.5.0/download.jsp and http://java.com.

Note: It is recommended that affected versions be removed from your system. For more information, see the installation notes on the respective java.sun.com download pages.

 













Attachments
This solution has no attachment