Note: This is an archival copy of Security Sun Alert 201586 as previously published on
Latest version of this security advisory is available from as Sun Alert 1001191.1.
Article ID : 1001191.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-19
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Potential Security Issue in ServerSocket.accept()


Release Phase

Date of Resolved Release


An implementation bug in Java 1.1.x releases allows an untrusted applet to accept connections from hosts other than the host the applet was loaded from. The sandbox is meant to forbid this, but the bug by itself does not let the applet violate any other Java sandbox restriction, and a firewall will block such incoming connections from the Internet. This is a Java 1.1.x implementation bug, not an architectural flaw in the Java Security Model.

An exploit called Brown Orifice was publicly posted recently. Brown Orifice exploits a bug in the Netscape Java Runtime Environment (see CERT Advisory CA-2000-15). It also exploits this implementation bug. Sun's supported versions of J2SE 1.2 and later are not affected.
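To make the sandbox rule in question concrete, the following is an added example and is not code from the Sun Alert or from the JDK. It shows the origin check that a correct applet runtime applies when an untrusted applet calls ServerSocket.accept(): the peer of every accepted connection is compared with the host the applet was loaded from, and anything else is closed unused. In the real 1.1 runtime this check lives in the applet SecurityManager's checkAccept(host, port); here it is written as an explicit post-accept check so it can run stand-alone. The class name, the codebaseHost argument and the use of an ephemeral port are assumptions made for this example.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;

/**
 * Added example (not from the Sun Alert): an applet-style server that only
 * talks to the host the applet came from. The "codebase host" is supplied by
 * the caller; everything else about the setup is assumed for illustration.
 */
public class OriginCheckedServer {

    /**
     * The sandbox rule: an untrusted applet may accept a connection only from
     * the host it was loaded from. InetAddress.equals compares address bytes,
     * so this is an exact-address match, not a hostname string comparison.
     */
    static boolean isAcceptPermitted(InetAddress peer, InetAddress codebaseHost) {
        return peer != null && peer.equals(codebaseHost);
    }

    /**
     * Accept loop. Connections from any other host are closed immediately,
     * before a single byte is read, which is the same outcome a correct
     * SecurityManager.checkAccept() produces for the applet.
     */
    static void serve(ServerSocket server, InetAddress codebaseHost) throws IOException {
        while (true) {
            Socket client = server.accept();
            InetAddress peer = client.getInetAddress();
            if (!isAcceptPermitted(peer, codebaseHost)) {
                System.err.println("rejected connection from " + peer
                    + " (only " + codebaseHost + " is permitted)");
                client.close();
                continue;
            }
            // A permitted peer: handle the connection here (omitted), then close.
            client.close();
        }
    }

    public static void main(String[] args) throws IOException {
        // Assumed value: the applet's codebase host, defaulting to loopback
        // so the example runs offline. Port 0 asks the OS for a free port.
        String host = args.length > 0 ? args[0] : "127.0.0.1";
        InetAddress codebaseHost = InetAddress.getByName(host);
        try (ServerSocket server = new ServerSocket(0)) {
            System.out.println("listening on port " + server.getLocalPort()
                + ", accepting only from " + codebaseHost);
            serve(server, codebaseHost);
        }
    }
}
```

The affected 1.1.x runtimes skipped the equivalent of isAcceptPermitted, so an applet's accept() returned sockets from arbitrary hosts; the fixed releases listed under Resolution restore that check. A production check would also have to resolve every address the codebase host maps to rather than a single one, which this example does not do.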

Contributing Factors

Customer deployments of Java 1.1.x may encounter this issue if code exploiting the problem is introduced into their runtime environment.

Symptoms

There may be no obvious symptoms.

Workaround

Please see resolution.

Resolution

The issue is addressed in the following upgrade releases:

Windows Production and Solaris Reference Releases:

JDK/JRE 1.1.8_005  & plugin1.1.3_003  Posted at web-site
JDK/JRE 1.1.7B_007 & plugin1.1.2_006  Available approx: 8/24/2000
JDK/JRE 1.1.6_009  & plugin1.1.1_006  Available approx: 8/25/2000

Solaris Production Release:

JDK/JRE 1.1.8_12  Available approx: 8/21/2000
(Note: No plugin exists for the 1.1.x Solaris production release)

available from:

Modification History
Product

Sun Java Standard Edition (Java SE)

This solution has no attachment