JVN#18680611
Java Web Start may insecurely load dynamic libraries
Overview
Java Web Start provided Oracle may use unsafe methods for determining how to load DLLs.
Products Affected
- Java SE 6 Update 25 and earlier for Windows
Description
Java Web Start is tool to distribute Java applications over the web and is contained in Java applications such as JRE (Java Runtime Environment) Java Web Start contains an issue with the DLL search path, which may lead to insecurely loading dynamic libraries.
Impact
An attacker may execute arbitrary code with the privilege of the running application.
Solution
Update the software
Update to the latest version according to the information provided by the developer.
Vendor Status
| Vendor | Link |
| Oracle | Oracle Java SE Critical Patch Update Advisory - June 2011 |
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2011.06.10
| Measures | Conditions | Severity |
|---|---|---|
| Access Required | can be attacked over the Internet using packets |
|
| Authentication | anonymous or no authentication (IP addresses do not count) |
|
| User Interaction Required | the user must be convinced to take a standard action that does not feel harmful to most users, such as click on a link or view a file |
|
| Exploit Complexity | some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) |
|
Credit
Hisashi Kojima of Fujitsu Laboratories, Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert | |
| JPCERT Reports | |
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2011-0866 |
| JVN iPedia |
JVNDB-2011-000035 |
Update History
- 2011/06/30
- Information under the sections "References" were modified.