Published: 2008-07-20T10:29+00:00    Last Updated: 2008-07-20T10:29+00:00

TRTA08-193A
Sun Java Updates for Multiple Vulnerabilities

Overview

Sun has released alerts to address multiple vulnerabilities affecting the Sun Java Runtime Environment. The most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code.

Event Information

Date (UTC)Description
2008-07-11 20:04 US-CERT
TA08-193A: Sun Java Updates for Multiple Vulnerabilities
Via US-CERT Mailing List
2008-07-10 12:30 US-CERT
Sun Releases Updates for Java SE
US-CERT Current Activity
Sun has released updates for Java SE. These updates address multiple vulnerabilities in Java Runtime Environment (JRE), Java Web Start, Java Management Extensions (JMX), JDK, and Java Runtime Environment Virtual Machine. These vulnerabilities may allow a remote attacker to execute arbitrary code, bypass security restrictions, obtain sensitive information or cause a denial-of-service condition.
2008-07-10 02:51 SANS Internet Storm Center
Java Update
Couple readers told us about a security relevant update to Java.
2008-07-08 06:00 Sun Microsystems
238965: Security Vulnerability in Java Management Extensions (JMX)
A vulnerability in the Java Management Extensions (JMX) management agent included in the Java Runtime Environment (JRE) may allow a JMX client running on a remote host to perform unauthorized operations on a system running JMX with local monitoring enabled.
2008-07-08 06:00 Sun Microsystems
238966: Security Vulnerability in JDK/JRE Secure Static Versioning
Secure Static Versioning was introduced in JDK and JRE 5.0 Update 6. With this feature, after the installation of a JRE 5.0 Update 6 or later release, applets are not allowed to run on an older release of the JRE. Due to a defect in the implementation, if an older release is subsequently installed, applets may run on that older release.
2008-07-08 06:00 Sun Microsystems
238967: Security Vulnerability in the Java Runtime Environment Virtual Machine may allow an untrusted Application or Applet to Elevate Privileges
A vulnerability in the Java Runtime Environment Virtual Machine may allow an untrusted application or applet that is downloaded from a website to elevate its privileges. For example, the application or applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted application or applet.
2008-07-08 06:00 Sun Microsystems
238968: Security Vulnerabilities in the Java Runtime Environment may allow Same Origin Policy to be Bypassed
Security vulnerabilities in the Java Runtime Environment may allow an untrusted applet that is loaded from a remote system to circumvent network access restrictions and establish socket connections to certain services running on machines other than the one that the applet was downloaded from. This may allow the untrusted remote applet the ability to exploit any security vulnerabilities existing in the services it has connected to.
2008-07-08 06:00 Sun Microsystems
238628: Security Vulnerabilities in the Java Runtime Environment related to the processing of XML Data
A vulnerability in the Java Runtime Environment related to the processing of XML data may allow unauthorized access to certain URL resources (such as some files and web pages) or a Denial of Service (DoS) condition to be created on the system running the JRE.
2008-07-08 06:00 Sun Microsystems
238666: A Security Vulnerability with the processing of fonts in the Java Runtime Environment may allow Elevation of Privileges
A buffer overflow security vulnerability with the processing of fonts in the Java Runtime Environment (JRE) may allow an untrusted applet or application to elevate its privileges.
2008-07-08 06:00 Sun Microsystems
238687: Security Vulnerabilities in the Java Runtime Environment Scripting Language Support
A vulnerability in the Java Runtime Environment relating to scripting language support may allow an untrusted applet or application to elevate its privileges.
2008-07-08 06:00 Sun Microsystems
238905: Multiple Security Vulnerabilities in Java Web Start may allow Privileges to be Elevated
2008-05-05 Zero Day Initiative (ZDI)
ZDI-08-042: Sun Java Web Start Sandbox Bypass Vulnerability
Vulnerability Reported
The specific flaw exists in the writeManifest() method of the CacheEntry class. A directory traversal flaw in this method allows the creation of arbitrary files on the target system. After the file has been created, a call to Runtime.getRuntime.exec() can be used to execute the file.
2008-01-17 Zero Day Initiative (ZDI)
ZDI-08-043: Sun Java Web Start vm args Stack Buffer Overflow
Vulnerability Reported
The specific flaw exists in the GetVMArgsOption() function used while parsing the java-vm-args attribute of the j2se tag in xml based JNLP files. When a user downloads a malicious JNLP file, the vulnerable attribute is read into a static buffer. If an overly long value is defined by the java-vm-args attribute, a stack based buffer overflow occurs, resulting in an exploitable condition.

Other Information

CVE