The Third Party Vulnerability Resolution Blog covers CVEs and patches in the Systems product suite.

Sun Alert 103078 Security Vulnerabilities in Java Runtime Environment May Allow Network Access Restrictions to be Circumvented

Guest Author
Product: Java 2 Platform, Standard Edition

[1] A vulnerability in the Java Runtime Environment (JRE) may allow malicious JavaScript code that is downloaded by a browser from a malicious website to make network connections, through Java APIs, to network services on machines other than the one that the JavaScript code was downloaded from. This may allow network resources (such as web pages) that are not otherwise normally accessible to be accessed, and vulnerabilities that exist on these network services to be exploited.

[2] A second vulnerability in the JRE may allow an untrusted applet that is downloaded from a malicious website through a web proxy to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) that are not otherwise normally accessible to be accessed, and vulnerabilities that exist on these network services to be exploited.

Both issues are reported in the following publication:

http://crypto.stanford.edu/dns/

and the second issue is also reported at:

http://seclists.org/fulldisclosure/2007/Jul/0159.html

Sun acknowledges, with thanks, Dan Boneh, Collin Jackson, Adam Barth, Andrew Bortz, Weidong Shao, and David Byrne for bringing these issues to our attention.

Avoidance: Patch, Upgrade, Workaround
State: Workaround
First released: 03-Oct-2007

Comments ( 1 )
  • Andreas Bunten Tuesday, October 23, 2007

    Hello,

    why on earth does the "change history" only contain the usual "Updated Resolution section" instead of real information on what was done? It seems this was - again - just a text correction. It would be very helpful to note this in the change history instead of letting everybody search for changes with diff ...

    Thanks,
    anreas
