
Security Advisories and Notifications

Subject: Security Advisory (BEA08-198.00)
From: BEA Systems Inc.
Minor Subject: Multiple Security Vulnerabilities in Java Web Start and the Java Plug-in for browsers
Product(s) Affected: BEA JRockit R24 and BEA JRockit R25

Threat level: Low
Multiple security vulnerabilities were found that might give applets or Java Web Start applications elevated privileges. These vulnerabilities affect only client-side applications.

Severity: Medium
Applets or Java Web Start applications might elevate their privileges.

Problems were identified that could potentially cause security vulnerabilities in very old versions of JRockit. The vulnerabilities affect only Java Web Start and the Java Plug-in for browsers. Because these features are no longer supported, newer versions of JRockit (R26 and later) are not affected. Customers that do not use Java Web Start or the Java Plug-in are also not affected. BEA Systems treats potential security problems with a high degree of urgency and endeavors to take appropriate steps to help ensure the security of our customers' systems. As a result, BEA Systems strongly suggests the following actions:

I. Read the following advisory.
II. Apply the suggested action if any (most users will not be affected).
III. If you know of any additional users interested in future security advisories, please forward them the registration instructions included in this advisory.

I. ADVISORY

This is a combined security advisory for the Sun Emergency 6 Update 3, 5.0 Update 13 and 1.4.2_16 releases. The corresponding Sun Security Alerts are: #103071, #103072, #103073, #103078 and #103079.

Sun Security Alert #103071
Java Runtime Environment (JRE) May Allow Untrusted Applets or Applications to Display An Oversized Window so that the Warning Banner is Not Visible to User.

When an untrusted applet or application displays a window, the Java Runtime Environment includes a warning banner inside the window to indicate that the applet or application is untrusted. A defect in the Java Runtime Environment may allow an untrusted applet or application that is downloaded from a malicious website to display a window that exceeds the size of a user's screen so that the warning banner is not visible to the user.

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier
  • Sun Microsystems advised of this JRE vulnerability at:
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1


    Sun Security Alert #103072
    An Untrusted Java Web Start Application or Java Applet May Move or Copy Arbitrary Files by Requesting the User to Drag and Drop a File from Application or Applet Window to a Desktop Application.

    A vulnerability in the Java Runtime Environment may allow an untrusted Java Web Start application or Java applet to move or copy arbitrary files on the system that the application or applet runs on, by requesting the user of the application or applet to drag a file from the application or applet window to a desktop application that has permissions to accept and write files on the system. To exploit this vulnerability, the application or applet has to successfully persuade the user to drag and drop the file.

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier
  • Sun Microsystems advised of this JRE vulnerability at:
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1

    Sun Security Alert #103073
    Multiple Security Vulnerabilities in Java Web Start Relating to Local File Access.

    1. A vulnerability in Java Web Start may allow an untrusted application to read local files that are accessible to the user running the untrusted application.
    2. Two vulnerabilities in Java Web Start may allow an untrusted application to read and write local files that are accessible to the user running the untrusted application.
    3. Three vulnerabilities in Java Web Start may allow an untrusted application to determine the location of the Java Web Start cache.

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • Sun Microsystems advised of this JRE vulnerability at:
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1

    Sun Security Alert #103078
    Security Vulnerabilities in Java Runtime Environment May Allow Network Access Restrictions to be Circumvented.

    1. A vulnerability in the Java Runtime Environment (JRE) may allow malicious JavaScript code that is downloaded by a browser from a malicious website to make network connections, through Java APIs, to network services on machines other than the one that the JavaScript code was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.
    2. A second vulnerability in the JRE may allow an untrusted applet that is downloaded from a malicious website through a web proxy to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.

    Both issues are reported in the following publication:
    http://crypto.stanford.edu/dns/
    and the second issue is also reported at:
    http://seclists.org/fulldisclosure/2007/Jul/0159.html

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier
  • Sun Microsystems advised of this JRE vulnerability at:
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-103078-1

    Sun Security Alert #103079
    Security Vulnerability in Java Runtime Environment with Applet Caching May Allow Network Access Restrictions to be Circumvented.

    A vulnerability in the Java Runtime Environment (JRE) with applet caching may allow an untrusted applet that is downloaded from a malicious website to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.

    This issue has been reported at:
    http://conference.hitb.org/hitbsecconf2007kl/?page_id=148

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier
  • Sun Microsystems advised of this JRE vulnerability at:
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1

    Sun Security Alert #103112
    Vulnerability in Java Runtime Environment Virtual Machine May Allow Untrusted Application or Applet to Elevate Privileges.

    A vulnerability in the Virtual Machine of the Java Runtime Environment may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet.

  • JDK and JRE 6 Update 2 and earlier
  • JDK and JRE 5.0 Update 12 and earlier
  • SDK and JRE 1.4.2_15 and earlier
  • SDK and JRE 1.3.1_20 and earlier
  • Sun Microsystems advised of this JRE vulnerability at:
    http://sunsolve.sun.com/search/document.do?assetkey=1-26-103112-1

    Impact and CVSS Ratings:

    The issues described above are rated equally:

    CVSS Severity Score: 2.4 (Low)
    Attack Range (AV): Local
    Attack Complexity (AC): High
    Authentication Level (Au): Single Instance
    Impact Type: Elevation of Privileges, Partial Confidentiality and Availability impact
    Vulnerability Type: Elevation of Privilege
    CVSS Base Score Vector: (AV:L/AC:H/Au:S/C:P/I:P/A:N)

    Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
    Online Calculator: http://nvd.nist.gov/cvss.cfm?calculator&version=2

    The following versions of BEA JRockit are affected by these vulnerabilities:

    • BEA JRockit R24: JRockit 1.4.2_04 R24.3 to 1.4.2_08 R24.5
    • BEA JRockit R25: JRockit 1.5.0 R25.0 to 1.5.0_03 R25.2

    II. SUGGESTED ACTION

    Only customers using Java Web Start or the Java Plug-in for browsers, which are available only in BEA JRockit versions R24 and R25, are affected. You can verify your version of BEA JRockit by running “java -version”. BEA recommends upgrading to the latest version of BEA JRockit. If your company needs to use the Java Plug-In or Java Web Start, please contact BEA support.
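One way to automate the version check across an inventory of hosts, as an added example that is not BEA's own tooling. The sample banners are constructed, and the assumption is that the `java -version` banner contains a release token such as `R24.4.0` or `R25.2.0-28`.

```python
import re

# Inclusive affected ranges (major, minor) as listed in this advisory.
AFFECTED = {
    24: ((24, 3), (24, 5)),  # JRockit 1.4.2_04 R24.3 to 1.4.2_08 R24.5
    25: ((25, 0), (25, 2)),  # JRockit 1.5.0 R25.0 to 1.5.0_03 R25.2
}

# Assumption: the banner contains a release token such as "R24.4.0" or "R25.2.0-28".
RELEASE_RE = re.compile(r"\bR(\d{2})\.(\d+)")

def classify(banner: str) -> str:
    """Classify `java -version` output against the advisory's affected ranges."""
    if "jrockit" not in banner.lower():
        return "not-jrockit"
    match = RELEASE_RE.search(banner)
    if match is None:
        return "unknown-release"
    release = (int(match.group(1)), int(match.group(2)))
    bounds = AFFECTED.get(release[0])
    if bounds and bounds[0] <= release <= bounds[1]:
        # Exposure additionally requires Java Web Start or the Java Plug-in to be in use.
        return "affected"
    if release[0] >= 26:
        return "not-affected"  # advisory: R26 and later are not affected
    return "not-listed"  # release falls outside the ranges the advisory lists

# Constructed sample banners (java -version prints its banner on stderr).
SAMPLES = {
    "r24_4": 'java version "1.4.2_05"\nBEA WebLogic JRockit(TM) 1.4.2_05 JVM R24.4.0-1',
    "r25_2": 'java version "1.5.0_03"\nBEA WebLogic JRockit(R) (build R25.2.0-28)',
    "r26_4": 'java version "1.5.0_06"\nBEA JRockit(R) (build R26.4.0-63)',
    "r24_2": 'java version "1.4.2_03"\nBEA WebLogic JRockit(TM) JVM R24.2.0',
    "other": 'java version "1.5.0_13"\nJava HotSpot(TM) Client VM (build 1.5.0_13-b05)',
}

if __name__ == "__main__":
    for name, banner in SAMPLES.items():
        print(f"{name}: {classify(banner)}")
```

When collecting real banners, capture stderr (for example `java -version 2>&1`), since the banner is not written to stdout.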

    BEA strongly suggests that customers apply the remedies recommended in all our security advisories. BEA also urges customers to apply every Service/Maintenance Pack as it is released. Service/Maintenance Packs include a roll-up of all bug fixes for each version of the product, as well as each of the prior Service/Maintenance Packs. Service/Maintenance Packs and information about them can be found at:

    BEA JRockit: http://commerce.bea.com/products/weblogicjrockit/jrockit_prod_fam.jsp

    WebLogic Server: http://commerce.bea.com/showallversions.jsp?family=WLS

    WebLogic Platform: http://commerce.bea.com/showallversions.jsp?family=WLP

    Note: Information about securing WebLogic Server and WebLogic Express can be found at: http://edocs.bea.com/wls/docs100/security.html. Specific lockdown information is provided at http://edocs.bea.com/wls/docs100/lockdown/index.html. We strongly encourage you to review this documentation to ensure your server deployment is securely configured.


    III. FUTURE SECURITY COMMUNICATIONS

    If there are security-related issues with a BEA product, BEA Systems generally distributes an advisory and instructions with a recommended course of action. Because the security of your site, data, and code is a high priority, we are committed to generally communicating security-related issues to our customers and partners.

    All previous advisories and notifications can be viewed at http://dev2dev.bea.com/advisories/

    BEA Systems has established an opt-in emailing list specifically targeted for product security advisories and notifications. As a policy, if a user has opted-in to our emailing list and there is a relevant security issue with the BEA product(s) he/she is using, BEA generally distributes an advisory and instructions via email with a recommended course of action.

    ADDITIONAL USERS WHO WISH TO REGISTER FOR ADVISORY DISTRIBUTION SHOULD FOLLOW THE REGISTRATION DIRECTIONS AT http://dev2dev.bea.com/advisories


    IV. REPORTING SECURITY ISSUES

    Security issues can be reported to BEA Systems by sending email to secalert@bea.com or by following the directions at http://dev2dev.bea.com/advisories. If BEA has validated a reported security issue, we will endeavor to assess the severity of the impact of the security issue and the likelihood of the exploitation of the vulnerability. Based on these assessments and other factors, BEA will endeavor to develop and appropriately prioritize a workaround or patch designed to reduce or eliminate the risk of the vulnerability.

    If you have any questions or care to verify the authenticity of this advisory, please contact BEA Technical Support at support@bea.com.

    Thank you,
    BEA Systems, Inc.