JVNDB-2011-000033

Java Web Start may insecurely load policy files

Overview

Java Web Start provided by Oracle may use unsafe methods for determining how to load policy files.

Java Web Start is a tool to distribute Java applications over the web and is contained in Java applications such as JRE (Java Runtime Environment). Java Web Start contains an issue with the file search path, which may insecurely load policy files.

Hisashi Kojima of Fujitsu Laboratories, Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products


Sun Microsystems, Inc.
  • JDK 6 Update 25 and earlier for Windows
  • JRE 6 Update 25 and earlier for Windows
Hewlett-Packard Development Company, L.P
  • HP Systems Insight Manager prior to v7.0

Impact

An attacker may execute arbitrary code with the privilege of the running application.

Solution

[Update the software]
Update to the latest version according to the information provided by the developer.

Vendor Information

  • Oracle Corporation
  • Hewlett-Packard Development Company, L.P

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2011-0788

References

  1. JVN : JVN#29212182
  2. National Vulnerability Database (NVD) : CVE-2011-0788
  3. IPA SECURITY ALERTS : Security Alert for Multiple Vulnerabilities in Java Web Start

Revision History

[2011/06/10]
  Web page published
[2013/03/29]
  Affected Products : Product was added (HPSBMU02769 SSRT100846)
  Vendor Information : Content was added (HPSBMU02769 SSRT100846)