Java Web Start may insecurely load dynamic libraries


Java Web Start provided by Oracle may use unsafe methods for determining how to load DLLs.

Java Web Start is a tool to distribute Java applications over the web and is contained in Java applications such as JRE (Java Runtime Environment). Java Web Start contains an issue with the DLL search path, which may lead to insecurely loading dynamic libraries.

Hisashi Kojima of Fujitsu Laboratories, Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.
CVSS Severity

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Sun Microsystems, Inc.
  • JDK 6 Update 25 and earlier for Windows
  • JDK 5 Update 29 and earlier for Windows
  • JRE 6 Update 25 and earlier for Windows
  • SDK 1.4.2_31 and earlier for Windows
Hewlett-Packard Development Company, L.P
  • HP Systems Insight Manager prior to v7.0


An attacker may execute arbitrary code with the privilege of the running application.

[Update the software]
Update to the latest version according to the information provided by the developer.
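
To find installations that still need the update, the following added example (not part of the original advisory or any vendor tooling) classifies collected `java -version` banners against the Affected Products list above. The host names and inventory rows are constructed, and mapping "JDK 6", "JDK 5" and "SDK 1.4.2" to the 1.6.0, 1.5.0 and 1.4.2 version strings is an assumption of the example.

```python
import re

# Highest affected update per release family, from the Affected Products list
# on this page (JDK/JRE 6 -> 1.6.0, JDK 5 -> 1.5.0, SDK 1.4.2).
LAST_AFFECTED_UPDATE = {(1, 6, 0): 25, (1, 5, 0): 29, (1, 4, 2): 31}

# Legacy banner format, e.g.: java version "1.6.0_24"
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_version(banner):
    """Return ((major, minor, micro), update) from `java -version` text, or None."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    family = tuple(int(g) for g in m.group(1, 2, 3))
    return family, int(m.group(4) or 0)  # no "_NN" suffix is the initial release


def classify(os_name, banner):
    """Return 'affected', 'newer-than-listed', 'not-listed' or 'unparsed'.

    The page lists Windows builds of three release families only."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unparsed"
    family, update = parsed
    if os_name.lower() != "windows" or family not in LAST_AFFECTED_UPDATE:
        return "not-listed"
    if update <= LAST_AFFECTED_UPDATE[family]:
        return "affected"
    return "newer-than-listed"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(os_name, banner) for host, os_name, banner in inventory}


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-01", "Windows", 'java version "1.6.0_25"'),
    ("ws-02", "Windows", 'java version "1.6.0_26"'),
    ("ws-03", "Windows", 'java version "1.5.0"'),
    ("lx-01", "Linux", 'java version "1.6.0_20"'),
    ("ws-05", "Windows", "java: command not found"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unparsed" or "not-listed" are outside what this page covers and need a separate check against the vendor information.
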
Vendor Information

  • Oracle Corporation
  • Hewlett-Packard Development Company, L.P
CWE

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2011-0866

  1. JVN : JVN#18680611
  2. National Vulnerability Database (NVD) : CVE-2011-0866
  3. IPA SECURITY ALERTS : Security Alert for Multiple Vulnerabilities in Java Web Start
Revision History

  Web page published
  Affected Products : Product was added (HPSBMU02769 SSRT100846)
  Vendor Information : Content was added (HPSBMU02769 SSRT100846)