JVNDB-2007-000329

Java Web Start vulnerable to execution of unauthorized system classes

Overview

Java Web Start, included in the JRE (Java Runtime Environment) from Sun Microsystems and other products, contains a vulnerability allowing unauthorized execution of system classes.

Java Web Start, included in the JRE (Java Runtime Environment) and other products, is a tool for distributing Java applications over the web. A vulnerability exists in an implementation of Java Web Start that may allow a Java Web Start application containing a malformed JAR file to execute an unauthorized system class.

CVSS Severity

CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

BEA Systems, Inc.
  • BEA JRockit R26.0.0 1.4.2_07 and earlier
  • BEA JRockit R26.0.0 1.5.0_04 and earlier
Apple Inc.
  • Apple Mac OS X v10.4.10
  • Apple Mac OS X Server v10.4.10
Allied Telesis
  • SSL VPN-Plus
  • SwimRadius
Sun Microsystems, Inc.
  • JDK 5 Update 10 and earlier
  • JRE 1.4.2 Update 13 and earlier
  • JRE 5 Update 10 and earlier
  • SDK 1.4.2 Update 13 and earlier
Red Hat, Inc.
  • Red Hat Enterprise Linux Extras 3 extras
  • Red Hat Enterprise Linux Extras 4 extras
  • RHEL Desktop Supplementary 5 (client)
  • RHEL Supplementary 5 (server)
NEC Corporation
  • TW703000 (TW850)
  • WebSAM DeploymentManager (HP-UX)

Impact

An arbitrary command or code may be executed or files on a user's computer may be overwritten, with the privilege of the user running the application.
Solution

Please update to the fixed version from the vendor.
Vendor Information

BEA Systems, Inc.
Apple Inc.
Allied Telesis
Sun Microsystems, Inc.
  • Sun Alert Notification : 102881
Red Hat, Inc.
NEC Corporation
  • NEC Security Information : NV07-014 (Japanese)
CWE

  1. Permissions(CWE-264) [NVD Evaluation]
CVE

  1. CVE-2007-2435
References

  1. JVN : JVN#44724673
  2. National Vulnerability Database (NVD) : CVE-2007-2435
  3. JPCERT REPORT : JPCERT-WR-2007-1701 (Japanese)
  4. Secunia Advisory : SA25069
  5. SecurityFocus : 23728
  6. ISS X-Force Database : 33984
  7. SecurityTracker : 1017986
  8. FrSIRT Advisories : FrSIRT/ADV-2007-1598
Revision History

  • [2008/05/21]
      Web page published
  • [2008/06/06]
      Affected Products : Allied Telesis K.K. (20080521_1).
      Vendor Information : Allied Telesis K.K. (20080521_1).