JVNDB-2008-000016

Sun Java Runtime Environment (JRE) contains a vulnerability in processing XSLT transformations

Overview
The Sun Microsystems Java Runtime Environment (JRE) contains a vulnerability that could allow privilege escalation during the processing of XSLT transformations.
The Sun Microsystems Java Runtime Environment (JRE) contains a vulnerability that could allow a remote attacker to elevate privileges via an untrusted applet or application, downloaded from a website, that performs XSLT transformations on XML documents.

CVSS V2 Severity: Base Metrics 6.8 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial

Affected Products
Apple Inc.
- Apple Mac OS X v10.4.11
- Apple Mac OS X v10.5.4 through v10.5.5
- Apple Mac OS X Server v10.4.11
- Apple Mac OS X Server v10.5.4 through v10.5.5
Sun Microsystems, Inc.
- JDK 6 Update 4 and earlier
- JDK 5.0 Update 14 and earlier
- JRE 6 Update 4 and earlier
- JRE 5.0 Update 14 and earlier
- JRE 1.4.2_16 and earlier
- SDK 1.4.2_16 and earlier
MIRACLE LINUX CORPORATION
- Asianux Server 3 (x86)
- Asianux Server 3 (x86-64)
Red Hat, Inc.
- Red Hat Enterprise Linux Extras 4 extras
- Red Hat Enterprise Linux Extras 3 extras
- RHEL Desktop Supplementary 5 (client)
- RHEL Supplementary 5 (server)
Hitachi, Ltd
- uCosminexus Application Server Enterprise
- uCosminexus Application Server Standard
- uCosminexus Client
- uCosminexus Developer Professional
- uCosminexus Developer Standard
- uCosminexus Operator
- uCosminexus Service Platform
- uCosminexus Service Architect
- Electronic Form Workflow Set
- Electronic Form Workflow Professional Set
- Electronic Form Workflow Developer Set
- Electronic Form Workflow Standard Set
- Electronic Form Workflow Professional Library Set
- Electronic Form Workflow Developer Client Set

Impact
The impact varies depending on the version of JRE.
If a user downloads from a website an untrusted applet that performs XSLT transformations, a remote attacker could, through that applet running in the web browser, view local files, execute arbitrary code, or cause the user's web browser to terminate.

Solution
[Update the Software]
Sun Microsystems has released JDK and JRE 6 Update 5, JDK and JRE 5.0 Update 15, and SDK and JRE 1.4.2_17 to address this vulnerability. Affected users are advised to update to the fixed versions as soon as possible.

Vendor Information
Apple Inc.
Sun Microsystems, Inc.
MIRACLE LINUX CORPORATION
Red Hat, Inc.
Hitachi, Ltd
- Hitachi Software Vulnerability Information : HS08-010

CWE
- Permissions (CWE-264) [IPA Evaluation]

CVE
- CVE-2008-1187

References
- JVN : JVNTA08-066A
- JVN : JVN#04032535
- JVN Status Tracking Notes : TRTA08-066A
- National Vulnerability Database (NVD) : CVE-2008-1187
- IPA SECURITY ALERTS : Security Alert for Vulnerability In Sun JRE (Java Runtime Environment) XSLT Transformations
- US-CERT Cyber Security Alerts : SA08-066A
- US-CERT Technical Cyber Security Alert : TA08-066A
- Secunia Advisory : SA29273
- SecurityFocus : 28083
- ISS X-Force Database : 41025
- SecurityTracker : 1019548
- FrSIRT Advisories : FrSIRT/ADV-2008-0770
- JVN iPedia (Japanese) : JVNDB-2008-000016

Revision History
[2008/05/21]
Web page published
[2008/06/06]
Affected Products : Added Hitachi, Ltd (HS08-010).
Vendor Information : Added Red Hat, Inc. (RHSA-2008:0243, RHSA-2008:0244, RHSA-2008:0245, RHSA-2008:0267).
Vendor Information : Added Hitachi, Ltd (HS08-010).
[2008/07/30]
Affected Products : Added Red Hat, Inc. (RHSA-2008:0555).
Vendor Information : Added Red Hat, Inc. (RHSA-2008:0555).
[2008/10/09]
Affected Products : Added Apple Inc. (Java for Mac OS X 10.4, Release 7; Java for Mac OS X 10.5 Update 2).
Vendor Information : Added Apple Inc. (Java for Mac OS X 10.4, Release 7; Java for Mac OS X 10.5 Update 2).