Java Web Start may insecurely load settings files


Java Web Start provided by Oracle may use unsafe methods for determining how to load settings files.

Java Web Start is a tool to distribute Java applications over the web and is included in Java applications such as the JRE (Java Runtime Environment). Java Web Start contains an issue with the file search path, which may cause it to insecurely load settings files.

Hisashi Kojima of Fujitsu Laboratories, Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendor under Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

Sun Microsystems, Inc.
  • JDK 6 Update 25 and earlier for Windows
  • JRE 6 Update 25 and earlier for Windows
Hewlett-Packard Development Company, L.P
  • HP Systems Insight Manager prior to v7.0


An attacker may execute arbitrary code with the privilege of the running application.

[Update the software]
Update to the latest version according to the information provided by the developer.
Vendor Information

  • Oracle Corporation
  • Hewlett-Packard Development Company, L.P
CWE

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2011-0786

  1. JVN : JVN#09206238
  2. National Vulnerability Database (NVD) : CVE-2011-0786
  3. IPA SECURITY ALERTS : Security Alert for Multiple Vulnerabilities in Java Web Start
Revision History

  • [2011/06/10]
      Web page published
      Affected Products : Product was added (HPSBMU02769 SSRT100846)
      Vendor Information : Content was added (HPSBMU02769 SSRT100846)