|
 |
|
Java JRE/JDK JSSE DoS and Untrusted Applets Network Security Bypass
|
|
|
|
|
Secunia Advisory:
|
SA26015
|
|
|
Release Date:
|
2007-07-11
|
|
Last Update:
|
2007-10-30
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Security Bypass
DoS
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | Java Secure Socket Extension (JSSE) 1.x
Sun Java JDK 1.5.x
Sun Java JDK 1.6.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java JRE 1.6.x / 6.x
Sun Java SDK 1.4.x
|
| | CVE reference: | CVE-2007-3698 (Secunia mirror)
CVE-2007-3922 (Secunia mirror)
|
|
|
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS! |
|
|
Description:
Some vulnerabilities and a security issue have been reported in Java JRE/JDK, which can be exploited by malicious people to bypass certain security restrictions or to cause a DoS (Denial of Service).
1) An error exists in the Java Secure Socket Extension (JSSE) when processing SSL/TLS handshake requests and can be exploited to cause a DoS on an affected system that listens for SSL/TLS connections using JSSE for SSL/TLS support.
2) An error exists within the Java Runtime Environment Applet Class Loader, which can be exploited to establish network connections to certain services running on the local host by e.g. tricking a user into loading an untrusted applet from a remote system.
The vulnerability and the security issue affect the following versions for Solaris, Linux, and Windows:
* JDK and JRE 6 Update 1 and earlier
* JDK and JRE 5.0 Updates 7, 8, 9, 10, and 11
* SDK and JRE 1.4.2_11, _12, _13, and _14
Do you have this product installed on your home computer? Scan using the free Personal Software Inspector. Check if a vulnerable version is installed on computers in your corporate network, using the Network Software Inspector.
Solution:
Update to the latest versions:
JDK and JRE 6 Update 2 or later:
http://java.sun.com/javase/downloads/index.jsp
JDK and JRE 5.0 Update 12 and later:
http://java.sun.com/j2se/1.5.0/download.jsp
SDK and JRE 1.4.2_15 and later:
http://java.sun.com/j2se/1.4.2/download.html
Provided and/or discovered by:
1) The vendor credits Cisco Systems.
2) John Heasman, NGSSoftware
Changelog:
2007-07-19: Added vulnerability #2.
2007-07-26: Added CVE reference.
2007-07-27: Added CVE reference.
2007-10-30: Added reporter link for vulnerability #2 to the "Original Advisory" section.
Original Advisory:
1) http://sunsolve.sun.com/search/document.do?assetkey=1-26-102997-1
2) Sun Microsystems:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102995-1
NGSSoftware:
http://www.ngssoftware.com/advisories...vulnerability-in-java-browser-plugin/
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
46 Related Secunia Security Advisories, displaying 10
|
|
|
1. Sun Java JDK / JRE Multiple Vulnerabilities
|
|
2. Sun Java JDK / JRE Multiple Vulnerabilities
|
|
3. Sun JRE Applet Handling Two Vulnerabilities
|
|
4. Sun Java Runtime Environment External XML Entities Security Bypass
|
|
5. Sun JRE Applet Handling Vulnerability
|
|
6. Sun Java JRE Multiple Vulnerabilities
|
|
7. Sun JRE Font Parsing Vulnerability
|
|
8. Sun Java JRE/JDK Processing of XSLT Stylesheets in XML Signatures Vulnerability
|
|
9. Sun Java Web Start JNLP File Processing Buffer Overflow
|
|
10. Sun Java Web Start Untrusted Application Arbitrary File Overwrite
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
|
|
Secunia PSI
Scan | Patch | Track
Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|
