Skip to content

Home  |   FAQ  |   Contact  |   Privacy & Use

customize
National Cyber Alert System
Technical Cyber Security Alert TA08-340A archive

Sun Java Updates for Multiple Vulnerabilities

Original release date: December 05, 2008
Last revised: --
Source: US-CERT

Systems Affected

Sun Java Runtime Environment versions

  • JDK and JRE 6 Update 10 and earlier
  • JDK and JRE 5.0 Update 16 and earlier
  • SDK and JRE 1.4.2_18 and earlier
  • SDK and JRE 1.3.1_23 and earlier

Overview

Sun has released alerts to address multiple vulnerabilities affecting the Sun Java Runtime Environment. The most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code.


I. Description

The Sun Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Sun has released updates to the Java Runtime Environment software to address multiple vulnerabilities. 

Sun released the following alerts to address these issues: 

  • 244986 :   The Java Runtime Environment Creates Temporary Files That Have "Guessable" File Names
  • 244987 :   Java Runtime Environment (JRE) Buffer Overflow Vulnerabilities in Processing Image Files and Fonts May Allow Applets or Java Web Start Applications to Elevate Their Privileges 
  • 244988 :   Multiple Security Vulnerabilities in Java Web Start and Java Plug-in May Allow Privilege Escalation 
  • 244989 :   The Java Runtime Environment (JRE) "Java Update" Mechanism Does Not Check the Digital Signature of the JRE that it Downloads 
  • 244990 :   A Buffer Overflow Vulnerability in the Java Runtime Environment (JRE) May Allow Privileges to be Escalated 
  • 244991 :   A Security Vulnerability in the Java Runtime Environment (JRE) Related to Deserializing Calendar Objects May Allow Privileges to be Escalated 
  • 245246 :   The Java Runtime Environment UTF-8 Decoder May Allow Multiple Representations of UTF-8 Input
  • 246266 :   Security Vulnerability in Java Runtime Environment May Allow Applets to List the Contents of the Current User's Home Directory
  • 246286 :   Security Vulnerability in the Java Runtime Environment With Processing RSA Public Keys
  • 246346 :   A Security Vulnerability in Java Runtime Environment (JRE) With Authenticating Users Through Kerberos May Lead to a Denial of Service (DoS)
  • 246366 :   Security Vulnerabilities in the Java Runtime Environment (JRE) JAX-WS and JAXB Packages may Allow Privileges to be Escalated
  • 246386 :   A Security Vulnerability in Java Runtime Environment (JRE) With Parsing of Zip Files May Allow Reading of Arbitrary Memory Locations
  • 246387 :   A Security Vulnerability in the Java Runtime Environment may Allow Code Loaded From the Local Filesystem to Access LocalHost

II. Impact

The impacts of these vulnerabilities vary. The most severe of these vulnerabilities allows a remote attacker to execute arbitrary code.


III. Solution

Apply an update from Sun

These issues are addressed in the following versions of the Sun Java Runtime Environment:

  • JDK and JRE 6 Update 11
  • JDK and JRE 5.0 Update 17
  • SDK and JRE 1.4.2_19
  • SDK and JRE 1.3.1_24

If you install the latest version of Java, older versions may remain installed on your computer. If you do not need these older versions, you can remove them by following Sun's instructions.

Disable Java

Disable Java in your web browser, as described in the Securing Your Web Browser document. While this does not fix the underlying vulnerabilities, it does block a common attack vector.


IV. References


Feedback can be directed to US-CERT.

Produced 2008 by US-CERT, a government organization. Terms of use


Revision History

December 05, 2008: Initial release

Last updated December 05, 2008
print this document