US-CERT: United States Computer Emergency Readiness Team
Technical Cyber Security Alert TA08-193A
Sun Java Updates for Multiple Vulnerabilities
Original release date: July 11, 2008Last revised:
Source: US-CERT
Systems Affected
Sun Java Runtime Environment versions- JDK and JRE 6 Update 6 and earlier
- JDK and JRE 5.0 Update 15 and earlier
- SDK and JRE 1.4.2_17 and earlier
- SDK and JRE 1.3.1_22 and earlier
Overview
Sun has released alerts to address multiple vulnerabilities affecting the Sun Java Runtime Environment. The most severe of these vulnerabilities could allow a remote attacker to execute arbitrary code.
I. Description
The Sun Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Sun has released updates to the Java Runtime Environment software to address multiple vulnerabilities. Further details about these vulnerabilities are available in the US-CERT Vulnerability Notes Database.
Sun released the following alerts to address these issues:
- 238628 Security Vulnerabilities in the Java Runtime Environment related to the processing of XML Data
- 238666 A Security Vulnerability with the processing of fonts in the Java Runtime Environment may allow Elevation of Privileges
- 238687 Security Vulnerabilities in the Java Runtime Environment Scripting Language Support
- 238905 Multiple Security Vulnerabilities in Java Web Start may allow Privileges to be Elevated
- 238965 Security Vulnerability in Java Management Extensions (JMX)
- 238966 Security Vulnerability in JDK/JRE Secure Static Versioning
- 238967 Security Vulnerability in the Java Runtime Environment Virtual Machine may allow an untrusted Application or Applet to Elevate Privileges
- 238968 Security Vulnerabilities in the Java Runtime Environment may allow Same Origin Policy to be Bypassed
II. Impact
The impacts of these vulnerabilities vary. The most severe of these vulnerabilities allows a remote attacker to execute arbitrary code.
III. Solution
Apply an update from Sun
These issues are addressed in the following versions of the Sun Java Runtime environment:
- JDK and JRE 6 Update 7
- JDK and JRE 5.0 Update 16
- SDK and JRE 1.4.2_18
- SDK and JRE 1.3.1_23
If you install the latest version of Java, older versions may remain installed on your computer. If you do not need these older versions, you can remove them by following Sun's instructions.
Disable Java
Disable Java in your web browser, as described in the Securing Your Web Browser document. While this does not fix the underlying vulnerabilities, it does block a common attack vector.
IV. References
- Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/>
- Sun Alert 238628 - <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238628-1>
- Sun Alert 238666 - <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238666-1>
- Sun Alert 238687 - <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238687-1>
- Sun Alert 238905 - <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238905-1>
- Sun Alert 238965 - <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238965-1>
- Sun Alert 238966 - <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238966-1>
- Sun Alert 238967 - <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238967-1>
- Sun Alert 238968 - <http://sunsolve.sun.com/search/document.do?assetkey=1-66-238968-1>
- Java SE Technologies at a Glance - <http://java.sun.com/javase/technologies/>
- Java SE Security - <http://java.sun.com/javase/technologies/security/index.jsp>
- Can I remove older versions of the JRE after installing a newer version? - <http://www.java.com/en/download/faq/5000070400.xml>
Feedback can be directed to US-CERT.
Produced 2008 by US-CERT, a government organization. Terms of use
Revision History
July 11, 2008: Initial release
Get Adobe Reader