US-CERT Technical Cyber Security Alert TA08-066A -- Sun Updates for Multiple Vulnerabilities in Java

07/03/08, US-CERT Technical Cyber Security Alert TA08-066A -- Sun Updates for Multiple Vulnerabilities in Java
From: CERT Advisory <cert-advisory@cert.org>



To: cert-advisory@cert.org
Subject: US-CERT Technical Cyber Security Alert TA08-066A -- Sun Updates for Multiple Vulnerabilities in Java
From: CERT Advisory <cert-advisory@cert.org>
Date: Thu, 6 Mar 2008 16:05:59 -0500
List-archive: <http://www.cert.org/>
List-help: <http://www.cert.org/>, <mailto:Majordomo@cert.org?body=help>
List-owner: <mailto:cert-advisory-owner@cert.org>
List-post: NO (posting not allowed on this list)
List-unsubscribe: <mailto:Majordomo@cert.org?body=unsubscribe%20cert-advisory>
Organization: CERT(R) Coordination Center - +1 412-268-7090

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

        National Cyber Alert System

   Technical Cyber Security Alert TA08-066A


Sun Updates for Multiple Vulnerabilities in Java

   Original release date: March 6, 2008
   Last revised: --
   Source: US-CERT


Systems Affected

   Sun Java Runtime Environment versions
     * JDK and JRE 6 Update 4 and earlier
     * JDK and JRE 5.0 Update 14 and earlier
     * SDK and JRE 1.4.2_16 and earlier
     * SDK and JRE 1.3.1_21 and earlier


Overview

   Sun  has released alerts to address multiple vulnerabilities affecting
   the   Sun   Java   Runtime  Environment.  The  most  severe  of  these
   vulnerabilities  could  allow  a  remote attacker to execute arbitrary
   code.


I. Description

   The  Sun  Java  Runtime  Environment  (JRE)  allows  users to run Java
   applications  in a browser or as standalone programs. Sun has released
   updates  to  the Java Runtime Environment software to address multiple
   vulnerabilities.  Further  details  about  these  vulnerabilities  are
   available in the US-CERT Vulnerability Notes Database.

   Sun released the following alerts to address these issues:
     * 233321   Two   Security   Vulnerabilities   in  the  Java  Runtime
       Environment Virtual Machine

     * 233322 Security Vulnerability in the Java Runtime Environment With
       the Processing of XSLT Transformations

     * 233323  Multiple  Security  Vulnerabilities  in Java Web Start May
       Allow an Untrusted Application to Elevate Privileges

     * 233324  A  Security Vulnerability in the Java Plug-in May Allow an
       Untrusted Applet to Elevate Privileges

     * 233325  Vulnerabilities  in  the  Java  Runtime  Environment  Image
       Parsing Library

     * 233326  Security Vulnerability in the Java Runtime Environment May
       Allow Untrusted JavaScript Code to Elevate Privileges Through Java
       APIs

     * 233327  Buffer  Overflow Vulnerability in Java Web Start May Allow
       an Untrusted Application to Elevate its Privileges


II. Impact

   The  impacts  of  these vulnerabilities vary. The most severe of these
   vulnerabilities allows a remote attacker to execute arbitrary code.


III. Solution

Apply an update from Sun

   These  issues  are addressed in the following versions of the Sun Java
   Runtime environment:
     * JDK and JRE 6 Update 5 or later
     * JDK and JRE 5.0 Update 15 or later
     * SDK and JRE 1.4.2_17 or later
     * SDK and JRE 1.3.1_22 or later

   If you install the latest version of Java, older versions of Java may
   remain installed on your computer and are still vulnerable. If these
   versions of Java are not needed, you may wish to remove them. For
   instructions on how to remove older versions of Java, refer to Sun's
   FAQ entry listed in the References section.
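
   Because an upgrade can leave older JREs in place, a host is only clean
   when every installed JDK or JRE is at or beyond the fixed version for
   its family. The following Python script is an added example and is not
   part of the US-CERT advisory or Sun's tooling. It parses Sun-style
   version strings as printed by `java -version` (for example "1.6.0_04"
   or "1.5.0_15-b04") and classifies each one against the fixed versions
   in section III; the 1.3.1 threshold used is 1.3.1_22, the first 1.3.1
   release after the last affected release (1.3.1_21) listed under Systems
   Affected. The host inventory is constructed sample data.

```python
"""Classify installed Sun JDK/JRE versions against the fixes in TA08-066A.

Added example, not part of the US-CERT advisory. Version strings follow the
old Sun format printed by `java -version`, e.g. 1.6.0_04 or 1.5.0_15-b04.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# First fixed update per release family (section III of the advisory).
# Family = (major, minor, micro) of the version string; value = update number.
FIXED_UPDATE: Dict[Tuple[int, int, int], int] = {
    (1, 6, 0): 5,    # JDK/JRE 6 Update 5
    (1, 5, 0): 15,   # JDK/JRE 5.0 Update 15
    (1, 4, 2): 17,   # SDK/JRE 1.4.2_17
    (1, 3, 1): 22,   # SDK/JRE 1.3.1_22: first release after affected 1.3.1_21
}

# Accepts 1.6.0_05, 1.6.0_05-b13, 1.7.0-ea; update and build parts are optional.
_VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$')


class JavaVersion(NamedTuple):
    family: Tuple[int, int, int]
    update: int


def parse_java_version(text: str) -> Optional[JavaVersion]:
    """Parse a version string; returns None when the format is not recognised."""
    m = _VERSION_RE.match(text.strip().strip('"'))
    if not m:
        return None
    major, minor, micro, update = m.groups()
    # A bare "1.6.0" is the GA release, i.e. update 0, which predates every fix.
    return JavaVersion((int(major), int(minor), int(micro)), int(update or 0))


def status(version: str) -> str:
    """'fixed', 'vulnerable', or 'unknown' for families this advisory does not cover."""
    v = parse_java_version(version)
    if v is None or v.family not in FIXED_UPDATE:
        return 'unknown'
    return 'fixed' if v.update >= FIXED_UPDATE[v.family] else 'vulnerable'


def version_from_java_output(output: str) -> Optional[str]:
    """Pull the quoted version out of the first line of `java -version` output."""
    m = re.search(r'java version "([^"]+)"', output)
    return m.group(1) if m else None


def audit(inventory: Dict[str, List[str]]) -> Dict[str, Tuple[bool, List[Tuple[str, str]]]]:
    """Map host -> (needs_action, [(version, status), ...]).

    A host needs action if ANY installed JDK/JRE is vulnerable: the advisory
    notes that older versions can remain installed after a newer one is added.
    """
    report: Dict[str, Tuple[bool, List[Tuple[str, str]]]] = {}
    for host, versions in inventory.items():
        findings = [(v, status(v)) for v in versions]
        report[host] = (any(s == 'vulnerable' for _, s in findings), findings)
    return report


# Constructed sample inventory (hypothetical hosts; not from the advisory).
SAMPLE_INVENTORY: Dict[str, List[str]] = {
    'ws01': ['1.6.0_05', '1.5.0_14'],   # updated, but the old 5.0 JRE was left behind
    'ws02': ['1.6.0_05-b13'],           # fully patched
    'ws03': ['1.4.2_16', '1.7.0-ea'],   # vulnerable 1.4.2 plus a family not covered here
}

if __name__ == '__main__':
    for host, (needs_action, findings) in audit(SAMPLE_INVENTORY).items():
        flag = 'NEEDS ACTION' if needs_action else 'ok'
        print(f'{host}: {flag}  {findings}')
```

   In practice the inventory would be filled from `java -version` output
   (via `version_from_java_output`) or from the installed-software records
   on each host; the point of `audit` is that a single leftover
   vulnerable JRE flags the host, which is what the removal advice above
   is about.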

Disable Java

   Disable Java in your web browser, as specified in the Securing Your
   Web Browser document. While this does not fix the underlying
   vulnerabilities, it does block a common attack vector. It is a
   mitigation, not a substitute for the update: it does not address the
   Java Web Start issues (Sun Alerts 233323 and 233327) or standalone
   Java programs, which still run on the installed JRE.


IV. References

     * US-CERT Vulnerability Notes for Sun Alerts -
       <http://www.kb.cert.org/vuls/byid?searchview&query=SUNJAVA_020608>

     * Securing Your Web Browser -
       <http://www.us-cert.gov/reading_room/securing_browser/>

     * Sun Alert 233321 -
       <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233321-1>

     * Sun Alert 233322 -
       <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233322-1>

     * Sun Alert 233323 -
       <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1>

     * Sun Alert 233324 -
       <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233324-1>

     * Sun Alert 233325 -
       <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233325-1>

     * Sun Alert 233326 -
       <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233326-1>

     * Sun Alert 233327 -
       <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233327-1>

     * Java SE Technologies at a Glance -
       <http://java.sun.com/javase/technologies/>

     * Java SE Security -
       <http://java.sun.com/javase/technologies/security/index.jsp>

     * Can  I  remove  older versions of the JRE after installing a newer
       version? - <http://www.java.com/en/download/faq/5000070400.xml>
 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA08-066A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA08-066A Feedback VU#223028" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2008 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   March 6, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBR9BZrfRFkHkM87XOAQLTzQgAnYzrhCIWEuWRlfH8tVWZl159MZ+vEX5Z
TYwjqClljWyy8edzxNWRUV0pqHVe799hJtRA1luKgTEOWqOtXLrw6/AGdpIf+3CB
ikiAEQR4Cirvt5lHRrlZjMG7eBPZwGQtFgHxzVrEE2lwDl5UDGejMDz+rTwJCm7/
HWBkktM7suHWpZu9jKFpfnizFTbzRSXw/CcALe/FwFxjND3hBjnDWv2Gu7bmMaEA
7a/Q8IJ8mNiU6ZIYdriQEVZHZs6IHtzyw39Qh9NpL+NAGuBxna4MXAOtqoIR1Rvt
FyzZUfjMvEBSKHvA6VWrWmt/JlaSlcVUZB7jRIyInYTvbYPwAnylXg==
=U6aE
-----END PGP SIGNATURE-----
