From:CERT <cert_(at)_cert.gov>
Date:07.03.2008
Subject:US-CERT Technical Cyber Security Alert TA08-066A -- Sun Updates for Multiple Vulnerabilities in Java



       National Cyber Alert System

  Technical Cyber Security Alert TA08-066A


Sun Updates for Multiple Vulnerabilities in Java

  Original release date: March 6, 2008
  Last revised: --
  Source: US-CERT


Systems Affected

  Sun Java Runtime Environment versions
    * JDK and JRE 6 Update 4 and earlier
    * JDK and JRE 5.0 Update 14 and earlier
    * SDK and JRE 1.4.2_16 and earlier
    * SDK and JRE 1.3.1_21 and earlier


Overview

  Sun has released alerts to address multiple vulnerabilities affecting
  the Sun Java Runtime Environment. The most severe of these
  vulnerabilities could allow a remote attacker to execute arbitrary
  code.


I. Description

  The Sun Java Runtime Environment (JRE) allows users to run Java
  applications in a browser or as standalone programs. Sun has released
  updates to the Java Runtime Environment software to address multiple
  vulnerabilities. Further details about these vulnerabilities are
  available in the US-CERT Vulnerability Notes Database.

  Sun released the following alerts to address these issues:
    * 233321 Two Security Vulnerabilities in the Java Runtime
      Environment Virtual Machine

    * 233322 Security Vulnerability in the Java Runtime Environment With
      the Processing of XSLT Transformations

    * 233323 Multiple Security Vulnerabilities in Java Web Start May
      Allow an Untrusted Application to Elevate Privileges

    * 233324 A Security Vulnerability in the Java Plug-in May Allow an
      Untrusted Applet to Elevate Privileges

    * 233325 Vulnerabilities in the Java Runtime Environment Image
      Parsing Library

    * 233326 Security Vulnerability in the Java Runtime Environment May
      Allow Untrusted JavaScript Code to Elevate Privileges Through Java
      APIs

    * 233327 Buffer Overflow Vulnerability in Java Web Start May Allow
      an Untrusted Application to Elevate its Privileges


II. Impact

  The impacts of these vulnerabilities vary. The most severe of these
  vulnerabilities allows a remote attacker to execute arbitrary code.


III. Solution

Apply an update from Sun

  These issues are addressed in the following versions of the Sun Java
  Runtime Environment:
    * JDK and JRE 6 Update 5 or later
    * JDK and JRE 5.0 Update 15 or later
    * SDK and JRE 1.4.2_17 or later
    * SDK and JRE 1.3.1_21 and earlier

  If you install the latest version of Java, older versions of Java may
  remain installed on your computer. If these versions of Java are not
  needed, you may wish to remove them. For instructions on how to remove
  older versions of Java, refer to the following instructions from Sun.
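  Because older JREs can stay installed alongside the update, a triage
  pass over `java -version` output collected from each host is the quick
  way to confirm nothing in the "Systems Affected" ranges remains. The
  check below is an added example, not part of the US-CERT alert; the
  update bounds come from the Systems Affected list above, and the host
  names and version strings are constructed sample input.

```python
import re
from typing import Optional, Tuple

# Highest affected update per release family, taken from "Systems Affected":
# JDK/JRE 6 is reported by java as 1.6.0, JDK/JRE 5.0 as 1.5.0.
AFFECTED_MAX_UPDATE = {
    (1, 6, 0): 4,    # JDK and JRE 6 Update 4 and earlier
    (1, 5, 0): 14,   # JDK and JRE 5.0 Update 14 and earlier
    (1, 4, 2): 16,   # SDK and JRE 1.4.2_16 and earlier
    (1, 3, 1): 21,   # SDK and JRE 1.3.1_21 and earlier
}

# First line of `java -version`, e.g. java version "1.6.0_04"; the _NN update
# suffix is optional because the GA build of a family prints no suffix.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

def parse_java_version(output: str) -> Optional[Tuple[Tuple[int, int, int], int]]:
    """Return ((major, minor, micro), update) or None if the output is not Java."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    family = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    update = int(m.group(4)) if m.group(4) else 0  # bare "1.6.0" is update 0
    return family, update

def is_affected(output: str) -> Optional[bool]:
    """True if the reported JRE falls in an affected range, False if it is at or
    past the bound, None if the output is unparseable or the family is not
    covered by this alert."""
    parsed = parse_java_version(output)
    if parsed is None:
        return None
    family, update = parsed
    if family not in AFFECTED_MAX_UPDATE:
        return None
    return update <= AFFECTED_MAX_UPDATE[family]

# Constructed sample output, as an inventory script might collect it per host.
SAMPLE_OUTPUTS = {
    "host-a": 'java version "1.6.0_04"',   # affected (Update 4)
    "host-b": 'java version "1.6.0_05"',   # fixed (Update 5 or later)
    "host-c": 'java version "1.5.0_14"',   # affected
    "host-d": 'java version "1.4.2_17"',   # fixed
    "host-e": 'java version "1.6.0"',      # GA build, no suffix: affected
}

def triage(samples: dict) -> dict:
    """Map each host to its verdict so the affected set can be reported."""
    return {host: is_affected(out) for host, out in samples.items()}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_OUTPUTS).items()):
        print(f"{host}: {'AFFECTED' if verdict else 'ok' if verdict is False else 'unknown'}")
```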

Disable Java

  Disable Java in your web browser, as specified in the Securing Your
  Web Browser document. While this does not fix the underlying
  vulnerabilities, it does block a common attack vector.


IV. References

    * US-CERT Vulnerability Notes for Sun Alerts -
      <http://www.kb.cert.org/vuls/byid?searchview&query=SUNJAVA_020608>


    * Securing Your Web Browser -
      <http://www.us-cert.gov/reading_room/securing_browser/>

    * Sun Alert 233321 -
      <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233321-1>

    * Sun Alert 233322 -
      <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233322-1>

    * Sun Alert 233323 -
      <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233323-1>

    * Sun Alert 233324 -
      <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233324-1>

    * Sun Alert 233325 -
      <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233325-1>

    * Sun Alert 233326 -
      <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233326-1>

    * Sun Alert 233327 -
      <http://sunsolve.sun.com/search/document.do?assetkey=1-66-233327-1>

    * Java SE Technologies at a Glance -
      <http://java.sun.com/javase/technologies/>

    * Java SE Security -
      <http://java.sun.com/javase/technologies/security/index.jsp>

    * Can I remove older versions of the JRE after installing a newer
      version? - <http://www.java.com/en/download/faq/5000070400.xml>
____________________________________________________________________

  The most recent version of this document can be found at:

    <http://www.us-cert.gov/cas/techalerts/TA08-066A.html>
____________________________________________________________________

  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <cert@cert.org> with "TA08-066A Feedback VU#223028" in the
  subject.
____________________________________________________________________

  For instructions on subscribing to or unsubscribing from this
  mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

  Produced 2008 by US-CERT, a government organization.

  Terms of use:

    <http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

  March 6, 2008: Initial release
