Sun Java JRE External XML Entities Restriction Bypass (231246) (Unix)

This script is Copyright (C) 2013 Tenable Network Security, Inc.


Synopsis :

The remote Unix host has an application that is affected by a security
bypass vulnerability.

Description :

According to its version number, the Sun Java Runtime Environment (JRE)
installed on the remote host reportedly allows processing of external
entity references even when the 'external general entities' property is
set to 'FALSE'. This could allow an application to access certain URL
resources, such as files or web pages, or to launch a denial of service
attack against the system.

Note that successful exploitation requires that specially crafted XML
data be processed by a trusted application rather than by an untrusted
applet or Java Web Start application.

See also :

http://archives.neohapsis.com/archives/bugtraq/2008-02/0007.html
http://download.oracle.com/sunalerts/1018967.1.html

Solution :

Upgrade to Sun JDK and JRE 6 Update 4 or later.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:P)
CVSS Temporal Score : 3.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Misc.

Nessus Plugin ID: 64825 ()

Bugtraq ID: 27553

CVE ID: CVE-2008-0628