Unspecified vulnerability in the font parsing implementation in Sun JDK and JRE 5.0 Update 9 and earlier, and SDK and JRE 1.4.2_14 and earlier, allows remote attackers to perform unauthorized actions via an applet that grants certain privileges to itself.

According to its version number, the Sun Java Runtime Environment (JRE) installed on the remote host reportedly contains an issue in its font parsing code that may allow an untrusted applet to gain elevated privileges and, for example read or write local files or execute local applications.

Updated java-1.4.2-bea packages that correct several security issues and add enhancements are now available for Red Hat Enterprise Linux 4 Extras.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The BEA WebLogic JRockit 1.4.2_15 JRE and SDK contain BEA WebLogic JRockit Virtual Machine 1.4.2_15 and are certified for the Java 2 Platform, Standard Edition, v1.4.2.

A buffer overflow in the Java Runtime Environment image handling code was found. If an attacker is able to cause a server application to process a specially crafted image file, it may be possible to execute arbitrary code as the user running the Java Virtual Machine.
(CVE-2007-2788, CVE-2007-2789, CVE-2007-3004)

A denial of service flaw was discovered in the Java Applet Viewer. An untrusted Java applet could cause the Java Virtual Machine to become unresponsive. Please note that the BEA WebLogic JRockit 1.4.2_15 does not ship with a browser plug-in and therefore this issue could only be triggered by a user running the 'appletviewer' application.
(CVE-2007-3005)

A denial of service flaw was found in the way the JSSE component processed SSL/TLS handshake requests. A remote attacker able to connect to a JSSE enabled service could send a specially crafted handshake which would cause the Java Runtime Environment to stop responding to future requests. (CVE-2007-3698)

A flaw was found in the way the Java Runtime Environment processes font data. An applet viewed via the 'appletviewer' application could elevate its privileges, allowing the applet to perform actions with the same permissions as the user running the 'appletviewer' application. It may also be possible to crash a server application which processes untrusted font information from a third party.
(CVE-2007-4381)

All users of java-1.4.2-bea should upgrade to these updated packages, which contain the BEA WebLogic JRockit 1.4.2_15 release that resolves these issues.

IBM Java 1.4.2 was updated to SR10 to fix various security issues :

  - A buffer overflow vulnerability in Java Web Start may     allow an untrusted Java Web Start application that is     downloaded from a website to elevate its privileges. For     example, an untrusted Java Web Start application may     grant itself permissions to read and write local files     or execute local applications that are accessible to the     user running the untrusted application. (CVE-2008-1196)

  - A vulnerability in the Java Runtime Environment may     allow JavaScript(TM) code that is downloaded by a     browser to make connections to network services on the     system that the browser runs on, through Java APIs, This     may allow files (that are accessible through these     network services) or vulnerabilities (that exist on     these network services) which are not otherwise normally     accessible to be accessed or exploited. (CVE-2008-1195)

  - A vulnerability in the Java Plug-in may an untrusted     applet to bypass same origin policy and leverage this     flaw to execute local applications that are accessible     to the user running the untrusted applet.
    (CVE-2008-1192)

  - A vulnerability in Java Web Start may allow an untrusted     Java Web Start application to elevate its privileges.
    For example, an application may grant itself permissions     to read and write local files or execute local     applications that are accessible to the user running the     untrusted application. (CVE-2008-1190)

  - A buffer overflow vulnerability in the Java Runtime     Environment may allow an untrusted applet or application     to elevate its privileges. For example, an applet may     grant itself permissions to read and write local files     or execute local applications that are accessible to the     user running the untrusted applet. (CVE-2008-1189)

  - A vulnerability in the Java Runtime Environment with     parsing XML data may allow an untrusted applet or     application to elevate its privileges. For example, an     applet may read certain URL resources (such as some     files and web pages). (CVE-2008-1187)

  - A vulnerability in the Java Runtime Environment (JRE)     with applet caching may allow an untrusted applet that     is downloaded from a malicious website to make network     connections to network services on machines other than     the one that the applet was downloaded from. This may     allow network resources (such as web pages) and     vulnerabilities (that exist on these network services)     which are not otherwise normally accessible to be     accessed or exploited. (CVE-2007-5232)

  - A vulnerability in the Java Runtime Environment (JRE)     may allow malicious JavaScript code that is downloaded     by a browser from a malicious website to make network     connections, through Java APIs, to network services on     machines other than the one that the JavaScript code was     downloaded from. This may allow network resources (such     as web pages) and vulnerabilities (that exist on these     network services) which are not otherwise normally     accessible to be accessed or exploited. (CVE-2007-5274)

  - A second vulnerability in the JRE may allow an untrusted     applet that is downloaded from a malicious website     through a web proxy to make network connections to     network services on machines other than the one that the     applet was downloaded from. This may allow network     resources (such as web pages) and vulnerabilities (that     exist on these network services) which are not otherwise     normally accessible to be accessed or exploited.
    (CVE-2007-5273)

  - An untrusted Java Web Start application may write     arbitrary files with the privileges of the user running     the application. (CVE-2007-5236)

  - Three separate vulnerabilities may allow an untrusted     Java Web Start application to determine the location of     the Java Web Start cache. (CVE-2007-5238)

  - An untrusted Java Web Start application or Java applet     may move or copy arbitrary files by requesting the user     of the application or applet to drag and drop a file     from the Java Web Start application or Java applet     window. (CVE-2007-5239)

  - An untrusted applet may display an over-sized window so     that the applet warning banner is not visible to the     user running the untrusted applet. (CVE-2007-5240)

  - A vulnerability in the font parsing code in the Java     Runtime Environment may allow an untrusted applet to     elevate its privileges. For example, an applet may grant     itself permissions to read and write local files or     execute local applications that are accessible to the     user running the untrusted applet. (CVE-2007-4381)

  - The Java Secure Socket Extension (JSSE) that is included     in various releases of the Java Runtime Environment does     not correctly process SSL/TLS handshake requests. This     vulnerability may be exploited to create a Denial of     Service (DoS) condition to the system as a whole on a     server that listens for SSL/TLS connections using JSSE     for SSL/TLS support. (CVE-2007-3698)

Updated java-1.4.2-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 3 and 4 Extras, and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

IBM's 1.4.2 SR10 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

The Java Secure Socket Extension (JSSE) component did not correctly process SSL/TLS handshake requests. A remote attacker who is able to connect to a JSSE-based service could trigger this flaw leading to a denial-of-service. (CVE-2007-3698)

A flaw was found in the way the Java Runtime Environment processes font data. An untrusted applet could elevate its privileges, allowing the applet to perform actions with the same permissions as the logged in user. It may also be possible to crash a server application which processes untrusted font information from a third party.
(CVE-2007-4381)

The applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from.
(CVE-2007-5232)

Multiple vulnerabilities existed in Java Web Start allowing an untrusted application to determine the location of the Java Web Start cache. (CVE-2007-5238)

Untrusted Java Web Start Applications or Java Applets were able to drag and drop a file to a Desktop Application. A user-assisted remote attacker could use this flaw to move or copy arbitrary files.
(CVE-2007-5239)

The Java Runtime Environment allowed untrusted Java Applets or applications to display oversized Windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240)

Unsigned Java Applets communicating via a HTTP proxy could allow a remote attacker to violate the Java security model. A cached malicious Applet could create network connections to services on other machines.
(CVE-2007-5273)

Unsigned Applets loaded with Mozilla Firefox or Opera browsers allowed remote attackers to violate the Java security model. A cached malicious Applet could create network connections to services on other machines. (CVE-2007-5274)

All users of java-1.4.2-ibm are advised to upgrade to these updated packages, that contain IBM's 1.4.2 SR10 Java release which resolves these issues.

Updated java-1.4.2-bea packages that correct several security issues and add enhancements are now available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 Supplementary.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The BEA WebLogic JRockit 1.4.2_16 JRE and SDK contains BEA WebLogic JRockit Virtual Machine 1.4.2_16 and is certified for the Java 2 Platform, Standard Edition, v1.4.2.

A buffer overflow in the Java Runtime Environment image handling code was found. If an attacker could induce a server application to process a specially crafted image file, the attacker could potentially cause a denial-of-service or execute arbitrary code as the user running the Java Virtual Machine. (CVE-2007-2788, CVE-2007-2789)

A denial of service flaw was found in the way the JSSE component processed SSL/TLS handshake requests. A remote attacker able to connect to a JSSE enabled service could send a specially crafted handshake which would cause the Java Runtime Environment to stop responding to future requests. (CVE-2007-3698)

A flaw was found in the way the Java Runtime Environment processed font data. An applet viewed via the 'appletviewer' application could elevate its privileges, allowing the applet to perform actions with the same permissions as the user running the 'appletviewer' application. The same flaw could, potentially, crash a server application which processed untrusted font information from a third party. (CVE-2007-4381)

A flaw in the applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from.
(CVE-2007-5232)

Untrusted Java Applets were able to drag and drop files to a desktop application. A user-assisted remote attacker could use this flaw to move or copy arbitrary files. (CVE-2007-5239)

The Java Runtime Environment (JRE) allowed untrusted Java Applets or applications to display over-sized windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240)

Unsigned Java Applets communicating via a HTTP proxy could allow a remote attacker to violate the Java security model. A cached, malicious Applet could create network connections to services on other machines. (CVE-2007-5273)

Please note: the vulnerabilities noted above concerned with applets can only be triggered in java-1.4.2-bea by calling the 'appletviewer' application.

All users of java-1.4.2-bea should upgrade to these updated packages, which contain the BEA WebLogic JRockit 1.4.2_16 release which resolves these issues.

Updated java-1.5.0-bea packages that correct several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The BEA WebLogic JRockit 1.5.0_11 JRE and SDK contain BEA WebLogic JRockit Virtual Machine 1.5.0_11 and are certified for the Java 5 Platform, Standard Edition, v1.5.0.

A flaw was found in the BEA Java Runtime Environment GIF image handling. If an application processes untrusted GIF image input, it may be possible to execute arbitrary code as the user running the Java Virtual Machine. (CVE-2007-0243)

A buffer overflow in the Java Runtime Environment image handling code was found. If an attacker is able to cause a server application to process a specially crafted image file, it may be possible to execute arbitrary code as the user running the Java Virtual Machine.
(CVE-2007-2788, CVE-2007-2789, CVE-2007-3004)

A denial of service flaw was discovered in the Java Applet Viewer. An untrusted Java applet could cause the Java Virtual Machine to become unresponsive. Please note that the BEA WebLogic JRockit 1.5.0_11 does not ship with a browser plug-in and therefore this issue could only be triggered by a user running the 'appletviewer' application.
(CVE-2007-3005)

A cross site scripting (XSS) flaw was found in the Javadoc tool. An attacker could inject arbitrary content into a Javadoc generated HTML documentation page, possibly tricking a user or stealing sensitive information. (CVE-2007-3503)

A denial of service flaw was found in the way the JSSE component processed SSL/TLS handshake requests. A remote attacker able to connect to a JSSE enabled service could send a specially crafted handshake which would cause the Java Runtime Environment to stop responding to future requests. (CVE-2007-3698)

A flaw was found in the way the Java Runtime Environment processes font data. An applet viewed via the 'appletviewer' application could elevate its privileges, allowing the applet to perform actions with the same permissions as the user running the 'appletviewer' application. It may also be possible to crash a server application which processes untrusted font information from a third party.
(CVE-2007-4381)

All users of java-bea-1.5.0 should upgrade to these updated packages, which contain the BEA WebLogic JRockit 1.5.0_11 release that resolves these issues.

Updated java-1.5.0-ibm packages that correct several security issues are now available for Red Hat Enterprise Linux 4 Extras and 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

IBM's 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

A security vulnerability in the Java Web Start component was discovered. An untrusted application could elevate it's privileges, allowing it to read and write local files that are accessible to the user running the Java Web Start application. (CVE-2007-2435)

A buffer overflow in the Java Runtime Environment image handling code was found. An untrusted applet or application could use this flaw to elevate its privileges and potentially execute arbitrary code as the user running the java virtual machine. (CVE-2007-2788, CVE-2007-2789, CVE-2007-3004)

An unspecified vulnerability was discovered in the Java Runtime Environment. An untrusted applet or application could cause the java virtual machine to become unresponsive. (CVE-2007-3005)

The Javadoc tool was able to generate HTML documentation pages that contained cross-site scripting (XSS) vulnerabilities. A remote attacker could use this to inject arbitrary web script or HTML.
(CVE-2007-3503)

The Java Web Start URL parsing component contains a buffer overflow vulnerability within the parsing code for JNLP files. A remote attacker could create a malicious JNLP file that could trigger this flaw and execute arbitrary code when opened. (CVE-2007-3655)

A flaw was found in the applet class loader. An untrusted applet could use this flaw to circumvent network access restrictions, possibly connecting to services hosted on the machine that executed the applet.
(CVE-2007-3922)

All users of java-ibm-1.5.0 should upgrade to these updated packages, which contain IBM's 1.5.0 SR5a Java release that resolves these issues.

IBM Java 5 was updated to SR7 to fix various security issues :

  - A buffer overflow vulnerability in Java Web Start may     allow an untrusted Java Web Start application that is     downloaded from a website to elevate its privileges. For     example, an untrusted Java Web Start application may     grant itself permissions to read and write local files     or execute local applications that are accessible to the     user running the untrusted application. (CVE-2008-1196)

  - A vulnerability in the Java Runtime Environment may     allow JavaScript(TM) code that is downloaded by a     browser to make connections to network services on the     system that the browser runs on, through Java APIs, This     may allow files (that are accessible through these     network services) or vulnerabilities (that exist on     these network services) which are not otherwise normally     accessible to be accessed or exploited. (CVE-2008-1195)

  - Two buffer overflow vulnerabilities may allow an     untrusted applet or application to cause the Java     Runtime Environment to crash. (CVE-2008-1194)

  - A buffer overflow vulnerability in the Java Runtime     Environment image parsing code may allow an untrusted     applet or application to create a denial-of-service     condition, by causing the Java Runtime Environment to     crash. (CVE-2008-1194)

  - A buffer overflow vulnerability in the Java Runtime     Environment image parsing code allow an untrusted applet     or application to elevate its privileges. For example,     an application may grant itself permissions to read and     write local files or execute local applications that are     accessible to the user running the untrusted     application. (CVE-2008-1193)

  - A vulnerability in the Java Plug-in may an untrusted     applet to bypass same origin policy and leverage this     flaw to execute local applications that are accessible     to the user running the untrusted applet.
    (CVE-2008-1192)

  - A vulnerability in Java Web Start may allow an untrusted     Java Web Start application to elevate its privileges.
    For example, an application may grant itself permissions     to read and write local files or execute local     applications that are accessible to the user running the     untrusted application. (CVE-2008-1190)

  - A buffer overflow vulnerability in the Java Runtime     Environment may allow an untrusted applet or application     to elevate its privileges. For example, an applet may     grant itself permissions to read and write local files     or execute local applications that are accessible to the     user running the untrusted applet. (CVE-2008-1189)

  - Two buffer overflow vulnerabilities in Java Web Start     may independently allow an untrusted Java Web Start     application to elevate its privileges. For example, an     untrusted Java Web Start application may grant itself     permissions to read and write local files or execute     local applications that are accessible to the user     running the untrusted application. (CVE-2008-1188)

  - A vulnerability in the Java Runtime Environment with     parsing XML data may allow an untrusted applet or     application to elevate its privileges. For example, an     applet may read certain URL resources (such as some     files and web pages). (CVE-2008-1187)

  - A vulnerability in the Java Runtime Environment may     allow an untrusted application or applet that is     downloaded from a website to elevate its privileges. For     example, the application or applet may grant itself     permissions to read and write local files or execute     local applications that are accessible to the user     running the untrusted application or applet.
    (CVE-2008-0657)

  - A vulnerability in the Java Runtime Environment (JRE)     with applet caching may allow an untrusted applet that     is downloaded from a malicious website to make network     connections to network services on machines other than     the one that the applet was downloaded from. This may     allow network resources (such as web pages) and     vulnerabilities (that exist on these network services)     which are not otherwise normally accessible to be     accessed or exploited. (CVE-2007-5232)

  - A vulnerability in the Java Runtime Environment (JRE)     may allow malicious JavaScript code that is downloaded     by a browser from a malicious website to make network     connections, through Java APIs, to network services on     machines other than the one that the JavaScript code was     downloaded from. This may allow network resources (such     as web pages) and vulnerabilities (that exist on these     network services) which are not otherwise normally     accessible to be accessed or exploited. (CVE-2007-5274)

  - A second vulnerability in the JRE may allow an untrusted     applet that is downloaded from a malicious website     through a web proxy to make network connections to     network services on machines other than the one that the     applet was downloaded from. This may allow network     resources (such as web pages) and vulnerabilities (that     exist on these network services) which are not otherwise     normally accessible to be accessed or exploited.
    (CVE-2007-5273)

  - An untrusted Java Web Start application may write     arbitrary files with the privileges of the user running     the application. (CVE-2007-5236)

  - Three separate vulnerabilities may allow an untrusted     Java Web Start application to determine the location of     the Java Web Start cache. (CVE-2007-5238)

  - An untrusted Java Web Start application or Java applet     may move or copy arbitrary files by requesting the user     of the application or applet to drag and drop a file     from the Java Web Start application or Java applet     window. (CVE-2007-5239)

  - An untrusted applet may display an over-sized window so     that the applet warning banner is not visible to the     user running the untrusted applet. (CVE-2007-5240)

  - A vulnerability in the font parsing code in the Java     Runtime Environment may allow an untrusted applet to     elevate its privileges. For example, an applet may grant     itself permissions to read and write local files or     execute local applications that are accessible to the     user running the untrusted applet. (CVE-2007-4381)

The remote Mac OS X 10.4 host is running a version of Java for Mac OS X that is older than release 6.

The remote version of this software contains several security vulnerabilities that may allow a rogue Java applet to escalate its privileges and to add or remove arbitrary items from the user's KeyChain.

To exploit these flaws, an attacker would need to lure an attacker into executing a rogue Java applet.

The IBM Java JRE/SDK has been brought to release 1.5.0 SR6, containing several bugfixes, including the following security fixes :

  - A vulnerability in the Java Runtime Environment (JRE)     with applet caching may allow an untrusted applet that     is downloaded from a malicious website to make network     connections to network services on machines other than     the one that the applet was downloaded from. This may     allow network resources (such as web pages) and     vulnerabilities (that exist on these network services)     which are not otherwise normally accessible to be     accessed or exploited. (CVE-2007-5232)

  - A vulnerability in the Java Runtime Environment (JRE)     may allow malicious JavaScript code that is downloaded     by a browser from a malicious website to make network     connections, through Java APIs, to network services on     machines other than the one that the JavaScript code was     downloaded from. This may allow network resources (such     as web pages) and vulnerabilities (that exist on these     network services) which are not otherwise normally     accessible to be accessed or exploited. (CVE-2007-5274)

  - A second vulnerability in the JRE may allow an untrusted     applet that is downloaded from a malicious website     through a web proxy to make network connections to     network services on machines other than the one that the     applet was downloaded from. This may allow network     resources (such as web pages) and vulnerabilities (that     exist on these network services) which are not otherwise     normally accessible to be accessed or exploited.
    (CVE-2007-5273)

  - An untrusted Java Web Start application may write     arbitrary files with the privileges of the user running     the application. (CVE-2007-5236)

  - Three separate vulnerabilities may allow an untrusted     Java Web Start application to determine the location of     the Java Web Start cache. (CVE-2007-5238)

  - An untrusted Java Web Start application or Java applet     may move or copy arbitrary files by requesting the user     of the application or applet to drag and drop a file     from the Java Web Start application or Java applet     window. (CVE-2007-5239)

  - An untrusted applet may display an over-sized window so     that the applet warning banner is not visible to the     user running the untrusted applet. CVE-2007-4381: A     vulnerability in the font parsing code in the Java     Runtime Environment may allow an untrusted applet to     elevate its privileges. For example, an applet may grant     itself permissions to read and write local files or     execute local applications that are accessible to the     user running the untrusted applet. (CVE-2007-5240)

  - The Java Secure Socket Extension (JSSE) that is included     in various releases of the Java Runtime Environment does     not correctly process SSL/TLS handshake requests. This     vulnerability may be exploited to create a Denial of     Service (DoS) condition to the system as a whole on a     server that listens for SSL/TLS connections using JSSE     for SSL/TLS support. (CVE-2007-3698)

For more information see:
http://www-128.ibm.com/developerworks/java/jdk/alerts/

Additionally a concurrency bug has been fixed (Novell Bug 330713).

The remote host is affected by the vulnerability described in GLSA-200709-15 (BEA JRockit: Multiple vulnerabilities)

    An integer overflow vulnerability exists in the embedded ICC profile     image parser (CVE-2007-2788), an unspecified vulnerability exists in     the font parsing implementation (CVE-2007-4381), and an error exists     when processing XSLT stylesheets contained in XSLT Transforms in XML     signatures (CVE-2007-3716), among other vulnerabilities.
  Impact :

    A remote attacker could trigger the integer overflow to execute     arbitrary code or crash the JVM through a specially crafted file. Also,     an attacker could perform unauthorized actions via an applet that     grants certain privileges to itself because of the font parsing     vulnerability. The error when processing XSLT stylesheets can be     exploited to execute arbitrary code. Other vulnerabilities could lead     to establishing restricted network connections to certain services,     Cross Site Scripting and Denial of Service attacks.
  Workaround :

    There is no known workaround at this time for all these     vulnerabilities.

ID	Name	Product	Family	Severity
64823	Sun Java JRE Font Parsing Privilege Escalation (103024) (Unix)	Nessus	Misc.	high
63846	RHEL 4 : java-1.4.2-bea (RHSA-2007:1086)	Nessus	Red Hat Local Security Checks	high
41210	SuSE9 Security Update : IBM Java 2 JRE and SDK (YOU Patch Number 12142)	Nessus	SuSE Local Security Checks	high
40714	RHEL 3 / 4 / 5 : java-1.4.2-ibm (RHSA-2008:0132)	Nessus	Red Hat Local Security Checks	high
40712	RHEL 3 / 4 / 5 : java-1.4.2-bea (RHSA-2008:0100)	Nessus	Red Hat Local Security Checks	high
40708	RHEL 4 / 5 : java-1.5.0-bea (RHSA-2007:0956)	Nessus	Red Hat Local Security Checks	high
40706	RHEL 4 / 5 : java-1.5.0-ibm (RHSA-2007:0829)	Nessus	Red Hat Local Security Checks	critical
32050	SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 5183)	Nessus	SuSE Local Security Checks	critical
32049	SuSE 10 Security Update : IBM Java 1.4.2 (ZYPP Patch Number 5182)	Nessus	SuSE Local Security Checks	high
29702	Mac OS X : Java for Mac OS X 10.4 Release 6	Nessus	MacOS X Local Security Checks	critical
29476	SuSE 10 Security Update : java-1_5_0-ibm (ZYPP Patch Number 4687)	Nessus	SuSE Local Security Checks	high
26117	GLSA-200709-15 : BEA JRockit: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
25903	Sun Java JRE Font Parsing Privilege Escalation (103024)	Nessus	Windows	high

Detections

Analytics

CVE-2007-4381

critical

Tenable Plugins

high

high

high

high

high

high

critical

critical

high

critical

high

high

high