CVE-2008-5353

Severity: high

Description

The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".

References

http://blog.cr0.org/2009/05/write-once-own-everyone.html

http://landonf.bikemonkey.org/code/macosx/CVE-2008-5353.20090519.html

http://lists.opensuse.org/opensuse-security-announce/2009-01/msg00009.html

http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00000.html

http://marc.info/?l=bugtraq&m=123678756409861&w=2

http://marc.info/?l=bugtraq&m=126583436323697&w=2

http://osvdb.org/50500

http://rhn.redhat.com/errata/RHSA-2008-1018.html

http://rhn.redhat.com/errata/RHSA-2008-1025.html

http://secunia.com/advisories/32991

http://secunia.com/advisories/33015

http://secunia.com/advisories/33528

http://secunia.com/advisories/33709

http://secunia.com/advisories/33710

http://secunia.com/advisories/34233

http://secunia.com/advisories/34259

http://secunia.com/advisories/34605

http://secunia.com/advisories/34889

http://secunia.com/advisories/34972

http://secunia.com/advisories/35065

http://secunia.com/advisories/35118

http://secunia.com/advisories/37386

http://secunia.com/advisories/38539

http://security.gentoo.org/glsa/glsa-200911-02.xml

http://sunsolve.sun.com/search/document.do?assetkey=1-26-244991-1

http://support.avaya.com/elmodocs2/security/ASA-2009-012.htm

http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=829914&poid=

http://www.redhat.com/support/errata/RHSA-2009-0015.html

http://www.redhat.com/support/errata/RHSA-2009-0016.html

http://www.redhat.com/support/errata/RHSA-2009-0445.html

http://www.securityfocus.com/archive/1/503797/100/0/threaded

http://www.securityfocus.com/bid/32608

http://www.securitytracker.com/id?1021313

http://www.us-cert.gov/cas/techalerts/TA08-340A.html

http://www.vupen.com/english/advisories/2008/3339

http://www.vupen.com/english/advisories/2009/0672

http://www.vupen.com/english/advisories/2009/1391

http://www116.nortel.com/pub/repository/CLARIFY/DOCUMENT/2009/03/024431-01.pdf

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6511

https://rhn.redhat.com/errata/RHSA-2009-0466.html

Details

Source: MITRE

Published: 2008-12-05

Updated: 2018-10-11

Risk Information

CVSS v2

Base Score: 10

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 10

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:sun:jdk:5.0:update_1:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_10:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_11:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_12:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_13:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_14:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_15:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:*:update_16:*:*:*:*:*:* versions up to 5.0 (inclusive)

cpe:2.3:a:sun:jdk:5.0:update_2:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_3:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_4:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_5:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_6:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_7:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_8:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:5.0:update_9:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:6:*:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:6:update_1:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:*:update_10:*:*:*:*:*:* versions up to 6 (inclusive)

cpe:2.3:a:sun:jdk:6:update_2:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:6:update_3:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:6:update_4:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:6:update_5:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:6:update_6:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:6:update_7:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:6:update_8:*:*:*:*:*:*

cpe:2.3:a:sun:jdk:6:update_9:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_1:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_2:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_3:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_4:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_5:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_6:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_7:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_8:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_9:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_10:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_11:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_12:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_13:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_14:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_15:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_16:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:1.4.2_17:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:*:*:*:*:*:*:*:* versions up to 1.4.2_18 (inclusive)

cpe:2.3:a:sun:jre:5.0:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_1:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_10:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_11:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_12:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_13:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_14:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_15:*:*:*:*:*:*

cpe:2.3:a:sun:jre:*:update_16:*:*:*:*:*:* versions up to 5.0 (inclusive)

cpe:2.3:a:sun:jre:5.0:update_2:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_3:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_4:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_5:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_6:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_7:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_8:*:*:*:*:*:*

cpe:2.3:a:sun:jre:5.0:update_9:*:*:*:*:*:*

cpe:2.3:a:sun:jre:6:*:*:*:*:*:*:*

cpe:2.3:a:sun:jre:6:update_1:*:*:*:*:*:*

cpe:2.3:a:sun:jre:*:update_10:*:*:*:*:*:* versions up to 6 (inclusive)

cpe:2.3:a:sun:jre:6:update_2:*:*:*:*:*:*

cpe:2.3:a:sun:jre:6:update_3:*:*:*:*:*:*

cpe:2.3:a:sun:jre:6:update_4:*:*:*:*:*:*

cpe:2.3:a:sun:jre:6:update_5:*:*:*:*:*:*

cpe:2.3:a:sun:jre:6:update_6:*:*:*:*:*:*

cpe:2.3:a:sun:jre:6:update_7:*:*:*:*:*:*

cpe:2.3:a:sun:jre:6:update_8:*:*:*:*:*:*

cpe:2.3:a:sun:jre:6:update_9:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_1:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_2:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_3:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_4:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_5:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_6:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_7:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_8:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_9:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_10:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_11:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_12:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_13:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_14:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_15:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_16:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:1.4.2_17:*:*:*:*:*:*:*

cpe:2.3:a:sun:sdk:*:*:*:*:*:*:*:* versions up to 1.4.2_18 (inclusive)

Tenable Plugins (32 total)

ID | Name | Product | Family | Severity
89116 | VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0014) (remote check) | Nessus | Misc. | critical
64828 | Sun Java JRE Multiple Vulnerabilities (244986 et al) (Unix) | Nessus | Misc. | critical
43843 | RHEL 4 / 5 : java-1.5.0-ibm (RHSA-2009:0466) | Nessus | Red Hat Local Security Checks | critical
43143 | HP-UX PHSS_40375 : s700_800 11.X OV NNM7.53 IA-64 Intermediate Patch 25 | Nessus | HP-UX Local Security Checks | critical
43142 | HP-UX PHSS_40374 : s700_800 11.X OV NNM7.53 PA-RISC Intermediate Patch 25 | Nessus | HP-UX Local Security Checks | critical
42834 | GLSA-200911-02 : Sun JDK/JRE: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
42179 | VMSA-2009-0014 : VMware ESX patches for DHCP, Service Console kernel, and JRE resolve multiple security issues | Nessus | VMware ESX Local Security Checks | high
41527 | SuSE 10 Security Update : IBM Java 1.5.0 (ZYPP Patch Number 5960) | Nessus | SuSE Local Security Checks | critical
41526 | SuSE 10 Security Update : Sun Java 1.4.2 (ZYPP Patch Number 5852) | Nessus | SuSE Local Security Checks | critical
41525 | SuSE 10 Security Update : IBM Java 1.4.2 (ZYPP Patch Number 6136) | Nessus | SuSE Local Security Checks | critical
41404 | SuSE 11 Security Update : IBM Java 1.4.2 (SAT Patch Number 735) | Nessus | SuSE Local Security Checks | critical
41289 | SuSE9 Security Update : IBM Java2 JRE and SDK (YOU Patch Number 12387) | Nessus | SuSE Local Security Checks | critical
41268 | SuSE9 Security Update : IBM Java5 JRE and SDK (YOU Patch Number 12336) | Nessus | SuSE Local Security Checks | critical
41263 | SuSE9 Security Update : Sun Java (YOU Patch Number 12321) | Nessus | SuSE Local Security Checks | critical
40743 | RHEL 3 / 4 / 5 : java-1.4.2-ibm (RHSA-2009:0445) | Nessus | Red Hat Local Security Checks | critical
40738 | RHEL 4 / 5 : java-1.5.0-ibm (RHSA-2009:0016) | Nessus | Red Hat Local Security Checks | critical
40737 | RHEL 4 / 5 : java-1.6.0-ibm (RHSA-2009:0015) | Nessus | Red Hat Local Security Checks | critical
40732 | RHEL 4 / 5 : java-1.5.0-sun (RHSA-2008:1025) | Nessus | Red Hat Local Security Checks | critical
40731 | RHEL 4 / 5 : java-1.6.0-sun (RHSA-2008:1018) | Nessus | Red Hat Local Security Checks | critical
40241 | openSUSE Security Update : java-1_6_0-sun (java-1_6_0-sun-376) | Nessus | SuSE Local Security Checks | critical
40238 | openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-578) | Nessus | SuSE Local Security Checks | critical
40235 | openSUSE Security Update : java-1_5_0-sun (java-1_5_0-sun-375) | Nessus | SuSE Local Security Checks | critical
40002 | openSUSE Security Update : java-1_6_0-sun (java-1_6_0-sun-376) | Nessus | SuSE Local Security Checks | critical
39997 | openSUSE Security Update : java-1_5_0-sun (java-1_5_0-sun-375) | Nessus | SuSE Local Security Checks | critical
39766 | Mac OS X : Java for Mac OS X 10.4 Release 9 | Nessus | MacOS X Local Security Checks | high
39435 | Mac OS X : Java for Mac OS X 10.5 Update 4 | Nessus | MacOS X Local Security Checks | high
37381 | Ubuntu 8.10 : OpenJDK vulnerabilities (USN-713-1) | Nessus | Ubuntu Local Security Checks | critical
37147 | Fedora 10 : java-1.6.0-openjdk-1.6.0.0-7.b12.fc10 (2008-10913) | Nessus | Fedora Local Security Checks | critical
35306 | openSUSE 10 Security Update : java-1_6_0-sun (java-1_6_0-sun-5876) | Nessus | SuSE Local Security Checks | critical
35305 | openSUSE 10 Security Update : java-1_5_0-sun (java-1_5_0-sun-5875) | Nessus | SuSE Local Security Checks | critical
35046 | Fedora 9 : java-1.6.0-openjdk-1.6.0.0-0.20.b09.fc9 (2008-10860) | Nessus | Fedora Local Security Checks | critical
35030 | Sun Java JRE Multiple Vulnerabilities (244986 et al) | Nessus | Windows | high