Sun Java JRE External XML Entities Restriction Bypass (231246)

This script is Copyright (C) 2008-2017 Tenable Network Security, Inc.


Synopsis :

The remote Windows host has an application that is affected by a
security bypass vulnerability.

Description :

According to its version number, the Sun Java Runtime Environment
(JRE) installed on the remote host reportedly allows processing of
external entity references even when the 'external general entities'
property is set to 'FALSE'. This could allow an application to access
certain URL resources, such as files or web pages, or to launch a
denial of service attack against the system.

Note that successful exploitation requires that specially crafted XML
data be processed by a trusted application rather than by an untrusted
applet or Java Web Start application.

See also :

http://seclists.org/bugtraq/2008/Feb/7
http://download.oracle.com/sunalerts/1018967.1.html

Solution :

Upgrade to Sun JDK and JRE 6 Update 4 or later.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:C)
CVSS Temporal Score : 5.8
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows

Nessus Plugin ID: 30149 ()

Bugtraq ID: 27553

CVE ID: CVE-2008-0628

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now