SuSE 10 Security Update : Sun Java 1.4.2 (ZYPP Patch Number 4533)

High Nessus Plugin ID 29473

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 4.7

Synopsis

The remote SuSE 10 host is missing a security-related patch.

Description

The Sun JAVA JDK 1.4.2 was upgraded to release 16 to fix various bugs, including the following security bugs :

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103079-1

- Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled, allows remote attackers to violate the security model for an applet's outbound connections via a DNS rebinding attack. (CVE-2007-5232)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103073-1

- Java Web Start in Sun JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier, on Windows does not properly enfor ce access restrictions for untrusted applications, which allows user-assisted remote attackers to read local files via an untrusted applica tion. (CVE-2007-5236)

- Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read and modify local files via an untrusted application, aka 'two vulnerabilities'.
(CVE-2007-5237)

- Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to obtain sensitive information (the Java Web Start cache location) via an untrusted application, aka 'three vulnerabilities.'. (CVE-2007-5238)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103072-1

- Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier does not properly enforce access restrictions for untrusted (1) applications and (2) applets, which allows user-assisted remote attackers to copy or rename arbitrary files when local users perform drag-and-drop operations from the untrusted application or applet window onto certain types of desktop applications.
(CVE-2007-5239)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103071-1

- Visual truncation vulnerability in the Java Runtime Environment in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows remote attackers to circumvent display of the untrusted-code warning banner by creating a window larger than the workstation screen. (CVE-2007-5240)

http://sunsolve.sun.com/search/document.do?assetkey=1-26-103078-1

- Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy server is used, allows remote attackers to violate the security model for an applet's outbound connections via a multi-pin DNS rebinding attack in which the applet download relies on DNS resolution on the proxy server, but the applet's socket operations rely on DNS resolution on the local machine, a different issue than CVE-2007-5274. (CVE-2007-5273)

- Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when Firefox or Opera is used, allows remote attackers to violate the security model for JavaScript outbound connections via a multi-pin DNS rebinding attack dependent on the LiveConnect API, in which JavaScript download relies on DNS resolution by the browser, but JavaScript socket operations rely on separate DNS resolution by a Java Virtual Machine (JVM), a different issue than CVE-2007-5273. (CVE-2007-5274)

Solution

Apply ZYPP patch number 4533.

See Also

http://support.novell.com/security/cve/CVE-2007-5232.html

http://support.novell.com/security/cve/CVE-2007-5236.html

http://support.novell.com/security/cve/CVE-2007-5237.html

http://support.novell.com/security/cve/CVE-2007-5238.html

http://support.novell.com/security/cve/CVE-2007-5239.html

http://support.novell.com/security/cve/CVE-2007-5240.html

http://support.novell.com/security/cve/CVE-2007-5273.html

http://support.novell.com/security/cve/CVE-2007-5274.html

Plugin Details

Severity: High

ID: 29473

File Name: suse_java-1_4_2-sun-4533.nasl

Version: 1.17

Type: local

Agent: unix

Published: 2007/12/13

Updated: 2019/10/25

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 4.7

CVSS v2.0

Base Score: 7.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

Vulnerability Information

CPE: cpe:/o:suse:suse_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Patch Publication Date: 2007/10/11

Reference Information

CVE: CVE-2007-5232, CVE-2007-5236, CVE-2007-5237, CVE-2007-5238, CVE-2007-5239, CVE-2007-5240, CVE-2007-5273, CVE-2007-5274

CWE: 264