Java Reflection API privilege escalation vulnerability

Technote (troubleshooting)


Problem (Abstract)

Three security vulnerabilities involving the use of "reflection" APIs in the Java™ Runtime Environment (JRE) may, independently of one another, allow an untrusted applet to elevate its privileges.

Resolving the problem

The first issue is due to three errors in the use of "reflection" APIs in the JRE. An attacker who convinces a user to visit a specially crafted Web page could exploit them to read and write local files or execute local applications with the privileges of the user running the untrusted applet.

The second vulnerability is due to an error in Java Management Extensions (JMX) when handling specially crafted applets. It could be exploited to read and write local files or execute local applications with the privileges of the user running the untrusted applet.

The third is due to an unspecified error when handling specially crafted applets. It could likewise be exploited to read and write local files or execute local applications with the privileges of the user running the untrusted applet.

All of these vulnerabilities apply only to applet containers (for example, a Web browser's Java plug-in) that execute untrusted code downloaded from a remote server. They do not apply to most applications running in WebSphere Application Server, because the Application Server executes only trusted code and does not run downloaded applets in a sandbox.
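The distinction between trusted and untrusted code comes down to the SecurityManager. The following is an added example, not code from IBM or from the referenced alerts: it shows the check that the JRE's reflection APIs are supposed to enforce, namely that code without ReflectPermission("suppressAccessChecks") cannot use Field.setAccessible(true) to reach a private member. Without a SecurityManager (the situation of trusted server-side code) the private value is read; with the default SecurityManager and default policy (the situation of a sandboxed applet) the same call is denied. The vulnerabilities described above allowed an untrusted applet to get around checks of this kind; the class and field names here are the example's own.

```java
import java.lang.reflect.Field;
import java.security.AccessControlException;

/**
 * Added example: demonstrates the access check that Java's reflection APIs
 * apply under a SecurityManager. Class and field names are illustrative only.
 */
public class ReflectionSandboxDemo {

    // Target of the reflective access: a private member that sandboxed code
    // must not be able to read or write.
    private final String secret = "not for applets";

    /**
     * Tries to read the private field via reflection.
     * Returns the value if the caller is allowed to suppress access checks,
     * or null if the SecurityManager denies the attempt.
     */
    static String readSecretViaReflection() {
        try {
            Field f = ReflectionSandboxDemo.class.getDeclaredField("secret");
            // Checked against ReflectPermission("suppressAccessChecks") when a
            // SecurityManager is installed; denied code gets AccessControlException.
            f.setAccessible(true);
            return (String) f.get(new ReflectionSandboxDemo());
        } catch (AccessControlException denied) {
            return null;                      // the sandbox did its job
        } catch (NoSuchFieldException e) {
            throw new IllegalStateException(e);
        } catch (IllegalAccessException e) {
            return null;                      // access check left in place
        }
    }

    public static void main(String[] args) {
        // Trusted code (no SecurityManager, as in an application server): allowed.
        System.out.println("no SecurityManager:   " + readSecretViaReflection());

        // Untrusted code path: install the default SecurityManager with the default
        // policy, which grants application classes no ReflectPermission. Now denied.
        System.setSecurityManager(new SecurityManager());
        System.out.println("with SecurityManager: " + readSecretViaReflection());
    }
}
```

Compile with javac and run with java ReflectionSandboxDemo. The first line prints the secret, the second prints null. On JDK 18 and later the SecurityManager must be enabled explicitly with -Djava.security.manager=allow, and on JDK 24 and later it can no longer be enabled at all, so the second half of the demonstration requires an older JDK.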

To eliminate these vulnerabilities, ensure that you are running one of the following service levels or later:

  • AIX, Windows and Linux platforms:
      IBM SDK 1.4.2 Service Release 3 (SR3) and later
      IBM SDK 1.3.1 Service Release 9 (SR9) and later
  • Solaris platforms:
      Java 2 SDK, Standard Edition 1.4.2_09 and later
      Java 2 SDK, Standard Edition 1.3.1_16 and later
  • HP-UX platforms: contact the operating system vendor

Related information

US-CERT Vulnerability Note VU#974188
Sun Alert ID: 201372 Security Vulnerabilities

Cross reference information
  Segment: Application Servers
  Product: Runtimes for Java Technology
  Component: Java SDK

Document information


More support for:

WebSphere Application Server
Java SDK

Software version:

5.1, 6.0

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1225628

Modified date:

2009-12-04
