Nessus Plugin #17615

Plugin Index

Note: This file has been created from a downloaded version of the Nessus Plugins from http://www.nessus.org/. Therefore, the information here can be outdated.

[GLSA-200503-28] Sun Java: Web Start argument injection vulnerability

Family:
Gentoo Local Security Checks
Category:
infos
Copyright:
(C) 2005 Michel Arboi
Summary:
Sun Java: Web Start argument injection vulnerability
Version:
$Revision: 1.1 $
Cve_id:
-
Bugtraq_id:
-
Xrefs:
GLSA:200503-28
Description:
The remote host is affected by the vulnerability described in GLSA-200503-28
(Sun Java: Web Start argument injection vulnerability)


Jouko Pynnonen discovered that Java Web Start contains a
vulnerability in the way it handles property tags in JNLP files.

Impact

By enticing a user to open a malicious JNLP file, a remote
attacker could pass command line arguments to the Java Virtual machine,
which can be used to bypass the Java "sandbox" and to execute arbitrary
code with the permissions of the user running the application.

Workaround

There is no known workaround at this time.

References:
http://jouko.iki.fi/adv/ws.html
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57740-1


Solution:
All Sun JDK users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jdk-1.4.2.07"
All Sun JRE users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-java/sun-jre-bin-1.4.2.07"


Risk factor : Medium
Generiert am 27.04.2005 um 18:49:54 Uhr.