Executive Summary
Summary | |
---|---|
Title | Sun Alert 244986 The Java Runtime Environment Creates Temporary Files That Have "Guessable" File Names |
Informations | |||
---|---|---|---|
Name | SUN-244986 | First vendor Publication | 2008-12-03 |
Vendor | Sun | Last vendor Modification | 2010-01-20 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 6.4 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Product: Sun Java Standard Edition (Java SE) The Java Runtime Environment creates temporary files with insufficiently random names. This may be leveraged to write JAR files which may then be loaded as untrusted applets and Java Web Start applications to access and provide services from localhost and hence steal cookies. State: Resolved First released: 03-Dec-2008 |
Original Source
Url : http://blogs.sun.com/security/entry/sun_alert_244986_the_java |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:13408 | |||
Oval ID: | oval:org.mitre.oval:def:13408 | ||
Title: | USN-713-1 -- openjdk-6 vulnerabilities | ||
Description: | It was discovered that Java did not correctly handle untrusted applets. If a user were tricked into running a malicious applet, a remote attacker could gain user privileges, or list directory contents. It was discovered that Kerberos authentication and RSA public key processing were not correctly handled in Java. A remote attacker could exploit these flaws to cause a denial of service. It was discovered that Java accepted UTF-8 encodings that might be handled incorrectly by certain applications. A remote attacker could bypass string filters, possible leading to other exploits. Overflows were discovered in Java JAR processing. If a user or automated system were tricked into processing a malicious JAR file, a remote attacker could crash the application, leading to a denial of service. It was discovered that Java calendar objects were not unserialized safely. If a user or automated system were tricked into processing a specially crafted calendar object, a remote attacker could execute arbitrary code with user privileges. It was discovered that the Java image handling code could lead to memory corruption. If a user or automated system were tricked into processing a specially crafted image, a remote attacker could crash the application, leading to a denial of service. It was discovered that temporary files created by Java had predictable names. If a user or automated system were tricked into processing a specially crafted JAR file, a remote attacker could overwrite sensitive information | ||
Family: | unix | Class: | patch |
Reference(s): | USN-713-1 CVE-2008-5347 CVE-2008-5350 CVE-2008-5348 CVE-2008-5349 CVE-2008-5351 CVE-2008-5352 CVE-2008-5354 CVE-2008-5353 CVE-2008-5358 CVE-2008-5359 CVE-2008-5360 | Version: | 5 |
Platform(s): | Ubuntu 8.10 | Product(s): | openjdk-6 |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:6596 | |||
Oval ID: | oval:org.mitre.oval:def:6596 | ||
Title: | Sun Java Runtime Environment temporary files weak security | ||
Description: | Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier creates temporary files with predictable file names, which allows attackers to write malicious JAR files via unknown vectors. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-5360 | Version: | 1 |
Platform(s): | VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2010-05-28 | Name : Java for Mac OS X 10.5 Update 4 File : nvt/macosx_java_for_10_5_upd_4.nasl |
2009-10-13 | Name : SLES10: Security update for IBM Java 1.4.2 File : nvt/sles10_java-1_4_2-ibm0.nasl |
2009-10-13 | Name : SLES10: Security update for Sun Java 1.4.2 File : nvt/sles10_java-1_4_2-sun.nasl |
2009-10-13 | Name : SLES10: Security update for IBM Java 1.5.0 File : nvt/sles10_java-1_5_0-ibm2.nasl |
2009-10-11 | Name : SLES11: Security update for IBM Java 1.4.2 File : nvt/sles11_java-1_4_2-ibm.nasl |
2009-10-10 | Name : SLES9: Security update for Sun Java File : nvt/sles9p5040565.nasl |
2009-10-10 | Name : SLES9: Security update for IBM Java5 JRE and SDK File : nvt/sles9p5041763.nasl |
2009-10-10 | Name : SLES9: Security update for IBM Java2 JRE and SDK File : nvt/sles9p5046860.nasl |
2009-05-20 | Name : SuSE Security Summary SUSE-SR:2009:010 File : nvt/suse_sr_2009_010.nasl |
2009-05-05 | Name : HP-UX Update for Java HPSBUX02411 File : nvt/gb_hp_ux_HPSBUX02411.nasl |
2009-04-28 | Name : RedHat Security Advisory RHSA-2009:0445 File : nvt/RHSA_2009_0445.nasl |
2009-03-13 | Name : Ubuntu USN-732-1 (dash) File : nvt/ubuntu_732_1.nasl |
2009-03-13 | Name : Ubuntu USN-731-1 (apache2) File : nvt/ubuntu_731_1.nasl |
2009-03-13 | Name : SuSE Security Summary SUSE-SR:2009:006 File : nvt/suse_sr_2009_006.nasl |
2009-02-16 | Name : Fedora Update for java-1.6.0-openjdk FEDORA-2008-10913 File : nvt/gb_fedora_2008_10913_java-1.6.0-openjdk_fc10.nasl |
2009-02-16 | Name : Fedora Update for java-1.6.0-openjdk FEDORA-2008-10860 File : nvt/gb_fedora_2008_10860_java-1.6.0-openjdk_fc9.nasl |
2009-02-02 | Name : Ubuntu USN-710-1 (xine-lib) File : nvt/ubuntu_710_1.nasl |
2009-02-02 | Name : Ubuntu USN-711-1 (ktorrent) File : nvt/ubuntu_711_1.nasl |
2009-02-02 | Name : Ubuntu USN-712-1 (vim) File : nvt/ubuntu_712_1.nasl |
2009-02-02 | Name : Ubuntu USN-713-1 (openjdk-6) File : nvt/ubuntu_713_1.nasl |
2009-01-20 | Name : RedHat Security Advisory RHSA-2009:0016 File : nvt/RHSA_2009_0016.nasl |
2009-01-20 | Name : RedHat Security Advisory RHSA-2009:0015 File : nvt/RHSA_2009_0015.nasl |
2009-01-13 | Name : SuSE Security Advisory SUSE-SA:2009:001 (Sun Java) File : nvt/suse_sa_2009_001.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
50495 | Sun Java JDK / JRE Environment Temporary File Name Prediction Weakness |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2009-10-22 | IAVM : 2009-A-0105 - Multiple Vulnerabilities in VMware Products Severity : Category I - VMSKEY : V0021867 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-03 | Name : The remote host is missing a security-related patch. File : vmware_VMSA-2009-0014_remote.nasl - Type : ACT_GATHER_INFO |
2013-02-22 | Name : The remote Unix host contains a runtime environment that is affected by multi... File : sun_java_jre_244986_unix.nasl - Type : ACT_GATHER_INFO |
2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0466.nasl - Type : ACT_GATHER_INFO |
2009-12-14 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_40374.nasl - Type : ACT_GATHER_INFO |
2009-12-14 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_40375.nasl - Type : ACT_GATHER_INFO |
2009-11-18 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200911-02.nasl - Type : ACT_GATHER_INFO |
2009-10-19 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2009-0014.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12321.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_java-1_5_0-ibm-5960.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_java-1_4_2-sun-5852.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_4_2-ibm-090405.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12387.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12336.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0445.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-1018.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0016.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0015.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-1025.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_6_0-sun-081217.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_6_0-openjdk-090303.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_5_0-sun-081217.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_java-1_6_0-sun-081217.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_java-1_5_0-sun-081217.nasl - Type : ACT_GATHER_INFO |
2009-07-09 | Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_rel9.nasl - Type : ACT_GATHER_INFO |
2009-06-17 | Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_10_5_update4.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-713-1.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2008-10913.nasl - Type : ACT_GATHER_INFO |
2009-01-07 | Name : The remote openSUSE host is missing a security update. File : suse_java-1_5_0-sun-5875.nasl - Type : ACT_GATHER_INFO |
2009-01-07 | Name : The remote openSUSE host is missing a security update. File : suse_java-1_6_0-sun-5876.nasl - Type : ACT_GATHER_INFO |
2008-12-08 | Name : The remote Fedora host is missing a security update. File : fedora_2008-10860.nasl - Type : ACT_GATHER_INFO |
2008-12-04 | Name : The remote Windows host contains a runtime environment that is affected by mu... File : sun_java_jre_244986.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2013-02-06 19:08:20 |
|