Executive Summary
Summary | |
---|---|
Title | Sun Alert 263409 Security Vulnerabilities With the Proxy Mechanism Implementation in the Java Runtime Environment (JRE) may Lead to Escalation of Privileges |
Informations | |||
---|---|---|---|
Name | SUN-263409 | First vendor Publication | 2009-08-04 |
Vendor | Sun | Last vendor Modification | 2010-01-21 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Product: Java Platform, Standard Edition 6 (Java SE 6) CR 6801071: A security vulnerability in the Java Runtime Environment SOCKSproxy implementation may allow an untrusted applet or Java Web Startapplication to determine the username of the user running the applet orapplication. A second vulnerability in the Java Runtime Environment proxymechanism implementation may allow an untrusted applet or Java Web Start application to obtain browser cookies and leverage thosecookies to hijack sessions. CR 6801497: A security vulnerability in the Java Runtime Environment proxymechanism implementation may allow an untrusted applet or Java WebStart application to make non-authorized socket or URL connections tohosts other than the origin host. Sun acknowledges, with thanks, Gregory Fleischer for bringing the firsttwo issues to our attention. State: Resolved First released: 04-Aug-2009 |
Original Source
Url : http://blogs.sun.com/security/entry/sun_alert_263409_security_vulnerabilities |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:10263 | |||
Oval ID: | oval:org.mitre.oval:def:10263 | ||
Title: | The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unspecified vectors, related to a declaration that lacks the final keyword. | ||
Description: | The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to bypass intended access restrictions and connect to arbitrary sites via unspecified vectors, related to a declaration that lacks the final keyword. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-2673 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:11115 | |||
Oval ID: | oval:org.mitre.oval:def:11115 | ||
Title: | The SOCKS proxy implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to discover the username of the account that invoked an untrusted (1) applet or (2) Java Web Start application via unspecified vectors. | ||
Description: | The SOCKS proxy implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, allows remote attackers to discover the username of the account that invoked an untrusted (1) applet or (2) Java Web Start application via unspecified vectors. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-2671 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:9359 | |||
Oval ID: | oval:org.mitre.oval:def:9359 | ||
Title: | The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, does not prevent access to browser cookies by untrusted (1) applets and (2) Java Web Start applications, which allows remote attackers to hijack web sessions via unspecified vectors. | ||
Description: | The proxy mechanism implementation in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15, and JDK and JRE 5.0 before Update 20, does not prevent access to browser cookies by untrusted (1) applets and (2) Java Web Start applications, which allows remote attackers to hijack web sessions via unspecified vectors. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2009-2672 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2011-08-09 | Name : CentOS Update for java CESA-2009:1201 centos5 i386 File : nvt/gb_CESA-2009_1201_java_centos5_i386.nasl |
2010-05-28 | Name : Java for Mac OS X 10.5 Update 5 File : nvt/macosx_java_for_10_5_upd_5.nasl |
2009-11-17 | Name : RedHat Security Advisory RHSA-2009:1582 File : nvt/RHSA_2009_1582.nasl |
2009-11-11 | Name : SLES11: Security update for IBM Java 1.6.0 File : nvt/sles11_java-1_6_0-ibm1.nasl |
2009-10-19 | Name : SuSE Security Summary SUSE-SR:2009:016 File : nvt/suse_sr_2009_016.nasl |
2009-09-02 | Name : RedHat Security Advisory RHSA-2009:1236 File : nvt/RHSA_2009_1236.nasl |
2009-09-02 | Name : Mandrake Security Advisory MDVSA-2009:209 (java-1.6.0-openjdk) File : nvt/mdksa_2009_209.nasl |
2009-08-20 | Name : Sun Java JDK/JRE Multiple Vulnerabilities - Aug09 File : nvt/gb_sun_java_jre_mult_vuln_aug09.nasl |
2009-08-17 | Name : RedHat Security Advisory RHSA-2009:1199 File : nvt/RHSA_2009_1199.nasl |
2009-08-17 | Name : RedHat Security Advisory RHSA-2009:1200 File : nvt/RHSA_2009_1200.nasl |
2009-08-17 | Name : RedHat Security Advisory RHSA-2009:1201 File : nvt/RHSA_2009_1201.nasl |
2009-08-17 | Name : Fedora Core 11 FEDORA-2009-8329 (java-1.6.0-openjdk) File : nvt/fcore_2009_8329.nasl |
2009-08-17 | Name : Fedora Core 10 FEDORA-2009-8337 (java-1.6.0-openjdk) File : nvt/fcore_2009_8337.nasl |
2009-08-17 | Name : CentOS Security Advisory CESA-2009:1201 (java-1.6.0-openjdk) File : nvt/ovcesa2009_1201.nasl |
2009-08-17 | Name : SuSE Security Advisory SUSE-SA:2009:043 (java-1_5_0-sun,java-1_6_0-sun) File : nvt/suse_sa_2009_043.nasl |
2009-08-17 | Name : Ubuntu USN-814-1 (openjdk-6) File : nvt/ubuntu_814_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
56785 | Sun Java JDK / JRE Proxy Mechanism Implementation Arbitrary Host Connection |
56784 | Sun Java JDK / JRE Proxy Mechanism Implementation Unauthorized Browser Cookie... |
56783 | Sun Java JDK / JRE SOCKS Proxy Implementation Applet Process Owner Disclosure |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-08 | Name : The remote VMware ESX host is missing a security-related patch. File : vmware_VMSA-2010-0002_remote.nasl - Type : ACT_GATHER_INFO |
2016-03-03 | Name : The remote host is missing a security-related patch. File : vmware_VMSA-2009-0016_remote.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2009-1201.nasl - Type : ACT_GATHER_INFO |
2013-02-22 | Name : The remote Unix host contains a runtime environment that is affected by multi... File : sun_java_jre_263408_unix.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090824_java__jdk_1_6_0__on_SL4_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20090806_java_1_6_0_openjdk_on_SL5_3.nasl - Type : ACT_GATHER_INFO |
2011-04-23 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1662.nasl - Type : ACT_GATHER_INFO |
2010-03-31 | Name : The remote VMware ESX host is missing a security-related patch. File : vmware_VMSA-2010-0002.nasl - Type : ACT_GATHER_INFO |
2010-01-15 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2010-0043.nasl - Type : ACT_GATHER_INFO |
2010-01-06 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2009-1201.nasl - Type : ACT_GATHER_INFO |
2009-11-23 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2009-0016.nasl - Type : ACT_GATHER_INFO |
2009-11-18 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200911-02.nasl - Type : ACT_GATHER_INFO |
2009-11-13 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1582.nasl - Type : ACT_GATHER_INFO |
2009-11-05 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_6_0-ibm-091102.nasl - Type : ACT_GATHER_INFO |
2009-10-06 | Name : The remote openSUSE host is missing a security update. File : suse_java-1_6_0-sun-6395.nasl - Type : ACT_GATHER_INFO |
2009-10-06 | Name : The remote openSUSE host is missing a security update. File : suse_java-1_5_0-sun-6396.nasl - Type : ACT_GATHER_INFO |
2009-09-25 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_java-1_6_0-openjdk-090920.nasl - Type : ACT_GATHER_INFO |
2009-09-25 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_6_0-openjdk-090922.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_6_0-sun-090806.nasl - Type : ACT_GATHER_INFO |
2009-09-03 | Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_10_5_update5.nasl - Type : ACT_GATHER_INFO |
2009-08-31 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1236.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2009-209.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1199.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1200.nasl - Type : ACT_GATHER_INFO |
2009-08-11 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-814-1.nasl - Type : ACT_GATHER_INFO |
2009-08-10 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8337.nasl - Type : ACT_GATHER_INFO |
2009-08-10 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_java-1_5_0-sun-090806.nasl - Type : ACT_GATHER_INFO |
2009-08-10 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_java-1_6_0-sun-090806.nasl - Type : ACT_GATHER_INFO |
2009-08-10 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_5_0-sun-090806.nasl - Type : ACT_GATHER_INFO |
2009-08-10 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_6_0-sun-090806.nasl - Type : ACT_GATHER_INFO |
2009-08-07 | Name : The remote Fedora host is missing a security update. File : fedora_2009-8329.nasl - Type : ACT_GATHER_INFO |
2009-08-07 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-1201.nasl - Type : ACT_GATHER_INFO |
2009-08-05 | Name : The remote Windows host contains a runtime environment that is affected by mu... File : sun_java_jre_263408.nasl - Type : ACT_GATHER_INFO |
2007-10-12 | Name : The remote host is missing Sun Security Patch number 125136-97 File : solaris9_125136.nasl - Type : ACT_GATHER_INFO |
2007-10-12 | Name : The remote host is missing Sun Security Patch number 125136-97 File : solaris8_125136.nasl - Type : ACT_GATHER_INFO |
2007-10-12 | Name : The remote host is missing Sun Security Patch number 125136-97 File : solaris10_125136.nasl - Type : ACT_GATHER_INFO |