JRE Vulnerability - question on affected version

Joshua Wright Joshua.Wright at jwu.edu
Mon Oct 27 15:57:05 GMT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sun recently released an advisory on vulnerabilities in the JRE and
SDK that allow an attacker to run unsigned Java applets outside of
the sandbox environment [1].  This advisory is in conjunction with a
post from LSD to explain the flaw and affected versions of JRE [2].

The Sun advisory says the following versions of JRE are vulnerable
for Windows systems:

SDK and JRE 1.4.1_03 and earlier
SDK and JRE 1.3.1_08 and earlier
SDK and JRE 1.2.2_015 and earlier

I'm having trouble finding out what versions of JRE are actually
affected, as not all version information is presented or listed in
the "affected versions" description.

The default java.exe on my Win2K system is in "C:\Program
Files\Oracle\jre\1.3.1\bin", which appears to be vulnerable:

C:\Program Files\Oracle\jre\1.3.1\bin>java -version
java version "1.3.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_01)
Java HotSpot(TM) Client VM (build 1.3.1_01, mixed mode)

But I also have the Sun JInitiator code on my system, which we use
for Oracle Forms applications:

C:\Program Files\Oracle\JInitiator 1.3.1.9\bin>java -version
java version "1.3.1.9"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1.9)
Java HotSpot(TM) Client VM (build 1.3.1-rc2-b22, mixed mode)

Note that this build does not use the same versioning information as
is noted in the advisory (uses a "-rc2-b22" instead of a "_01").  I'd
like to clarify if the version of JInitiator is vulnerable - anyone
have any insight into this?  Anyone have contacts at Sun who can shed
some assistance on this issue?

Thanks.

- -Joshua Wright
Senior Network and Security Architect
Johnson & Wales University
Joshua.Wright at jwu.edu 
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

[1] Sun Alert Notification, Alert ID: 57221.
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57221&zone_32=category%3Asecurity
[2] BUGTRAQ Post.
http://www.securityfocus.com/archive/1/342147/2003-10-21/2003-10-27/0

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBP51AUY/i/ArUS0pzEQIrRgCfX8pcAw0Zq7qNZMbUu/omQ5wl2CEAoKU6
rjVGUeTC9sYi+Z1oPLMsdM5S
=MbMA
-----END PGP SIGNATURE-----
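The check the post is trying to do by hand, as an added example that is not part of the original message or of Sun's advisory: parse the version line printed by `java -version` and compare it with the Windows "affected versions" list quoted above. The thresholds are taken from the post (1.4.1_03, 1.3.1_08 and 1.2.2_015 and earlier); a version string that does not follow Sun's major.minor.micro_update scheme, such as the JInitiator "1.3.1.9" build, is reported as unknown rather than guessed at, which is exactly the gap the post is asking about. The function and variable names are my own, and the third sample output is constructed, not captured from a real system.

```python
import re

# Affected Windows releases, as quoted in the post from Sun Alert 57221:
# SDK/JRE 1.4.1_03 and earlier, 1.3.1_08 and earlier, 1.2.2_015 and earlier.
# Key: (major, minor, micro) family; value: highest affected update number.
AFFECTED_MAX_UPDATE = {
    (1, 4, 1): 3,
    (1, 3, 1): 8,
    (1, 2, 2): 15,
}

# First line of `java -version` output, e.g.  java version "1.3.1_01"
_VERSION_LINE = re.compile(r'java version "([^"]+)"')
# Sun's release scheme: major.minor.micro with an optional _update suffix.
_SUN_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(output):
    """Return the quoted version string from `java -version` output, or None."""
    for line in output.splitlines():
        m = _VERSION_LINE.search(line)
        if m:
            return m.group(1)
    return None


def classify(version):
    """Map a version string to ('vulnerable'|'fixed'|'unknown', reason)."""
    m = _SUN_VERSION.match(version)
    if not m:
        # e.g. JInitiator's "1.3.1.9": four dotted fields, no _update, so the
        # advisory's thresholds cannot be applied to it with any confidence.
        return ("unknown",
                "%r is not in Sun's major.minor.micro[_update] format" % version)
    family = tuple(int(x) for x in m.group(1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0  # bare "1.3.1" is update 0
    limit = AFFECTED_MAX_UPDATE.get(family)
    if limit is None:
        return ("unknown",
                "family %d.%d.%d is not in the quoted Windows list" % family)
    if update <= limit:
        return ("vulnerable",
                "update %d is at or below affected maximum _%02d" % (update, limit))
    return ("fixed", "update %d is above affected maximum _%02d" % (update, limit))


def check_output(output):
    """Classify a whole `java -version` capture; unknown if no version line."""
    version = parse_java_version(output)
    if version is None:
        return ("unknown", "no 'java version' line found")
    return classify(version)


# Sample captures: the first two are the outputs quoted in the post, the
# third is constructed here to show a release above the threshold.
SAMPLE_DEFAULT_JRE = '''java version "1.3.1_01"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1_01)
Java HotSpot(TM) Client VM (build 1.3.1_01, mixed mode)
'''
SAMPLE_JINITIATOR = '''java version "1.3.1.9"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.1.9)
Java HotSpot(TM) Client VM (build 1.3.1-rc2-b22, mixed mode)
'''
SAMPLE_CONSTRUCTED_FIXED = '''java version "1.4.1_04"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.1_04-b01)
Java HotSpot(TM) Client VM (build 1.4.1_04-b01, mixed mode)
'''

if __name__ == "__main__":
    for name, capture in (("default JRE", SAMPLE_DEFAULT_JRE),
                          ("JInitiator", SAMPLE_JINITIATOR),
                          ("constructed", SAMPLE_CONSTRUCTED_FIXED)):
        status, reason = check_output(capture)
        print("%-12s %-10s %s" % (name, status, reason))
```

In practice the captures would come from running `java -version` against every `java.exe` found on the box, not just the one on `PATH`; the post itself shows two runtimes in different directories, and any bundled JRE (here JInitiator under the Oracle program directory) that the classifier flags as unknown needs to be resolved with the vendor rather than assumed safe.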