[NEWS] Java HTTP Proxy Vulnerability (Additional Details)
From: support@securiteam.com Date: 03/11/02
From: support@securiteam.com To: list@securiteam.com Date: Mon, 11 Mar 2002 09:46:12 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Java HTTP Proxy Vulnerability (Additional Details)
------------------------------------------------------------------------
SUMMARY
The Java security model is designed to allow code from an untrusted
source, usually web applets, to be safely executed. A malicious applet
could make irregular and unchecked HTTP requests. Depending on which
network access restrictions are applied, this would lead to those
restrictions being bypassed. Only systems that have an HTTP proxy
configured can be vulnerable.
DETAILS
Affected software & patch availability; vendor bulletins:
Sun
Bulletin Number: #00216
Date: March 4, 2002
Title: HttpURLConnection
http://sunsolve.Sun.COM/pub-cgi/secBulletin.pl
(At the time of this writing bulletin 216 was not available on the website
yet.)
Microsoft
Microsoft Security Bulletin MS02-013
Java Applet Can Redirect Browser Traffic
Originally posted: March 04, 2002
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-013.asp
(URL may get wrapped)
Netscape
Sun JVM (Java Virtual Machine) Issue
http://home.netscape.com/security/
Free Java implementations
Neither the Kaffe nor the GNU Classpath class libraries are vulnerable to
this issue.
Tested software:
Sun/Blackdown 1.1.7/8, 1.2.2, 1.3.0/1 linux/win32
Netscape 4.61 default Java Runtime Linux
MSIE 5.0 default Java Runtime win32
HotJava Browser 3.0
Kaffe 1.06
GNU Classpath 0.03
ADDITIONAL INFORMATION
The information has been provided by Harmen van der Wal
<harmwal@xs4all.nl>.
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.