COMMAND
Java(TM) Runtime Environment
SYSTEMS AFFECTED
Windows Production and Solaris Reference Releases
- JDK/JRE 1.2.2_004 or earlier
- JDK/JRE 1.2.1_003 or earlier
- JDK/JRE 1.1.8_002 or earlier
- JDK/JRE 1.1.7B_005 or earlier
- JDK/JRE 1.1.6_007 or earlier
Solaris Production Releases
- JDK/JRE 1.2.2_05 or earlier
- JDK/JRE 1.2.1
- JDK/JRE 1.1.8_10 or earlier
- JDK/JRE 1.1.7B
- JDK/JRE 1.1.6
Linux Production Release
- JDK/JRE 1.2.2_005 or earlier
Virtual Machines
- HotSpot(TM) 1.0 and 1.0.1
PROBLEM
The following is based on Sun Microsystems Security Bulletin #00199.
Under certain circumstances, the Java(TM) Runtime Environment may
allow an untrusted Java class to call into a class it is not
permitted to access. Sun classifies this as a potential security
issue; the bulletin does not describe the triggering conditions.
This issue may also affect other vendors' Java implementations
that are derived from Sun's Java Development Kit JDK(TM) source
base. Sun has notified its Java licensees and made the remedy
available to them.
To the best of Sun's knowledge, Netscape Navigator and Microsoft
Internet Explorer are not exposed to this vulnerability.
No fixed update is provided for the Solaris Production releases
JDK/JRE 1.2.1, 1.1.7B, and 1.1.6; they should no longer be used.
The same applies to releases prior to JDK/JRE 1.1.6 for Windows or
Solaris.
The HotSpot(TM) 1.0 and 1.0.1 virtual machines are affected by
this vulnerability, independently of the JDK/JRE release they are
installed into; HotSpot 2.0 is not affected. HotSpot 1.0 and 1.0.1
should no longer be used. Users who cannot move to Java 2 Standard
Edition SDK v 1.3 should revert to the Classic virtual machine in
JDK/JRE 1.2.2_006 (Windows production or Solaris reference
release). Users who wish to take advantage of the performance of
HotSpot 2.0 should migrate to Java 2 Standard Edition SDK v 1.3.0.
SOLUTION
This vulnerability was fixed in Java 2 Standard Edition SDK v 1.3.
The following update releases are available in relation to this
issue.
Windows Production and Solaris Reference Releases
JDK/JRE 1.2.2_006 http://java.sun.com/products/jdk/1.2/
JDK/JRE 1.2.1_004 http://java.sun.com/products/jdk/1.2.1/
JDK/JRE 1.1.8_005 http://java.sun.com/products/jdk/1.1/
JDK/JRE 1.1.7B_007 http://java.sun.com/products/jdk/1.1.7B/
JDK/JRE 1.1.6_009 http://java.sun.com/products/jdk/1.1.6/
Solaris Production Releases
JDK/JRE 1.2.2_06 http://www.sun.com/software/solaris/java/download.html
JDK/JRE 1.1.8_12 http://www.sun.com/software/solaris/java/archive.html
Linux Production Release
JDK/JRE 1.2.2_006 http://java.sun.com/products/jdk/1.2/download-linux.html
HP-UX Releases
JDK and JRE 1.1.8.04 or higher for HP-UX 10.20 and 11.x
JDK and JRE 1.2.2.04 or higher for HP-UX 11.x (see note below)
JDK and JRE 1.3 (when available) for HP-UX 11.x
Note: version 1.2.2.04 is the minimum that resolves the issue
addressed in this security bulletin. However, JDK and JRE version
1.2.2.06 or later are preferred since they incorporate product
quality enhancements.
Also upgrade to ContinentalClusters version A.02.00 and install the
following patch:
for HP-UX Release 11.00: PHSS_22678
for HP-UX Release 11.11: PHSS_22678
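The fixed-release table above mixes three numbering schemes (three-digit
updates for the Windows production and Solaris reference releases, two-digit
updates for Solaris production releases, and a dotted fourth component on
HP-UX), so a version string alone does not say whether an installation is
fixed: 1.1.8_10 is past the 1.1.8_005 reference fix but short of the
1.1.8_12 Solaris production fix. The following checker is an added example
written for this page, not code from Sun or the bulletin. The table is
transcribed from the SOLUTION section; the shape of `java -version` output
it parses (a `java version "1.2.2"` line followed, for the Classic VM, by a
`build JDK-1.2.2_005` token, and a HotSpot VM line that names its own
version) is an assumption about the classic JDK's output, and the sample
outputs at the bottom are constructed, not captured from real installs.

```python
import re

# Minimum fixed update per release family and branch, transcribed from the
# SOLUTION section of Sun Security Bulletin #00199. Updates are compared
# numerically, so the bulletin's 1.2.2_06 and 1.2.2_006 are the same update.
FIXED = {
    # Windows production, Solaris reference and Linux production releases
    "reference": {"1.2.2": 6, "1.2.1": 4, "1.1.8": 5, "1.1.7B": 7, "1.1.6": 9},
    # Solaris production releases; 1.2.1, 1.1.7B and 1.1.6 have no fix at all
    "solaris-production": {"1.2.2": 6, "1.1.8": 12},
    # HP-UX releases carry the update as a dotted fourth component (1.2.2.04)
    "hp-ux": {"1.2.2": 4, "1.1.8": 4},
}

_VERSION_RE = re.compile(r"(\d+\.\d+(?:\.\d+[A-Za-z]?)?)(?:[._](\d+))?")


def parse_version(text):
    """Split '1.2.2_005', '1.1.7B_007', '1.2.2.04' or '1.3' into
    (branch, update); update is 0 when the string carries none."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised JDK/JRE version: %r" % text)
    branch, update = m.group(1), m.group(2)
    return branch, int(update) if update else 0


def is_fixed(version, family="reference"):
    """True if `version` is at or beyond the fixed release for its branch
    within `family`. Branches below 1.3 with no table entry are reported
    as not fixed, which matches the bulletin's advice to stop using them."""
    branch, update = parse_version(version)
    major, minor = (int(x) for x in branch.split(".")[:2])
    if (major, minor) >= (1, 3):
        return True  # fixed in Java 2 SDK 1.3 and later
    fixed_update = FIXED[family].get(branch)
    if fixed_update is None:
        return False
    return update >= fixed_update


def check_java_version_output(output, family="reference"):
    """Classify the text printed by `java -version`; returns (version, fixed).

    Assumed output shape (not taken from the bulletin): a first line
    'java version "1.2.2"' and, for the Classic VM, a build line such as
    'Classic VM (build JDK-1.2.2_005, ...)' carrying the update number.
    A HotSpot 1.0 or 1.0.1 VM line marks the install as affected regardless
    of the JDK version, per the bulletin; the 'HotSpot ... 1.0' pattern is
    an assumption about how that VM identifies itself."""
    m = re.search(r'java version "([^"]+)"', output)
    if not m:
        raise ValueError("no 'java version' line in output")
    version = m.group(1)
    build = re.search(r"build JDK-([0-9][0-9A-Za-z._]*)", output)
    if build and parse_version(version)[1] == 0:
        version = build.group(1)  # first line omitted the update number
    if re.search(r"HotSpot.*?\b1\.0(?:\.1)?\b", output):
        return version, False
    return version, is_fixed(version, family)


# Constructed sample outputs (not captured from real installations).
SAMPLES = [
    ('java version "1.2.2"\nClassic VM (build JDK-1.2.2_005, native threads, symcjit)', "reference"),
    ('java version "1.2.2"\nClassic VM (build JDK-1.2.2_006, native threads, symcjit)', "reference"),
    ('java version "1.1.8_10"', "solaris-production"),
    ('java version "1.1.8_10"', "reference"),
    ('java version "1.3.0"\nJava HotSpot(TM) Client VM (build 1.3.0-C, mixed mode)', "reference"),
]

if __name__ == "__main__":
    for output, family in SAMPLES:
        version, fixed = check_java_version_output(output, family)
        print("%-12s %-20s %s" % (version, family, "fixed" if fixed else "AFFECTED"))
```

The `family` argument has to be chosen from the package that was installed,
not guessed from the version string: the same "1.1.8_10" is reported fixed
under the reference numbering and affected under the Solaris production
numbering, which is exactly the case the two fixed-release lists above
leave open. Run it as `java -version 2>&1 | python3 check.py` after
replacing the SAMPLES loop with a read of standard input.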