COMMAND

    Java(TM) Runtime Environment

SYSTEMS AFFECTED

    - JDK/JRE 1.2.2_004 or earlier
    - JDK/JRE 1.2.1_003 or earlier
    - JDK/JRE 1.1.8_002 or earlier
    - JDK/JRE 1.1.7B_005 or earlier
    - JDK/JRE 1.1.6_007 or earlier
    - JDK/JRE 1.2.2_05 or earlier
    - JDK/JRE 1.2.1
    - JDK/JRE 1.1.8_10 or earlier
    - JDK/JRE 1.1.7B
    - JDK/JRE 1.1.6
    - JDK/JRE 1.2.2_005 or earlier

PROBLEM

    The following is based on Sun Microsystems Security Bulletin
    #00199.  Under certain circumstances, the Java(TM) Runtime
    Environment may allow an untrusted Java class to call into a
    disallowed class.  This is a potential security issue.

    This issue may or may not affect other vendors' Java
    implementations which are derived from Sun's Java Development Kit
    JDK(TM) source base.  Sun has notified and made the remedy
    available to its Java licensees.

    To the best of Sun's knowledge, Netscape Navigator and Microsoft
    Internet Explorer are not exposed to this vulnerability.

    Solaris Production releases JDK/JRE 1.2.1, 1.1.7B, and 1.1.6
    should no longer be used.  In addition, releases prior to JDK/JRE
    1.1.6 for Windows or Solaris should no longer be used.

    The HotSpot(TM) 1.0 and 1.0.1 virtual machines are affected by
    this vulnerability.  HotSpot 2.0 is not affected by this
    vulnerability.  HotSpot 1.0 and 1.0.1 virtual machines should no
    longer be used.  Users that cannot move to Java 2 Standard
    Edition SDK v 1.3 should revert to the Classic virtual machine in
    JDK/JRE 1.2.2_006 (Windows or Solaris reference).  Those users
    wishing to take advantage of the performance of HotSpot 2.0
    should migrate to Java 2 Standard Edition SDK v 1.3.0.

SOLUTION

    This vulnerability was fixed in Java 2 Standard Edition SDK v 1.3.
    The following update releases are available in relation to this
    issue.

        Windows Production and Solaris Reference Releases
        JDK/JRE 1.2.2_006    http://java.sun.com/products/jdk/1.2/
        JDK/JRE 1.2.1_004    http://java.sun.com/products/jdk/1.2.1/
        JDK/JRE 1.1.8_005    http://java.sun.com/products/jdk/1.1/
        JDK/JRE 1.1.7B_007   http://java.sun.com/products/jdk/1.1.7B/
        JDK/JRE 1.1.6_009    http://java.sun.com/products/jdk/1.1.6/

        Solaris Production Releases
        JDK/JRE 1.2.2_06     http://www.sun.com/software/solaris/java/download.html
        JDK/JRE 1.1.8_12     http://www.sun.com/software/solaris/java/archive.html

        Linux Production Release
        JDK/JRE 1.2.2_006    http://java.sun.com/products/jdk/1.2/download-linux.html

    For HP-UX:

        JDK and JRE 1.1.8.04 or higher for HP-UX 10.20 and 11.x.
        JDK and JRE 1.2.2.04* or higher for HP-UX 11.x
        JDK and JRE 1.3 (when available) for HP-UX 11.x.

    Version 1.2.2.04 is the minimum to resolve the issue addressed in
    this security bulletin.  However, JDK and JRE version 1.2.2.06 or
    later are preferred since they incorporate product quality
    enhancements.

    Also, upgrade to ContinentalClusters version A.02.00, and

        for HP-UX Release 11.00:                PHSS_22678,
        for HP-UX Release 11.11:                PHSS_22678.