Sun Java Virtual Machine Slash Path Security Model Circumvention Vulnerability

Vulnerability Details

Vulnerability Summary

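The loadClass method of the sun.applet.AppletClassLoader class in the Java Virtual Machine (JVM) in Sun SDK and JRE 1.4.1_03 and earlier contains a vulnerability. Remote attackers can bypass sandbox restrictions and execute arbitrary code by loading a class whose name contains "/" (slash) characters instead of "." (dot) characters. The vulnerability bypasses the call to the security manager's checkPackageAccess method.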
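The following added example (not Sun's AppletClassLoader source and not code from the advisories) models why a package check keyed on "." misses a class name written with "/", next to a gate that rejects non-canonical names first. The class name `PackageGateDemo`, its methods, the `RESTRICTED` list and the sample class names are hypothetical, and deriving the package from the last "." is an assumption about how such a check is typically written.

```java
import java.util.List;

// Added illustration: simplified model of a class-name package gate.
// Not Sun's code; all names below are hypothetical.
public class PackageGateDemo {
    // Constructed stand-in for packages a security manager would restrict.
    static final List<String> RESTRICTED = List.of("sun.");

    // Stand-in for the decision a checkPackageAccess call would make.
    static boolean packageDenied(String pkg) {
        String p = pkg + ".";
        return RESTRICTED.stream().anyMatch(p::startsWith);
    }

    // Weak gate (assumed shape): the package is derived from the last '.',
    // so a name using '/' separators appears to have no package and the
    // package check is never reached.
    static boolean weakGateAllows(String className) {
        int i = className.lastIndexOf('.');
        if (i == -1) {
            return true; // "no package" means no check is made
        }
        return !packageDenied(className.substring(0, i));
    }

    // Hardened gate: refuse non-canonical separators before deriving
    // the package, so every qualified name goes through the check.
    static boolean strictGateAllows(String className) {
        if (className.indexOf('/') != -1 || className.indexOf('\\') != -1) {
            return false;
        }
        int i = className.lastIndexOf('.');
        if (i == -1) {
            return true;
        }
        return !packageDenied(className.substring(0, i));
    }

    public static void main(String[] args) {
        // Constructed sample names: dotted, slash-separated, unrestricted.
        String[] names = {"sun.misc.Example", "sun/misc/Example", "com.example.Applet"};
        for (String n : names) {
            System.out.printf("%-20s weak=%-5b strict=%b%n",
                    n, weakGateAllows(n), strictGateAllows(n));
        }
    }
}
```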

Vulnerability Advisory

HP has released an advisory (HPSBUX0311-295) to address this issue. HP suggests the following manual updates:
Java 1.4.1.04 or later (T1456AA (JDK 1.4), T1457AA (JRE 1.4))
Java 1.3.1.11 or later (B9788AA (JDK 1.3), B9789AA (JRE 1.3))
Java 1.2.1.16 or later (B8110AA (JDK 1.2), B8111AA (JRE 1.2))
These updates may be obtained from www.hp.com/go/java. HP revised their advisory to include details about HP-UX 11.04 (VVOS). This issue affects HP-UX 11.04 (VVOS) with Virtualvault A.04.50 or Virtualvault A.04.60 or Virtualvault A.04.70 installed. These platforms are only affected if Java has been downloaded and integrated on Virtualvault. Further details may be found in the advisory.
This issue is addressed in the following SDK and JRE versions of Windows Production Releases, Solaris OE Production Releases and Linux Production Releases:
SDK and JRE 1.4.1_04 and later
SDK and JRE 1.3.1_09 and later
SDK and JRE 1.2.2_016 and later
Solaris Operating Environment (OE) Reference Releases SDK and JRE 1.2.2_016 and later also include fixes.
Fixes are available at the following location:
http://java.sun.com/j2se/
See referenced advisory for additional details.
HP has released an update to their original advisory stating that more HP-UX versions are affected than were originally reported. Please see the referenced advisory for more information.

References

Source: HP
Name: HPSBUX0311-295
Link: http://www.securityfocus.com/advisories/6028

Source: SUNALERT
Name: 200356
Link: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200356-1

Source: SUNALERT
Name: 57221
Link: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57221

Source: BUGTRAQ
Name: 20021023 [LSD] Security vulnerability in SUN’s Java Virtual Machine implementation
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=106692334503819&w=2

Source: lsd-pl.net
Link: http://lsd-pl.net/code/JVM/jre.tar.gz

Source: BID
Name: 8879
Link: http://www.securityfocus.com/bid/8879

Source: BUGTRAQ
Name: 20031027 Re: [LSD] Security vulnerability in SUN’s Java Virtual Machine implementation
Link: http://www.securityfocus.com/archive/1/342583

Source: BUGTRAQ
Name: 20031027 Re: [LSD] Security vulnerability in SUN’s Java Virtual Machine implementation
Link: http://www.securityfocus.com/archive/1/342580
