JPCERT-AT-2007-0011
JPCERT/CC
May 8, 2007 (Original release date)
May 9, 2007 (Last revised)

<<< JPCERT/CC Alert 2007-05-08 >>>

Vulnerability in Java Web Start

http://www.jpcert.or.jp/at/2007/at070011.txt

I. Overview

Java Web Start from Sun Microsystems contains a vulnerability that
allows escalation of privileges. Exploitation of this vulnerability
could allow a remote attacker to execute unauthorized system classes
using a specially crafted Java Web Start application.

Java Web Start is a tool used for deploying Java applications through
a web browser, and is included in a Java execution environment such as
the Java Runtime Environment (JRE).

II. Systems Affected

The following products and versions are affected:

- SDK 1.4.2 Update 13 and earlier
- JDK 5 Update 10 and earlier
- JRE 1.4.2 Update 13 and earlier
- JRE 5 Update 10 and earlier

To check the version of your product, run the following command. If
you use Windows, run the command from the command prompt.

  % java -fullversion

For more information, refer to the vendor's website.

III. Solution

To fix this problem, update to a fixed version of the software
provided by Sun Microsystems. For more information, see the following
website:

  Sun Alert #102881
  Security Vulnerability With Java Web Start Related to Incorrect Use
  of System Classes
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-102881-1

When the JRE is installed on Windows, you can easily update the
software by using Java Update.

  Java.com
  What is Java Update?
  http://www.java.com/ja/download/help/5000020700.xml

IV. Reference Information

  Japan Vulnerability Notes JVN#44724673
  Security Vulnerability with Java Web Start Related to Incorrect Use
  of System Classes
  http://jvn.jp/jp/JVN%2344724673/index.html

  IT Security Center, Information-technology Promotion Agency, Japan (IPA)
  JVN#44724673
  Vulnerability in Java Web Start may allow execution of unauthorized
  system classes
  http://www.ipa.go.jp/security/vuln/documents/2007/JVN_44724673.html

If you have any information regarding this matter, please contact us.

__________
Revision History

May 8, 2007  Initial release
May 9, 2007  Corrected the titles of Reference Information URLs

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600  FAX: 03-3518-4602
http://www.jpcert.or.jp/
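
Added example, not part of the JPCERT/CC advisory: a shell function that compares the output of the java -fullversion command from section II with the affected updates listed there. It assumes version strings of the form java full version "1.5.0_10-b03" and that JDK/JRE 5 reports itself as 1.5.0; the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Classify `java -fullversion` output against section II of the advisory:
#   1.4.2 Update 13 and earlier, 5 (1.5.0) Update 10 and earlier -> affected.
# Assumed input format:  java full version "1.5.0_10-b03"

# classify_java_version "<output line>"
# prints: affected | newer | not-listed | unparsed
classify_java_version() {
    # Extract the quoted version token, e.g. 1.5.0_10-b03
    ver=$(printf '%s\n' "$1" | sed -n 's/.*"\([0-9][^"]*\)".*/\1/p')
    [ -n "$ver" ] || { echo unparsed; return; }

    base=${ver%%[_-]*}                      # release family, e.g. 1.5.0
    case $ver in
        *_*) upd=${ver#*_}                  # text after "_"
             upd=${upd%%[!0-9]*} ;;         # keep leading digits only
        *)   upd=0 ;;                       # no "_NN": base release
    esac
    [ -n "$upd" ] || { echo unparsed; return; }
    # Drop leading zeros ("08" -> "8") so the comparison is plain decimal
    upd=$(printf '%s' "$upd" | sed 's/^0*\([0-9]\)/\1/')

    # Last affected update per family, taken from the advisory's list
    case $base in
        1.4.2) max=13 ;;
        1.5.0) max=10 ;;
        *) echo not-listed; return ;;       # family not named in the advisory
    esac

    if [ "$upd" -le "$max" ]; then
        echo affected
    else
        echo newer                          # later than the last affected update
    fi
}

# Constructed sample lines (build suffixes are made up). On a real host use:
#   classify_java_version "$(java -fullversion 2>&1)"
for line in 'java full version "1.4.2_13-b06"' \
            'java full version "1.5.0_11-b03"'; do
    printf '%s -> %s\n' "$line" "$(classify_java_version "$line")"
done
```

A result of not-listed means the release family is not one the advisory enumerates, so the vendor's alert should be consulted for that version.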