Vulnerability Note VU#393292

Sun Java Runtime Environment allows untrusted applets to access information within trusted applets

Overview

The Sun Java Runtime Environment (JRE) contains a vulnerability that may lead to sensitive information being leaked.

I. Description

Sun Microsystems describes the Sun JRE as follows:

The Java RE provides the libraries, Java virtual machine, and other components necessary for you to run applets and applications written in the Java programming language. It does not contain tools and utilities such as compilers or debuggers for developing applets and applications.

Sun Alert 55100 indicates that a vulnerability in the Sun JRE "may allow an untrusted applet to access information from a trusted applet. This is not allowed by the Java security model. The trusted applet must contain code that exploits this vulnerability."

II. Impact

An attacker may be able to gain access to sensitive information.

III. Solution

Upgrade to the latest versions of Sun SDK and JRE, which are available from http://java.sun.com/j2se/.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Sun Microsystems Inc.	Vulnerable	10-Jun-2003

References

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F55100&zone_32=category%3Asecurity
http://java.sun.com/j2se/1.4.1/docs/guide/platform/sdk-jre.html
http://securitytracker.com/alerts/2003/Jun/1006935.html
http://www.iss.net/security_center/static/12189.php
http://www.secunia.com/advisories/8958/
http://java.sun.com/security/
http://java.sun.com/j2se/

Credit

This vulnerability was discovered by RecipeXperience.

This document was written by Ian A Finlay.

Other Information

Date Public:	2003-06-04
Date First Published:	2003-06-10
Date Last Updated:	2003-06-10
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Severity Metric:	5.62
Document Revision:	14

If you have feedback, comments, or additional information about this vulnerability, please send us email.