Summary
This host is installed with Sun Java SE and is prone to multiple vulnerabilities.
Impact
Successful exploitation allows remote attacker to execute arbitrary code, gain escalated privileges, bypass security restrictions and cause denial of service attacks inside the context of the affected system.
Impact Level: System/Application.
Solution
Upgrade to JRE version 6 Update 17 or later.
http://java.sun.com/javase/downloads/index.jsp
OR
Upgrade to JRE version 5 Update 22
http://java.sun.com/javase/downloads/index_jdk5.jsp
Insight
Multiple flaws occur due to:
- Directory traversal vulnerabilty in 'ICC_Profile.getInstance' method.
- Unspecified error in TrueType font parsing functionality.
- When a non-English version of Windows is used, the Java Update functionality does not retrieve available new JRE versions.
- Failure to clone arrays that are returned by the 'getConfigurations()' function in X11 and Win32GraphicsDevice.
- The Abstract Window Toolkit (AWT) does not properly restrict the objects that may be sent to loggers.
- Information leak occurs as the application does not prevent the existence of children of a resurrected ClassLoader.
- Multiple unspecified errors in the Swing implementation.
- The 'TimeZone.getTimeZone' method allows users to probe for the existence of local files via vectors related to handling of zoneinfo.
- Error during parsing of BMP files containing UNC ICC links.
Affected
Sun Java SE 6 prior to 6 Update 17
Sun Java SE 5 prior to 5 Update 22 on Windows.
References
Severity
Classification
-
CVE CVE-2009-3728, CVE-2009-3729, CVE-2009-3864, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3885 -
CVSS Base Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P
Related Vulnerabilities