VID: 28102
Severity: 40
Port: 139,445
Protocol: TCP
Class: SMB
Detailed Description: The version of the Sun Java JRE installed on the host is older than 1.4.2_06 or 1.3.1_13.
The Java Plug-in is part of the Java 2 Runtime Environment (JRE) and provides the framework for displaying Java applets within a web browser. Sun Microsystems Java Runtime Environment (JRE) and Software Development Kit (SDK) versions prior to 1.4.2_06 or 1.3.1_13 support dynamic and static versioning when loading applets in the Java plug-in: the applet invocation itself can request that a particular version of the plug-in be used to run the applet. An attacker could abuse this feature to force an older, still-installed version of the plug-in that is known to contain security vulnerabilities to be loaded in place of the current one.

* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If this condition is not met, the check is not performed, which produces a false negative for every vulnerable host.
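The check described above compares the installed JRE/SDK version against the two fixed releases named in this entry (1.3.1_13 on the 1.3 branch, 1.4.2_06 on the 1.4 branch). The following Python is an added example, not the scanner's own code, showing that comparison done branch-aware on Java's `major.minor.micro_update` version strings, and applied to every installed version rather than only the current one, since the recommendation section notes that older side-by-side installs remain loadable. The registry subkey names in `SAMPLE_SUBKEYS` are constructed sample data; the assumption that they come from `HKLM\SOFTWARE\JavaSoft\Java Runtime Environment` is the example's, not the page's.

```python
import re

# First fixed release per branch, as stated in this entry:
# (major, minor) -> (micro, update) of the earliest non-vulnerable version.
FIXED = {
    (1, 3): (1, 13),   # 1.3.1_13
    (1, 4): (2, 6),    # 1.4.2_06
}

# Full version strings only ("1.4.2_05", "1.4.0"); "family" keys such as
# "1.4" that installers also create are deliberately rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")


def parse_java_version(text):
    """Parse '1.4.2_05' into (1, 4, 2, 5); a missing update number is 0.
    Raises ValueError for anything that is not a full version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_vulnerable(text):
    """True if the version is affected per this entry, False if it is at or
    past the fixed release, None if the branch is not covered (e.g. 1.5)."""
    major, minor, micro, update = parse_java_version(text)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None
    # Tuple comparison orders by micro first, then by update number.
    return (micro, update) < fixed


def audit_installed(subkeys):
    """Given every version subkey found under the JRE registry key (not just
    CurrentVersion), return the vulnerable versions sorted oldest first."""
    findings = []
    for name in subkeys:
        try:
            status = is_vulnerable(name)
        except ValueError:
            continue   # skip family keys like "1.4" and non-version subkeys
        if status:
            findings.append(name)
    return sorted(findings, key=parse_java_version)


# Constructed sample: subkey names as a registry-based check might read them.
# Assumption (not from the page): layout of HKLM\SOFTWARE\JavaSoft\Java Runtime Environment.
SAMPLE_SUBKEYS = ["1.4", "1.4.2_06", "1.4.1", "1.3.1_12", "1.5.0_01"]

if __name__ == "__main__":
    for v in ["1.3.1_12", "1.3.1_13", "1.4.0", "1.4.2_05", "1.4.2_06", "1.5.0_01"]:
        print(f"{v:10s} vulnerable={is_vulnerable(v)}")
    print("vulnerable installs:", audit_installed(SAMPLE_SUBKEYS))
```

Note that the sample host has a fixed 1.4.2_06 as its newest install and would pass a check that reads only `CurrentVersion`; enumerating all subkeys still reports 1.3.1_12 and 1.4.1, which is exactly the situation the uninstall recommendation below addresses.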

* References:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1
http://www.kb.cert.org/vuls/id/760344
http://archives.neohapsis.com/archives/bugtraq/2004-11/0370.html
http://www.ciac.org/ciac/bulletins/p-040.shtml

* Platforms Affected:
Sun Microsystems, Sun JRE 1.3.1_12 and earlier
Sun Microsystems, Sun JRE 1.4.0
Sun Microsystems, Sun JRE 1.4.1
Sun Microsystems, Sun JRE 1.4.2_05 and earlier
Sun Microsystems, Sun SDK 1.3.1_12 and earlier
Sun Microsystems, Sun SDK 1.4.0
Sun Microsystems, Sun SDK 1.4.1
Sun Microsystems, Sun SDK 1.4.2_05 and earlier
Sun Microsystems, Solaris 7, 8, 9
Microsoft Windows Any version
Unix Any version
Linux Any version
Recommendation: Upgrade to the latest version of Sun JRE/SDK (1.4.2_06 or 1.3.1_13 or later), available from the Sun Microsystems, Inc. Web site at http://java.sun.com/j2se/1.4.2/download.html

For Gentoo Linux:
Upgrade to the latest version of Java, as listed in Gentoo Linux Security Advisory GLSA 200411-38 at http://www.gentoo.org/security/en/glsa/glsa-200411-38.xml

For Conectiva Linux:
Upgrade to the latest sun-jre package, as listed in Conectiva Linux Security Announcement CLSA-2004:900 at http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000900

For other distributions:
Contact your vendor for upgrade or patch information.

-- AND --

When upgrading a Java installation on a computer, all previous versions should be uninstalled so that they cannot be selected to run a malicious applet that exploits latent vulnerabilities in those older versions.

It is also possible to work around this issue by disabling Java support in the Web browser and in any other application that provides an environment for executing Java applets.
Related URL: CVE-2004-1029 (CVE)
Related URL: 11757 (SecurityFocus)
Related URL: 18188 (ISS)