| VID |
28247 |
| Severity |
40 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
A version of Sun Java Runtime Environment which is older than JRE 1.6.0_17, 1.5.0_22 has been installed on the host. Or A version of Sun Java Runtime Environment which is older than SDK 1.4.2_24, 1.3.1_27 has been installed on the host. They are vulnerable to multiple vulnerabilities.
- The Java update mechanism on non-English versions does not update the JRE when a new version is available. (269868)
- A command execution vulnerability exists in the Java runtime environment deployment toolkit. (269869)
- An issue in the Java web start installer may be leveraged to allow an untrusted Java web start application to run as a trusted application. (269870)
- Multiple buffer and integer overflow vulnerabilities.(270474)
- A security vulnerability in the JRE with verifying HMAC digests may allow authentication to be bypassed. (270475)
- Two vulnerabilities in the JRE with decoding DER encoded data and parsing HTTP headers may separately allow a remote client to cause the JRE on the server to run out of memory, resulting in a denial of service. (270476)
* Note: This check requires an account with administrative privileges which can log into the host to scan. Absence of this condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269868-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269869-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-269870-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270475-1
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270476-1
* Platforms Affected:
Sun JRE versions 1.6.0_xx/1.5.0_xx prior to 1.6.0_17, 1.5.0_22
Sun SDK versions 1.4.2_xx/1.3.1_xx prior to 1.4.2_24, 1.3.1_27
Microsoft Windows Any version
Linux Any version |
| Recommendation |
Update to Sun Java JDK / JRE 6 Update 17, JDK / JRE 5.0 Update 22, SDK / JRE 1.4.2_24, or SDK / JRE 1.3.1_27 available from the Sun Download Web page at http://www.sun.com/ or later and remove if necessary any affected versions. |
| Related URL |
CVE-2009-3864~3869,CVE-2009-3871~3877 (CVE) |
| Related URL |
36881 (SecurityFocus) |
| Related URL |
(ISS) |
|
