
IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability In Sun JRE XSLT Transformations

March 11, 2008

Information-technology Promotion Agency, Japan (IPA, Chairman Buheita Fujiwara) has issued the Security Alert for Vulnerability in Sun JRE (Java Runtime Environment) XSLT Transformations on March 11, 2008.
This vulnerability allows an attacker to execute unauthorized operations through privilege escalation in the processing of XSLT transformations when a user views a web page embedded with a malicious Java applet.
When exploited, an attacker could view local files, execute arbitrary code or shut down the user’s web browser.
To fix the problem, update to the fixed version provided by the product vendor.

1.Overview

Sun Microsystems’ JRE (Java Runtime Environment) is a runtime environment for running Java programs. It enables, for example, Java applets to run in the web browser. JRE has a vulnerability that, when exploited, allows an attacker to execute unauthorized operations through privilege escalation in the processing of XSLT transformations when a user views a web page embedded with a malicious Java applet.

For affected systems and the latest information on the vulnerability, please refer to:
http://jvndb.jvn.jp/contents/en/2008/JVNDB-2008-000016.html

The following creditee reported this vulnerability to IPA on October 18, 2006. JPCERT Coordination Center (JPCERT/CC) coordinated with the product vendors and published the vulnerability on March 11, 2008, under the Information Security Early Warning Partnership.
Credit: Hisashi Kojima of Fujitsu Labs. Ltd.

2.Impact

An attacker could view local files, execute arbitrary code or terminate a user’s web browser when the user runs a Java applet embedded in a malicious web page.


3.Solution

To fix the problem, update to the fixed version provided by the product vendor.

For more information, please refer to the ‘Vendor Status’ section of JVN Vulnerability Information.

To be more specific, visit the Sun Microsystems web page below, check if the system in use is affected by this vulnerability through the steps described in ‘2. Contributing Factors’ and update to the fixed version (JRE Update) using information provided in ‘5. Resolution’.

Note that updating a JRE to a different version may affect the behavior of some Java applications. Make sure to check the operational environment for each application before updating.

4.CVSS Severity

(1) Evaluation Result

Severity Rating (CVSS base score):
□ Low (0.0~3.9)   ■ Medium (4.0~6.9)   □ High (7.0~10.0)
CVSS base score: 6.8

(2) Base Score Metrics

AV: Access Vector          □ Local     □ Adjacent Network   ■ Network
AC: Access Complexity      □ High      ■ Medium             □ Low
Au: Authentication         □ Multiple  □ Single             ■ None
C: Confidentiality Impact  □ None      ■ Partial            □ Complete
I: Integrity Impact        □ None      ■ Partial            □ Complete
A: Availability Impact     □ None      ■ Partial            □ Complete

■: Selected Values

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: