IPA/ISEC:Vulnerabilities:Security Alert for Multiple Vulnerabilities in Java Web Start

Published: Jun 10, 2011

Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) has issued a security alert concerning 3 security vulnerabilities in Java Web Start on June 10, 2011. To fix these vulnerabilities, update the software to the latest version following the instructions provided by the product vendor.

1.Overview

Java Web Start is software included in Java execution environments such as JRE (Java Runtime Environment) provided by Oracle.

Java Web Start has security vulnerabilities in 3 processes (loading policy files, configuration files and DLLs). If exploited, the vulnerabilities could allow an attacker to execute arbitrary code on a computer on which Java Web Start is installed.

For the latest information, refer to the following URLs:
http://jvndb.jvn.jp/jvndb/JVNDB-2011-000033
http://jvndb.jvn.jp/jvndb/JVNDB-2011-000034
http://jvndb.jvn.jp/jvndb/JVNDB-2011-000035

The tool below lets you check whether the software installed on a computer, including JRE (Java Runtime Environment), is up to date. Try it and check now.

MyJVN Version Checker
http://jvndb.jvn.jp/apis/myjvn/#VCCHECK (Japanese)

Note: The tool supports the latest JRE version, in which the 3 vulnerabilities are fixed.

In line with the Information Security Early Warning Partnership, the IPA received a report concerning these vulnerabilities from the reporter credited below, and the JPCERT Coordination Center (JPCERT/CC) coordinated with the product developer and made the matter public on June 10, 2011.

Credit: Hisashi Kojima, Fujitsu Laboratories Ltd.
(Reported: September 10, 2010)

2.Impact

An attacker could execute programs unintended by the user, delete files and install malicious tools such as viruses and bots when the user is lured into executing a Java Web Start application stored in a public folder, such as one on a file server.

3.Solution

To fix these vulnerabilities, update the software to the latest version following the instructions provided by the product vendor.

4.CVSS Severity

(1) Evaluation Result

Severity Rating (CVSS base score): □ Low (0.0~3.9) ■ Medium (4.0~6.9) □ High (7.0~10.0)
CVSS base score: 6.8

(2) Base Score Metrics

AV:Access Vector □ Local □ Adjacent Network ■ Network
AC:Access Complexity □ High ■ Medium □ Low
Au:Authentication □ Multiple □ Single ■ None
C:Confidentiality Impact □ None ■ Partial □ Complete
I:Integrity Impact □ None ■ Partial □ Complete
A:Availability Impact □ None ■ Partial □ Complete

■:Selected Values

5.CWE Type

This vulnerability has been classified under CWE as "No Mapping (CWE-Other)".

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: