Information Security News mailing list archives

Security hole in Java may expose servers


From: InfoSec News <isn () C4I ORG>
Date: Thu, 22 Feb 2001 16:52:35 -0600

http://news.cnet.com/news/0-1003-201-4917560-0.html?tag=mn_hd

By Robert Lemos
Special to CNET News.com
February 22, 2001, 10:45 a.m. PT

Sun Microsystems has revealed a security hole in several versions of a
critical component of Java that could allow an attacker to run harmful
programs on a victim's computer.

The vulnerability appears in versions of the Java Runtime Environment
that Sun has released for servers running Windows, Linux and Sun's
Solaris operating systems. However, the company asserts that the flaw
doesn't affect the Java components included in Microsoft's Internet
Explorer and Netscape's Navigator browsers.

Sun posted the bulletin to Bugtraq late Wednesday. Sun could not
immediately be reached for comment.

The advisory stressed that the flaw most likely affects only a few of
the servers running Java. "The circumstances necessary to exploit this
vulnerability are relatively rare," the company said in the bulletin.

Specifically, an administrator must already have granted the Java
program permission to execute at least one other command; permission
to run commands is not granted by default.
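As an added illustration (not from the article, from Sun's bulletin, or from the JRE itself), the following shows what "giving Java permission to execute a command" looks like under the Java 2 security model, and how a program can check whether the installed policy allows a given command before calling Runtime.exec(). The policy file name, the codebase and the command path are assumptions chosen for the example.

```java
// Added example, not code from the article or from Sun. It illustrates the
// precondition the bulletin describes: Runtime.exec() is only permitted when a
// policy explicitly grants java.io.FilePermission with the "execute" action.
//
// exec.policy (assumed file name and codebase; not from the article):
//   grant codeBase "file:/opt/app/-" {
//       permission java.io.FilePermission "/usr/bin/id", "execute";
//   };
//
// Run with a security manager so that the grant is actually enforced:
//   java -Djava.security.manager -Djava.security.policy=exec.policy ExecCheck /usr/bin/id
import java.io.IOException;

public class ExecCheck {

    /** Returns true if the current security policy lets this code run `cmd`. */
    static boolean mayExecute(String cmd) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            // No security manager installed: every Runtime.exec() call is allowed,
            // which is the situation for a plain "java MyClass" invocation.
            return true;
        }
        try {
            // checkExec() throws SecurityException unless the policy grants
            // FilePermission(cmd, "execute") to the calling code's protection domain.
            sm.checkExec(cmd);
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException, InterruptedException {
        String cmd = args.length > 0 ? args[0] : "/usr/bin/id";   // assumed default command
        boolean allowed = mayExecute(cmd);
        System.out.println(cmd + " executable under current policy: " + allowed);
        if (allowed) {
            Process p = Runtime.getRuntime().exec(cmd);
            System.out.println("exit status: " + p.waitFor());
        }
    }
}
```

Running the class with the policy above and a command other than /usr/bin/id (for example /bin/sh) reports false, which is the default state the article refers to. The security manager that enforces these grants was deprecated in JDK 17 and removed in JDK 24, so this check only works on JDKs that still ship it.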

In a separate advisory, Hewlett-Packard warned customers as early as
last week that several of its servers, including the HP9000, 700/800,
and e3000, may have the vulnerable code and recommended that people
upgrade their Java components.

Sun did not know whether the security flaw affected other companies'
Java technology but has notified its licensees of the possibility, Sun
said.

The problem affects various releases of versions 1.1 and 1.2 of the
Java Runtime Environment. The company asks people to upgrade their
Java software to version 1.2.2_006 or higher.

Sun's newest release of the Java 2 platform does not have the security
hole, the company said. (The Java 2 branding also covers the 1.2.x
line, so the recommended 1.2.2_006 build is itself a Java 2 release;
the affected builds are the earlier 1.1 and 1.2 releases noted above.)

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".