Java Reflection API privilege escalation vulnerability
 Technote (troubleshooting)
 
Problem(Abstract)
Three security vulnerabilities with the use of "reflection" APIs in the Java™ Runtime Environment (JRE) may (independently) allow an untrusted applet to elevate its privileges.
 
Resolving the problem
The first issue is due to three errors related to the use of "reflection" APIs in the JRE, which could be exploited by attackers to read and write local files or execute local applications by convincing a user to visit a specially crafted Web page.

The second vulnerability is due to an error in Java Management Extensions (JMX) when handling specially crafted applets, which could be exploited by attackers to read and write local files or execute local applications with the privileges of the user running the untrusted applet.

The third is due to an unspecified error when handling specially crafted applets, which could be exploited by attackers to read and write local files or execute local applications with the privileges of the user running the untrusted applet.

All of these vulnerabilities apply only to applet containers that execute malicious code downloaded from server applications. These vulnerabilities do not apply to most applications running in WebSphere® Application Server, because the Application Server is trusted code.

To eliminate these vulnerabilities, please ensure you are up to date with the following:

  • AIX®, Windows® and Linux® platforms:
    IBM® SDK 1.4.2 Service Release 3 (SR3) and later
    IBM SDK 1.3.1 Service Release 9 (SR9) and later
  • Solaris platforms:
    Java 2 SDK, Standard Edition 1.4.2_09 and later
    Java 2 SDK, Standard Edition 1.3.1_16 and later
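As an added example (not part of the original technote), the following script turns the Solaris minimum levels listed above into an inventory check: it parses a Sun-style version string such as `1.4.2_08` (or the first line of `java -version` output) and reports whether the installed update level meets the fixed level for its release line. The fixed levels are the two quoted in this technote; the sample inputs are constructed. IBM SDK service release numbers (SR3, SR9) are not expressed in this version format and are not handled here.

```python
import re

# Minimum fixed update level per release line, from the technote
# (Solaris platforms): 1.4.2_09 and later, 1.3.1_16 and later.
MINIMUM_FIXED = {
    (1, 4, 2): 9,
    (1, 3, 1): 16,
}

# Matches major.minor.micro with an optional _update suffix, e.g. 1.4.2_09.
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text):
    """Extract ((major, minor, micro), update) from a version string or from
    a line like 'java version "1.4.2_08"'. A missing update level is treated
    as update 0, i.e. the unpatched base release. Returns None if no version
    number is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro)), int(update or 0)


def assess(text):
    """Classify an installed JRE against this technote's fixed levels.

    Returns 'fixed', 'vulnerable', or 'unknown' (no version found, or a
    release line the technote does not list, which must be checked
    separately rather than assumed safe)."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    line, update = parsed
    if line not in MINIMUM_FIXED:
        return "unknown"
    return "fixed" if update >= MINIMUM_FIXED[line] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory lines, as might be collected from
    # `java -version` on several hosts (hostnames are placeholders).
    inventory = {
        "host-a": 'java version "1.4.2_08"',
        "host-b": 'java version "1.4.2_09"',
        "host-c": 'java version "1.3.1_15"',
        "host-d": 'java version "1.3.1_16"',
        "host-e": 'java version "1.4.2"',
    }
    for host, line in inventory.items():
        print(f"{host}: {line!r} -> {assess(line)}")
```

Hosts reported as `vulnerable` should be moved to the listed service release or update level; `unknown` results need a manual check, since a release line absent from this technote is not thereby confirmed as unaffected.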
 
Related information
US-CERT Vulnerability Note VU#974188
Sun Alert ID: 102003 Security Vulnerabilities
 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Platform:
Version:
Edition:

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Java SDK
Operating system(s): Windows
Software version: 6.0
Software edition:
Reference #: 1225628
IBM Group: Software Group
Modified date: Dec 13, 2006