
Java(tm) Runtime Environment - Proxy and JVM Potential Security Vuln.

by Nikola Strahija on May 15th, 2002 When using Microsoft Internet Explorer or Netscape Navigator to browse to Compaq products incorporating affected versions of the Java Runtime Environment, users may become vulnerable to attack from untrusted applets. These applets may be able to increase their privileges on the user system and potentially gain unauthorized access to system resources. This potential problem would exist on either side of a corporate firewall.


Sun Microsystems published two security bulletins regarding
potential vulnerabilities in Java(tm).

o The first is a security bulletin (#00216) regarding a
potential runtime environmental redirection issue that
may allow an untrusted applet to monitor requests to
and responses from an HTTP proxy server when a persistent
connection is used between a client and an HTTP proxy server.
NOTE: Only systems that have a HTTP proxy configured would be
vulnerable to this potential exploit.

o The second is a security bulletin (#00218) regarding a
potential vulnerability to attack of the Java Runtime
Environment Bytecode Verifier. The security advisory
states, "A vulnerability in the Java(TM) Runtime
Environment Bytecode Verifier may be exploited by an
untrusted applet to escalate privileges."

__________________
VERSIONS IMPACTED:

Compaq Management Software
Compaq Insight Manager 7, Compaq Insight Manager XE, the
Compaq Management Agents and the Remote Insight Lights-Out
Edition Card leverage Java technology to deliver portions of their
functionality. The Java software causing this problem is delivered
as part of the Java Runtime Environment used to enable access to
these management products and as part of the server-side software
embedded in Compaq Insight Manager XE and Compaq Insight
Manager 7.

o Compaq Insight Manager XE
Compaq Insight Manager XE uses the Microsoft Java Runtime
Environment integrated into Microsoft Internet Explorer.

o Compaq Insight Manager 7
Compaq Insight Manager 7 uses the Sun Java Runtime Environment
version 1.3.1 in place of the Microsoft Java Runtime
Environment.

o Compaq Management Agents
See resolution Section

o Remote Insight Lights-Out Edition
See resolution Section


Compaq Tru64 UNIX
V4.0f SDK and JRE 1.1.7B-2
V4.0g SDK and JRE 1.1.7B-2
V5.0a SDK and JRE 1.1.7B-6
V5.1 SDK and JRE 1.1.8-6 (default) and 1.2.2-6

Compaq Nonstop Himalaya
No applets run on the Compaq NonStop Himalaya operating systems.
This is not a vulnerability on these systems.

Compaq OpenVMS
V7.2 SDK and JRE 1.1.6-2
V7.2-1 SDK and JRE 1.1.6-2
V7.2-1h1 SDK and JRE 1.1.6-2
V7.2-1h2 SDK and JRE 1.1.6-2
V7.2-2 SDK and JRE 1.1.6-2
V7.3 SDK and JRE 1.1.8-5 (includes fix)
*Please note that this is an issue for the Alpha
architecture only. OpenVMS on VAX does not support Java.

___________
RESOLUTION:

The following table outlines the suggested resolutions to the
vulnerabilities described above. Suggested remedies differ on a
product-by-product basis, depending on the developer of the Java
Runtime Environment and on any dependencies that require the
server and client side components to be kept in sync.

Compaq Insight Manager XE
Compaq Insight Manager XE uses the Microsoft Java Runtime
Environment integrated into Microsoft Internet Explorer.
Compaq recommends that Compaq Insight Manager XE users
upgrade to Compaq Insight Manager 7 SP1 that will be
available for download in the first half of May at
http://www.compaq.com/manage. Compaq Insight Manager 7 SP1
leverages version 1.3.1_02 of the Sun Java Runtime Environment
that addresses the vulnerability described above. Prior to the
release of Compaq Insight Manager 7 SP1, Compaq recommends that
users exercise care when browsing to sites outside of the
internal network using a browser with a vulnerable version of
the Microsoft Java Runtime Environment. While it is possible
to update the browser to the version of the Java Runtime
Environment recommended by Microsoft, this version has not been
tested with Compaq Insight Manager XE and Compaq cannot
guarantee that Insight Manager XE will function properly.

Compaq Insight Manager 7
Compaq Insight Manager 7 uses the Sun Java Runtime Environment
version 1.3.1 in place of the Microsoft Java Runtime Environment.
Compaq is in the process of incorporating version 1.3.1_02 of the
runtime environment, which fixes the aforementioned vulnerability,
into Compaq Insight Manager 7 Service Pack 1. Compaq Insight
Manager 7 SP1 will be available at the beginning of May. Users
may not use version 1.3.1_02 of the plug-in with the current
version of Compaq Insight Manager 7 as newer versions of the Sun
Java Runtime Environment are not backwards compatible and the
Insight Manager 7 may not function properly if client
and server side runtime environments are not of the same version.
Compaq recommends that current Compaq Insight Manager 7 users
close Microsoft Internet Explorer prior to browsing to
untrusted sites outside of the corporate firewall. This will
ensure that the Java plug-in is closed prior to browsing to
sites on the public Internet. With Compaq Insight Manager 7 SP1,
the requirement to close the browser prior to visiting public
sites will be removed.

Compaq Management Agents
Update to the version of the Java Runtime Environment that
Microsoft recommends. This information may be found at
http://www.microsoft.com/java/vm/dl_vm40.htm

Remote Insight Lights-Out Edition / Integrated Lights-Out
on ProLiant DL360 G2
Update to the Java(tm) 2 Runtime Environment, Standard Edition,
version 1.3.1_02. To download this software simply click on
the hyperlink http://java.sun.com/j2se/1.3/

Compaq TRU64 UNIX
Tru64 UNIX - Java 1.1.7B-10
Tru64 UNIX - Java 1.1.8-13 (includes fix)
Tru64 UNIX - Java 1.2.2-12
Tru64 UNIX - Java 1.3.0-1
Tru64 UNIX - Java 1.3.1-2 (includes fix)
It is critical that the information posted at
http://www.compaq.com/java/alpha be reviewed before updating Java.
Tru64 UNIX 5.0 and higher include some Java-based tools that
depend on the Java environment version that ships with the
operating system and is installed in /usr/bin. If you change
the default system Java environment version, some operating
system tools, such as the SysMan Station, the SysMan Station
authentication daemon, and the Logical Storage Manager (LSM)
Storage Administrator, will not work correctly.

Compaq OpenVMS
The following table shows Java versions that are available at
http://www.compaq.com/java/alpha and indicates whether the version
includes the fix:
Compaq OpenVMS - Java 1.1.8-5 (includes fix)
Compaq OpenVMS - Java 1.2.2-3
Compaq OpenVMS - Java 1.3.0-2 (includes fix)
Compaq OpenVMS - Java 1.3.1-2 (includes fix)
It is critical that the information posted at
http://www.compaq.com/java/alpha be reviewed before updating Java.
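The VERSIONS IMPACTED and RESOLUTION tables above mix fixed and unfixed builds of the same version train (on Tru64 UNIX, 1.1.8-13 includes the fix but 1.2.2-12 does not; on OpenVMS, 1.1.8-5 includes it but 1.1.6-2 does not). The script below is an added example, not part of the Compaq advisory: it transcribes the "(includes fix)" entries into a lookup table and checks a Java version string, as reported by `java -version`, against it. Two things are assumptions of this example rather than statements from the advisory: that a later build of a fixed train (for instance Tru64 1.3.1-3) retains the fix, and that the first line of `java -version` output has the form `java version "1.3.1-2"`. The host names and outputs are constructed sample data.

```python
"""Check Java version strings against the fixed builds listed in the
Compaq advisory for Sun security bulletins #00216 and #00218.

Added example, not Compaq's code. FIXED_BUILDS is transcribed from the
RESOLUTION section; treating a later build of the same train as still
fixed is an assumption of this example.
"""
import re

# Minimum build per version train that the advisory marks "(includes fix)".
# A train absent from a platform's table (e.g. Tru64 1.2.2-12, OpenVMS
# 1.1.6-2) is listed without the fix, so it resolves to "not fixed".
FIXED_BUILDS = {
    "tru64": {"1.1.8": 13, "1.3.1": 2},
    "openvms": {"1.1.8": 5, "1.3.0": 2, "1.3.1": 2},
    # Sun JRE used by Insight Manager 7 SP1 and the Lights-Out boards: 1.3.1_02
    "sun": {"1.3.1": 2},
}

# Accepts "1.3.1_02", "1.1.7B-10", "1.1.8-5" and a bare "1.3.1".
_VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+[A-Za-z]?)(?:[-_](\d+))?$")

# Layout of the first `java -version` line is an assumption of this example.
_JAVA_VERSION_LINE = re.compile(r'java version "([^"]+)"')


def parse_version(version):
    """Split a version string into (train, build); a missing build counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {version!r}")
    train, build = m.group(1), m.group(2)
    return train, (int(build) if build is not None else 0)


def includes_fix(platform, version):
    """True if the JRE is at or above the first fixed build of its train."""
    table = FIXED_BUILDS[platform.lower()]
    train, build = parse_version(version)
    fixed_build = table.get(train)
    if fixed_build is None:
        return False  # train never received the fix per the advisory
    return build >= fixed_build


def version_from_output(output):
    """Pull the quoted version out of `java -version` output."""
    m = _JAVA_VERSION_LINE.search(output)
    if not m:
        raise ValueError("no 'java version' line found in output")
    return m.group(1)


def audit(platform, hosts):
    """hosts maps hostname -> `java -version` output.

    Returns the sorted list of hosts whose JRE still lacks the fix."""
    return sorted(
        host for host, out in hosts.items()
        if not includes_fix(platform, version_from_output(out))
    )


# Constructed sample inventory for a Tru64 UNIX estate (not real hosts).
SAMPLE_TRU64 = {
    "alpha01": 'java version "1.1.8-6"\n',    # pre-fix build of a fixed train
    "alpha02": 'java version "1.3.1-2"\n',    # listed as "(includes fix)"
    "alpha03": 'java version "1.2.2-12"\n',   # train listed without the fix
}

if __name__ == "__main__":
    print(audit("tru64", SAMPLE_TRU64))  # → ['alpha01', 'alpha03']
```

Note that a host flagged here still needs the platform caveats above applied before updating: on Tru64 UNIX 5.0 and later the SysMan tools depend on the system Java in /usr/bin, so an audit hit is a prompt to read http://www.compaq.com/java/alpha, not to swap the default JRE blindly.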

__________
SUBSCRIBE:

To subscribe to automatically receive future Security
Advisories from the Compaq's Software Security Response Team via
electronic mail:
http://www.support.compaq.com/patches/mailing-list.shtml

_______
REPORT:

To report a potential security vulnerability with any Compaq
supported product, send email mailto:[email protected]
or mailto:[email protected]

Compaq appreciates your cooperation and patience. As always,
Compaq urges you to periodically review your system management
and security procedures. Compaq will continue to review and
enhance the security features of its products and work with
our customers to maintain and improve the security and integrity
of their systems.

"Compaq is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected Compaq products the
important security information contained in this Bulletin.
Compaq recommends that all users determine the applicability of
this information to their individual situations and take appropriate
action. Compaq does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently,
Compaq will not be responsible for any damages resulting from
user's use or disregard of the information provided in this
Bulletin."

Copyright 2002 Compaq Information Technologies Group, L.P.
Compaq shall not be liable for technical or editorial errors
or omissions contained herein. The information in this document
is subject to change without notice. Compaq and the names of
Compaq products referenced herein are, either, trademarks
and/or service marks or registered trademarks and/or service
marks of Compaq Information Technologies Group, L.P. Other product
and company names mentioned herein may be trademarks and/or service
marks of their respective owners.

