Sun Java Runtime Environment Remote XSLT特权升级漏洞

CNNVD-ID编号	CNNVD-200906-021
CVE编号	CVE-2004-2764
发布时间	2009-06-02
更新时间	2009-06-02
漏洞类型	权限许可和访问控制
漏洞来源	Discovery of this issue is credited to Marc Schoenefeld.
危险等级	超危
威胁类型	远程
厂商	sun

漏洞介绍

Sun SDK和Java Runtime Environment (JRE) 1.4.2版本至1.4.2_04版本,1.4.1版本至1.4.1_07版本,和1.4.0版本至1.4.0_04版本允许不可靠的applet程序和没有特权的servlets获得特权并可以借助与XSLT处理器(又称\"XML sniffing\")中的等级相关的未明向量，从其它applet程序中读取数据。

漏洞补丁

目前厂商已经发布了升级补丁以修复这个安全问题，补丁下载链接：

Sun JRE (Windows Production Release) 1.4

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Linux Production Release) 1.4

Sun J2SE v 1.4.2_05 SDK

http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Solaris Production Release) 1.4 .0_01

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun SDK (Solaris Production Release) 1.4

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html Sun SDK (Linux Production Release) 1.4 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Windows Production Release) 1.4 .0_03 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html Sun JRE (Windows Production Release) 1.4 .0_01 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html Sun JRE (Linux Production Release) 1.4 .0_03

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Solaris Production Release) 1.4 .0_04

Sun J2SE v 1.4.2_05 SDK

http://java.sun.com/j2se/1.4.2/download.html

Sun SDK (Windows Production Release) 1.4

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html Sun SDK (Solaris Production Release) 1.4 .0_03

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html Sun SDK (Windows Production Release) 1.4 .0_4 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun SDK (Windows Production Release) 1.4 .0_03 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Solaris Production Release) 1.4 .0_02

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Solaris Production Release) 1.4 .0_04 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Solaris Production Release) 1.4

Sun J2SE v 1.4.2_05 SDK

http://java.sun.com/j2se/1.4.2/download.html

Sun SDK (Windows Production Release) 1.4 .0_01

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun SDK (Linux Production Release) 1.4 .0_03

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Solaris Production Release) 1.4 .0_03

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Windows Production Release) 1.4 .0_02

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html Sun SDK (Solaris Production Release) 1.4 .0_02

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html Sun SDK (Solaris Production Release) 1.4 .0_4 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Linux Production Release) 1.4 .0_02

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun SDK (Linux Production Release) 1.4 .0_4 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun SDK (Linux Production Release) 1.4 .0_02

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Windows Production Release) 1.4 .0_04

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun SDK (Windows Production Release) 1.4 .0_02

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun JRE (Linux Production Release) 1.4 .0_04

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun SDK (Solaris Production Release) 1.4.1

Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html Sun JRE (Solaris Production Release) 1.4.1 _02 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html Sun JRE (Solaris Production Release) 1.4.1 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html Sun JRE (Linux Production Release) 1.4.1 _02 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html Sun SDK (Linux Production Release) 1.4.1 _03 Sun J2SE v 1.4.2_05 SDK http://java.sun.com/j2se/1.4.2/download.html

Sun SDK (Solaris Production Release) 1.4.1 _01

Sun J2SE v 1.4.2_05 SDK

http://java.sun.com/j2se/1.4.2/download.html

Sun SDK (Windows Production Release) 1.4.1

Sun J2SE v 1.4.

参考网址

来源: XF

名称: sun-xslt-applet-gain-privileges(16864)

链接：http://xforce.iss.net/xforce/xfdb/16864
来源: BID

名称: 10844

链接：http://www.securityfocus.com/bid/10844
来源: BUGTRAQ

名称: 20040808 Java XSLT security advisory addendum

链接：http://www.securityfocus.com/archive/1/371208
来源: OSVDB

名称: 8288

链接：http://www.osvdb.org/8288
来源: SECTRACK

名称: 1011661

链接：http://securitytracker.com/id?1011661
来源: SECUNIA

名称: 12206

链接：http://secunia.com/advisories/12206
来源: HP

名称: HPSBUX01087

链接：http://groups.google.com/group/comp.security.unix/tree/browse_frm/month/2004-10/fe63f1daa9689d50?rnum=161&_done=%2Fgroup%2Fcomp.security.unix%2Fbrowse_frm%2Fmonth%2F2004-10%3Ffwc%3D1%26#doc_29036353582c690d
来源: HP

名称: HPSBUX01087

链接：http://groups.google.com/group/comp.security.unix/tree/browse_frm/month/2004-10/fe63f1daa9689d50?rnum=161&_done=%2Fgroup%2Fcomp.security.unix%2Fbrowse_frm%2Fmonth%2F2004-10%3Ffwc%3D1%26#doc_29036353582c690d

受影响实体

信息来源

http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200906-021