Red Hat Bugzilla – Bug 581237
CVE-2010-0886 CVE-2010-0887 Sun Java: Java Web Start arbitrary command line injection
Last modified: 2018-10-27 12:06:58 EDT
Tavis Ormandy reported: [1] http://seclists.org/fulldisclosure/2010/Apr/119 a deficiency in the way Java Deployment Toolkit's Java Web Start sanitized URL of the applications, intended to be launched and installed via the Java Networking Launching Protocol. Remote attacker could trick a local victim into visiting a specially-crafted web page, potentially leading to execution of arbitrary Java code with the privileges of the user opening the page. References: [2] http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1 [3] http://bugs.gentoo.org/show_bug.cgi?id=314531 CVE Request: [4] http://www.openwall.com/lists/oss-security/2010/04/10/2
Sun never open sourced their plugin or Web Start code so it is not part of OpenJDK/IcedTea packages.
This was assigned CVE-2010-1423: http://thread.gmane.org/gmane.comp.security.oss.general/2801/focus=2820 This should be addressed in Sun/Oracle Java 6 U20: http://java.sun.com/javase/6/webnotes/6u20.html Oracle security alert mentions different CVEs - CVE-2010-0886 and CVE-2010-0887: http://www.oracle.com/technology/deploy/security/alerts/alert-cve-2010-0886.html Metasploit module: http://www.metasploit.com/redmine/projects/framework/repository/changes/modules/exploits/windows/browser/java_ws_arginject_altvm.rb
Metasploit module name change: http://www.metasploit.com/redmine/projects/framework/repository/changes/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb
This issue has been addressed in following products: Extras for RHEL 4 Extras for Red Hat Enterprise Linux 5 Via RHSA-2010:0356 https://rhn.redhat.com/errata/RHSA-2010-0356.html
This issue has been addressed in following products: Extras for RHEL 4 Extras for Red Hat Enterprise Linux 5 Via RHSA-2010:0549 https://rhn.redhat.com/errata/RHSA-2010-0549.html