SSRT3581 Potential Sec. Vulnerability in Java(TM) Runtime Env.

SSRT3581 Potential Sec. Vulnerability in Java(TM) Runtime Env.

Post by Security Ale » Fri, 18 Jul 2003 00:37:19

Hash: SHA1

 Originally issued: 16 July 2003
 SSRT3581 Potential Sec. Vulnerability in Java(TM) Runtime Env.
NOTICE: There are no restrictions for distribution of this
        Bulletin provided that it remains complete and intact.
        The information in the following Security Bulletin should
        be acted upon as soon as possible.  Hewlett-Packard
        Company will not be liable for any consequences to any
        customer resulting from customer's failure to fully
        implement instructions in this Security Bulletin as soon
        as possible.
PROBLEM: A vulnerability in the Java(TM) Runtime Environment may
         allow an untrusted applet to access information from a
         trusted applet.  This is not allowed in the Java Security
         Model.  The trusted applet must contain code that
         exploits this vulnerability.

IMPACT:  This bug may introduce potential vulnerabilities into any
         program. These defects includes the affected libraries.
         The resulting vulnerabilities may result in information
         leakage.  There are no known reported attacks based on
         these vulnerabilities.

PLATFORM: Any HP-UX system running the supported HP-UX versions
          of Java 1.2.X, 1.3.X, and 1.4.X is affected by this.

SOLUTION: Manual update to the version of Java with the security
          fixes.  The list below describes the minimal Java
          release necessary:


                Update to Java to:

AVAILABILITY: Updated releases are now available at:

 A. Background
    Javasoft has issued their Security Bulletin 112.

 B. Recommended solution
    Resolution of this issue requires a manual update to the
    appropriate version of the Java SDK, JPI, and JRE, which
    contains the security fix from website

    Update to at least the following appropriate Java version
    from the website

       1.2.X    -
       1.3.X    -
       1.4.0.X  -
       1.4.1.X  -

C. To subscribe to automatically receive future NEW HP Security
   Bulletins from the HP IT Resource Center via electronic
   mail, do the following:

   Use your browser to et to the HP IT Resource Center page

   Use the 'Loin' tab at the left side of the screen to loin
   using your ID and password.  Use your existing login or the
   "Register" button at the left to create a login, in order to
   gain access to many areas of the ITRC.  Remember to save the
   User ID assigned to you, and your password.

   In the left most frame select "Maintenance and Support".

   Under the "Notifications" section (near the bottom of
   the page), select "Support Information Diests".

   To -subscribe- to future HP Security Bulletins or other
   Technical Digests, click the check box (in the left column)
   for the appropriate digest and then click the "Update
   Subscriptions" button at the bottom of the page.


   To -review- bulletins already released, select the link
   (in the middle column) for the appropriate digest.

   NOTE: Using your itrc account, security bulletins can be
         found here:

   To -gain access- to the Security Patch Matrix, select
   the link for "The Security Bulletins Archive".  (near the
   bottom of the page)  Once in the archive the third link is
   to the current Security Patch Matrix. Updated daily, this
   matrix categorizes security patches by platform/OS release,
   and by bulletin topic.  Security Patch Check completely
   automates the process of reviewing the patch matrix for
   11.XX systems.

   For information on the Security Patch Check tool, see:

   The security patch matrix is also available via anonymous

   On the "Support Information Digest Main" page:
   click on the "HP Security Bulletin Archive".

D. To report new security vulnerabilities, send email to

   Please encrypt any exploit information using the
   security-alert PGP key, available from your local key
   server, or by sending a message with a -subject- (not body)

- ------------------------------------------------------------------

(c)Copyright 2003 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
in this document is subject to change without notice.
Hewlett-Packard Company and the names of HP products referenced
herein are trademarks and/or service marks of Hewlett-Packard
Company.  Other product and company names mentioned herein may be
trademarks and/or service marks of their respective owners.

- --

Version: PGP 8.0


Yours truly,
HP S/W Security Team
WTEC Cupertino, California