ID CVE-2009-1102
Summary Unspecified vulnerability in the Virtual Machine in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to access files and execute arbitrary code via unknown vectors related to "code generation."
References
Vulnerable Configurations
  • cpe:2.3:a:sun:java:*:*:*:*:*:*:*:*
    cpe:2.3:a:sun:java:*:*:*:*:*:*:*:*
CVSS
Base: 6.4 (as of 10-10-2018 - 19:34)
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Code Injection
    An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:N
oval via4
  • accepted 2013-04-29T04:04:24.694-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description Unspecified vulnerability in the Virtual Machine in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to access files and execute arbitrary code via unknown vectors related to "code generation."
    family unix
    id oval:org.mitre.oval:def:10300
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Unspecified vulnerability in the Virtual Machine in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to access files and execute arbitrary code via unknown vectors related to "code generation."
    version 18
  • accepted 2014-01-20T04:01:28.898-05:00
    class vulnerability
    contributors
    • name Michael Wood
      organization Hewlett-Packard
    • name Chris Coffin
      organization The MITRE Corporation
    definition_extensions
    • comment VMware ESX Server 3.5.0 is installed
      oval oval:org.mitre.oval:def:5887
    • comment VMware ESX Server 4.0 is installed
      oval oval:org.mitre.oval:def:6293
    description Unspecified vulnerability in the Virtual Machine in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12 and earlier allows remote attackers to access files and execute arbitrary code via unknown vectors related to "code generation."
    family unix
    id oval:org.mitre.oval:def:6722
    status accepted
    submitted 2009-11-30T15:39:02.000-04:00
    title Java Runtime Environment (JRE) Virtual Machine Lets Remote Users Read/Write Files and Execute Local Applications
    version 7
redhat via4
advisories
  • bugzilla
    id 492353
    title CVE-2009-0793 lcms: Null pointer dereference (DoS) by handling transformations of monochrome profiles
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331001
    • OR
      • AND
        • comment java-1.6.0-openjdk is earlier than 1:1.6.0.0-0.30.b09.el5
          oval oval:com.redhat.rhsa:tst:20090377002
        • comment java-1.6.0-openjdk is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377003
      • AND
        • comment java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-0.30.b09.el5
          oval oval:com.redhat.rhsa:tst:20090377010
        • comment java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377011
      • AND
        • comment java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-0.30.b09.el5
          oval oval:com.redhat.rhsa:tst:20090377004
        • comment java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377005
      • AND
        • comment java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-0.30.b09.el5
          oval oval:com.redhat.rhsa:tst:20090377006
        • comment java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377007
      • AND
        • comment java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-0.30.b09.el5
          oval oval:com.redhat.rhsa:tst:20090377008
        • comment java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377009
    rhsa
    id RHSA-2009:0377
    released 2009-04-07
    severity Important
    title RHSA-2009:0377: java-1.6.0-openjdk security update (Important)
  • rhsa
    id RHSA-2009:0392
rpms
  • java-1.6.0-openjdk-1:1.6.0.0-0.30.b09.el5
  • java-1.6.0-openjdk-demo-1:1.6.0.0-0.30.b09.el5
  • java-1.6.0-openjdk-devel-1:1.6.0.0-0.30.b09.el5
  • java-1.6.0-openjdk-javadoc-1:1.6.0.0-0.30.b09.el5
  • java-1.6.0-openjdk-src-1:1.6.0.0-0.30.b09.el5
refmap via4
bid 34240
bugtraq 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components
confirm
gentoo GLSA-200911-02
hp
  • HPSBMA02429
  • HPSBUX02429
  • SSRT090058
mandriva
  • MDVSA-2009:137
  • MDVSA-2009:162
sectrack 1021919
secunia
  • 34489
  • 34496
  • 34632
  • 35223
  • 35255
  • 37386
  • 37460
sunalert 254610
suse
  • SUSE-SA:2009:016
  • SUSE-SA:2009:029
ubuntu USN-748-1
vupen
  • ADV-2009-1426
  • ADV-2009-3316
Last major update 10-10-2018 - 19:34
Published 25-03-2009 - 23:30
Back to Top