Sun warns of security hole in Java

A security vulnerability has been discovered in components of Sun Microsystems Inc.'s Java software, leaving some servers that run Java open to potential attack, according to a security bulletin issued by Sun and posted on the Bugtraq security list. [Note to Editors: New information appears in bold.]The problem affects various releases of versions 1.1 and 1.2 of the Java Runtime Environment for Linux, Microsoft Corp.'s Windows and Sun's own Solaris operating system, the company said in the bulletin. "To the best of Sun's knowledge" the security hole doesn't affect Microsoft Corp.'s Internet Explorer browser or Netscape's Navigator software, the Sun bulletin said.

In order for the security hole to be exploited, permission must be granted by a computer to run at least one Java command, according to the bulletin. "Since no permission is granted by default, the circumstances necessary to exploit this vulnerability are relatively rare," Sun said.

The Palo Alto, California-based vendor did not rule out that the bug may effect Java-based technology created by other vendors, but said it has notified Java licensees and made the fix available to them. Sun did not immediately return a call seeking further information.

The flaw has already been fixed in Sun's new Java 2 Platform, the company said. However, it does also affect certain releases of the Java Development Kit version 1.1. 6 and 1.1.7B.

Users are advised to upgrade to newer releases of the Java Runtime Environment and the Java Developer Kit. More detailed information can be found in the archive section of Buqtraq, which can be accessed at http://www.securityfocus.com/.

Hewlett-Packard Co. followed soon after by issuing a warning that "improper permission may be granted in some cases" on its own HP9000 Series 700/800 servers. The warning applies to servers running the HP-UX operating system releases 10.20, 10.24, 11.00, 11.04 and 11.11.

HP said fixes for the vulnerable versions were available for download immediately from its Web site.

Sun, in Palo Alto, California, can be contacted at +1-650-960-1300, or online at http://www.sun.com/. HP, based in Palo Alto, California, can be reached at +1-650-857-1501 or on the Web at http://www.hp.com/.

Join the newsletter!

Error: Please check your email address.

More about Hewlett-Packard AustraliaMicrosoftSecurityFocusSun Microsystems

Show Comments