• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Sun Java Virtual Machine Slash Path Security Model Circumvention Vulnerability

Solution:
HP has released an advisory (HPSBUX0311-295) to address this issue. HP suggests the following manual updates:

Java 1.4.1.04 or later (T1456AA (JDK 1.4), T1457AA (JRE 1.4))
Java 1.3.1.11 or later (B9788AA (JDK 1.3), B9789AA (JRE 1,3))
Java 1.2.1.16 or later (B8110AA (JDK 1.2), B8111AA (JRE 1.2))

These updates may be obtained from www.hp.com/go/java. HP revised their advisory to include details about HP-UX 11.04 (VVOS). This issue affects HP-UX 11.04 (VVOS) with Virtualvault A.04.50 or Virtualvault A.04.60 or Virtualvault A.04.70 installed. These platforms are only affected if Java has been downloaded and integrated on Virtualvault. Further details may be found in the advisory.

This issue is addressed in the following SDK and JRE versions of Windows Production Releases, Solaris OE Production Releases and Linux Production Releases:

SDK and JRE 1.4.1_04 and later
SDK and JRE 1.3.1_09 and later
SDK and JRE 1.2.2_016 and later

Solaris Operating Environment (OE) Reference Releases SDK and JRE 1.2.2_016 and later also include fixes.

Fixes are available at the following location:

http://java.sun.com/j2se/

See referenced advisory for additional details.

HP has released an update the their original advisory stating that more HP-UX versions are affected that were originally reported. Please see the referenced advisory for more information.