Security Vulnerability in JRE Plug-in affects the Sun Java Desktop System for Linux

Category: Security
Release Phase: Resolved
Product: Sun Java Desktop System 2003
Bug Id: 6291747
Date of Resolved Release: 01-JUL-2005

Impact
Certain releases of the Sun Java Desktop System (JDS) for Linux include versions of the Java Runtime Environment (JRE) whose Java Plug-in contains a vulnerability. Through JavaScript calling into Java code, an untrusted applet may be able to escalate its privileges, including reading and writing files with the privileges of the user running the applet.
This issue is also described in Sun Alert 101749 at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1.
Contributing Factors
This issue can occur in the following releases:
Linux Platform
- Sun Java Desktop System (JDS) Release 2 without the updated RPMs patch 118752-02
Note: This issue only occurs with JDS JRE version j2re-1.4.2_07-b03 or earlier.
To determine the release of JDS for Linux installed on a system, the following command can be run:
% cat /etc/sun-release
Sun Java Desktop System, Release 2 -build 10b (GA)
Assembled 30 March 2004
To determine the version of the JDS JRE, the following command can be run:
% rpm -qf /usr/java/j2redefault/bin/java
j2re-1.4.2_06-fcs
Or
% java -fullversion
java full version "1.4.2_06-b03"
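The version check above can be scripted. The following is an added example, not part of the Sun Alert: it classifies a version string (from `java -fullversion`, the rpm package name, or a bare version) against the ceiling the advisory states, j2re-1.4.2_07-b03. The function names and status words are assumptions of this example, and it checks only the JRE version, not the JDS release or whether patch 118752-02 is installed.

```sh
#!/bin/sh
# Added example (not from the Sun Alert): classify a JRE version string against
# the advisory's stated ceiling, "j2re-1.4.2_07-b03 or earlier".
CEILING="1.4.2_07-b03"   # value taken from the advisory text

# jre_key STRING -> fixed-width sortable key, or exit status 2 if unparseable.
# Accepts java -fullversion output, the rpm package name, or a bare version.
jre_key() {
    printf '%s\n' "$1" | awk '{
        s = $0
        sub(/^java full version /, "", s)    # java -fullversion prefix
        gsub(/"/, "", s)
        sub(/^j2re-/, "", s)                 # rpm package name prefix
        if (s !~ /^[0-9]+\.[0-9]+\.[0-9]+(_[0-9]+)?(-[A-Za-z0-9]+)?$/) exit 2
        base = s; sub(/[_-].*$/, "", base); split(base, p, ".")
        upd = 0                              # no "_NN" part means update 0
        if (s ~ /_/) { upd = s; sub(/^[^_]*_/, "", upd); sub(/-.*$/, "", upd) }
        bld = 0                              # "fcs" or a missing build counts as 0
        if (s ~ /-b[0-9]+$/) { bld = s; sub(/^.*-b/, "", bld) }
        # Leading "1" keeps the key free of leading zeros; fields assumed < 1000.
        printf "1%03d%03d%03d%03d%03d\n", p[1], p[2], p[3], upd, bld
    }'
}

# jre_status STRING -> prints affected | above-ceiling | unknown
jre_status() {
    key=$(jre_key "$1") || { echo unknown; return 0; }
    ceil=$(jre_key "$CEILING")
    if [ "$key" -le "$ceil" ]; then echo affected; else echo above-ceiling; fi
}

# Constructed inputs; the first two are the sample outputs shown in the advisory.
for v in 'java full version "1.4.2_06-b03"' 'j2re-1.4.2_06-fcs' \
         '1.4.2_07-b03' '1.4.2_07-b05' '1.4.2_08-b03' 'not a version'; do
    printf '%-36s %s\n' "$v" "$(jre_status "$v")"
done
```

Because an rpm name such as j2re-1.4.2_06-fcs carries no numeric build, the script treats its build as 0, so a package at update 07 without a build number is reported as affected.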
Symptoms
There are no reliable symptoms that would indicate the described issue has been exploited.
Workaround
There is no workaround. Please see the "Resolution" section below.
Resolution
This issue is addressed in the following releases:
Linux Platform
- Sun Java Desktop System (JDS) Release 2 with the updated RPMs patch 118752-02
To download and install the updated RPMs from the update servers, select the following sequence from the "launch" menu:
Launch >> Applications >> System Tools >> Online Update
For more information on obtaining updates see:
Modification History
Date: 10-AUG-2005
Change History
Attachments
This solution has no attachment