Security Vulnerability When Using java.policy With RMI-IIOP



Category: Security
Release Phase: Resolved
Product: Java Dynamic Management Kit 5.1
Bug Id: 4984695
Date of Resolved Release: 09-MAR-2007


Impact

A security vulnerability in the JMX RMI-IIOP API may allow a local user who is able to create a JMX RMI-IIOP server application to gain unauthorized access to certain local data if a remote user who has privileges to access that data connects to that server application.

Note: JMX RMI-IIOP stands for:

  • JMX: Java Management Extensions Remote API
  • RMI-IIOP: Remote Method Invocation over Internet Inter-ORB Protocol

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Java Dynamic Management Kit unbundled product 5.1 (for Solaris 8, 9, and 10) with JDK 5.0 update 4 and earlier, or JDK 1.4 or earlier without patch 119044-03
  • Solaris 10 with JDK 5.0 update 4 and earlier, or JDK 1.4 or earlier without patch 124939-03

x86 Platform

  • Java Dynamic Management Kit unbundled product 5.1 (for Solaris 8, 9, and 10) with JDK 5.0 update 4 and earlier, or JDK 1.4 or earlier without patch 119044-03
  • Solaris 10 with JDK 5.0 update 4 and earlier, or JDK 1.4 or earlier without patch 124939-03

Windows Platform

  • Java Dynamic Management Kit 5.1 unbundled product with JDK 5.0 update 4 and earlier, or JDK 1.4 or earlier without patch 119045-03

Linux Platform

  • Java Dynamic Management Kit 5.1 unbundled product with JDK 5.0 update 4 and earlier, or JDK 1.4 or earlier without patch 119046-03

Note 1: This issue only affects systems that host applications deployed with the JMX RMI-IIOP API, which is part of the Java Dynamic Management Kit product. This issue applies to JMX agents deployed under all of the following conditions:

  1. A SecurityManager has been installed to give different code different permissions, and
  2. Some of the deployed JMX MBeans are not accessible to all code, and
  3. Some code has enough permissions to create a JMX RMI-IIOP connector but not enough to access the protected MBeans.

In this case, the code covered by (3) may be able to access the protected MBeans despite the restrictions defined in (2).

Note 2: Java Dynamic Management Kit 5.0 does not include the Java Management Extensions Remote API and is therefore not impacted by this issue.


Symptoms

There are no predictable symptoms that would indicate the described vulnerability has been exploited.


Workaround

There is no workaround for this issue. Please see the Resolution section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Java Dynamic Management Kit unbundled product 5.1 (for Solaris 8, 9, and 10) with JDK 5.0 update 5 and later, or JDK 1.4 or earlier with patch 119044-03 or later
  • Solaris 10 with JDK 5.0 update 5 and later, or JDK 1.4 or earlier with patch 124939-03 or later

x86 Platform

  • Java Dynamic Management Kit unbundled product 5.1 (for Solaris 8, 9, and 10) with JDK 5.0 update 5 and later, or JDK 1.4 or earlier with patch 119044-03 or later
  • Solaris 10 with JDK 5.0 update 5 and later, or JDK 1.4 or earlier with patch 124939-03 or later

Windows Platform

  • Java Dynamic Management Kit 5.1 unbundled product with JDK 5.0 update 5 and later, or JDK 1.4 or earlier with patch 119045-03 or later

Linux Platform

  • Java Dynamic Management Kit 5.1 unbundled product with JDK 5.0 update 5 and later, or JDK 1.4 or earlier with patch 119046-03 or later

Note: When the JDMK product is used with JDK 5.0, this issue must be resolved within the JDK by upgrading to JDK 5.0 Update 5 or later. The JDMK is not impacted when used with JDK 5.0 Update 5 or later.

The latest JDK 5.0 update is available for download at:

When the JDMK product is used with JDK 1.4 or earlier, this issue must be resolved within the JDMK product by installing one of the patches listed above. Solaris 10 is shipped with JDMK 5.1, and systems which make use of this bundled product with JDK 1.4 or earlier should install patch 124939-03 to address this issue.
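As an added example (not part of the Sun Alert), the following POSIX shell function encodes the version and patch conditions from the Contributing Factors and Resolution sections so that an administrator can check a host against them. It assumes the JDK version is passed as the first line of `java -version` output (or a bare `1.5.0_04`-style string) and that installed patches are passed as lines of `NNNNNN-RR` IDs, the format `showrev -p` and `patchadd -p` print on Solaris; the `showrev -p | awk '{print $2}'` usage line is an assumption about that output, not something the alert states. The patch base numbers (119044, 124939, 119045, 119046) and the JDK 5.0 Update 5 threshold come from the alert itself; JDK families newer than 5.0 are reported as outside the alert's scope because the alert does not list them.

```shell
#!/bin/sh
# jdmk_check: decide whether a host matches the affected configurations listed in
# Sun Alert 200678 (bug 4984695). Added example, not part of the Sun Alert.
# Assumptions (not from the alert): the JDK version is a "java -version" first line
# or a bare "1.5.0_04"-style string; installed patches are supplied as lines of
# "NNNNNN-RR" IDs such as those printed by "showrev -p" or "patchadd -p" on Solaris.
#
# usage: jdmk_check JDK_VERSION REQUIRED_PATCH_BASE INSTALLED_PATCH_LIST
#   JDK_VERSION          e.g. 'java version "1.5.0_04"' or '1.4.2_12'
#   REQUIRED_PATCH_BASE  platform patch from the alert: 119044 (Solaris SPARC/x86 JDMK),
#                        124939 (Solaris 10 bundled JDMK), 119045 (Windows), 119046 (Linux)
#   INSTALLED_PATCH_LIST newline-separated patch IDs (may be empty)
# Prints one verdict line; exit status 0 = not affected, 1 = affected.
jdmk_check() {
    raw=$1; base=$2; installed=$3

    # Pull the quoted version out of a "java -version" line, or take the argument as-is.
    ver=$(printf '%s\n' "$raw" | sed -n 's/.*"\([0-9][^"]*\)".*/\1/p')
    [ -n "$ver" ] || ver=$raw

    # "1.5.0_04" -> family 5, update 4; "1.4.2_12" -> family 4, update 12
    family=$(printf '%s\n' "$ver" | cut -d. -f2)
    update=$(printf '%s\n' "$ver" | sed -n 's/.*_0*\([0-9][0-9]*\).*/\1/p')
    update=${update:-0}

    if [ "$family" -gt 5 ]; then
        echo "not listed: JDK $ver is outside the releases covered by this alert"
        return 0
    fi

    if [ "$family" -eq 5 ]; then
        # JDK 5.0: the fix lives in the JDK itself (update 5 and later)
        if [ "$update" -ge 5 ]; then
            echo "not affected: JDK 5.0 update $update already contains the fix"
            return 0
        fi
        echo "affected: JDK 5.0 update $update; upgrade to JDK 5.0 Update 5 or later"
        return 1
    fi

    # JDK 1.4 or earlier: the fix is the JDMK patch at revision 03 or later.
    # Keep the highest installed revision of the required patch base.
    rev=$(printf '%s\n' "$installed" \
        | sed -n "s/^${base}-0*\([0-9][0-9]*\).*/\1/p" \
        | sort -n | tail -n 1)
    if [ -n "$rev" ] && [ "$rev" -ge 3 ]; then
        echo "not affected: patch ${base}-$(printf '%02d' "$rev") is installed"
        return 0
    fi
    echo "affected: JDK $ver without patch ${base}-03 or later; install the patch"
    return 1
}

# Usage on a live Solaris host with the unbundled JDMK 5.1 (assumed showrev -p layout:
# "Patch: 119044-03 Obsoletes: ... Packages: ...", so field 2 is the patch ID):
#   jdmk_check "$(java -version 2>&1 | head -n 1)" 119044 "$(showrev -p | awk '{print $2}')"
```

Run the function once per JDK installation on the host: the alert's conditions are per JDK, so a box with both a JDK 1.4 and a JDK 5.0 under the same JDMK can be clean for one and affected for the other.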


Attachments
This solution has no attachment
Article Details
Article ID: 200678
Article Type: Sun Alert
Last reviewed: 2007-03-09
Audience: PUBLIC