
eEye Digital Security

The endpoint to vulnerability starts here.

 

Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.4.2

Last post 10-29-2009 3:33 PM by bpatten. 3 replies.
  • 10-18-2009 2:24 PM

    Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.4.2

    I am getting the above vulnerability audit starting a few days ago.  I do not have JRE 1.4.2 installed.  Verifying java version on my computer below:

    C:\>java -version
    java version "1.6.0_16"
    Java(TM) SE Runtime Environment (build 1.6.0_16-b01)
    Java HotSpot(TM) Client VM (build 14.2-b01, mixed mode, sharing)

    Any ideas?

    The full audit message is below:

    BID 35943, 35945, 35939, 35942, 35944
    CVE CVE-2009-2676, CVE-2009-2625, CVE-2009-2674, CVE-2009-2671, CVE-2009-0217, CVE-2009-2670, CVE-2009-2673, CVE-2009-2675, CVE-2009-2672
    Description Sun Java Runtime Environment (JRE) and Java Development Kit (JDK) contain multiple vulnerabilities that could allow connections to arbitrary hosts, web session hijacking, username disclosure, execution of untrusted Java Web Start applications with elevated privileges (e.g. thus allowing permissions to local files, or execution of local applications), spoofing of XML digital signatures, spoofing/manipulation of security dialogs, cause denial of service conditions, and/or execution of arbitrary code (via multiple vectors).
    How To Fix Install or apply the appropriate vendor-supplied fix:

    Note: JRE/JDK 1.4.x/1.3.x updates are available only through Sun Vintage Support or Java SE for Business contracts.

    Windows
      • JRE/JDK 6.0: Upgrade to Update 15 or newer.
      • JRE/JDK 5.0: Upgrade to Update 20 or newer.
      • JRE/JDK 1.4.2: Upgrade to Update 22 or newer, or migrate to a newer version.
      • JRE/JDK 1.3.1: Upgrade to Update 26 or newer, or migrate to a newer version.

    Linux
      • JRE/JDK 6.0: Upgrade to Update 15 or newer.
      • JRE/JDK 5.0: Upgrade to Update 20 or newer.
      • JRE/JDK 1.4.2: Upgrade to Update 22 or newer, or migrate to a newer version.
      • JRE/JDK 1.3.1: Upgrade to Update 26 or newer, or migrate to a newer version.

    Solaris
      • JRE/JDK 6.0: Upgrade to Update 15 or newer.
      • JRE/JDK 5.0: Upgrade to Update 20 or newer.
      • JRE/JDK 1.4.2: Upgrade to Update 22 or newer, or migrate to a newer version.
      • JRE/JDK 1.3.1: Upgrade to Update 26 or newer, or migrate to a newer version.

    Links Sun Alert - 263429
    Java Downloads - JRE/JDK 5 Update 20
    Release Notes - JRE 6 Update 15
    Sun Alert - 263408
    Sun Alert - 263489
    Secunia Advisory - 36159
    Java Downloads - JRE/JDK 6 Update 15
    Sun Alert - 264648
    Sun Alert - 263488
    Release Notes - JRE 5 Update 20
    Sun Alert - 263409
    Sun Alert - 263490
    Sun Alert - 263428
    Risk High
  • 10-19-2009 9:31 AM In reply to

    • bpatten
    • Top 10 Contributor
    • Joined on 09-24-2007
    • Irvine, CA
    • Posts 125

    Re: Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.4.2

    Can you check to see what regkeys you have here:

    HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Runtime Environment\  ?

    Thank you.

     

  • 10-22-2009 8:37 PM In reply to

    Re: Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.4.2

    There were 4 sub keys, 1.4, 1.4.0, 1.6, 1.6.0.  The first 2 referred to a non-existent directory, C:\Program Files\Java\jre1.5.0_02, on my system.  The latter 2 referred to C:\Program Files\Java\jre6 which does exist.  I deleted the first two keys and reran the vulnerability scan.  That seems to have fixed the problem.  Thanks.  /V

     

    bpatten:

    Can you check to see what regkeys you have here:

    HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Runtime Environment\  ?

    Thank you.

     

     

  • 10-29-2009 3:33 PM In reply to

    • bpatten

    Re: Sun JRE/JDK Multiple Vulnerabilities (20090804) - Windows - JRE 1.4.2

    Yep, a faulty uninstall will cause that. It's always recommended to uninstall software from Add/Remove Programs; otherwise registry keys and/or files will be left behind.

    Glad you were able to address the issue by confirming the files were not present and properly updating the regkeys.
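
Added example, not part of the original thread or the scanner's own logic: a read-only PowerShell check for the condition found above, listing each version subkey under the JavaSoft key and flagging those whose install directory no longer exists. It assumes the install path is stored in the `JavaHome` value of each subkey and also checks the `Wow6432Node` view used by 32-bit JREs on 64-bit Windows; neither detail is mentioned in the thread, and `Get-StaleJreKey` is a hypothetical helper name.

```powershell
# Added example: report JavaSoft JRE registry entries whose install directory is gone.
# Read-only: it lists stale keys and does not delete or modify anything.
function Get-StaleJreKey {
    param(
        # First path is the key from the thread; the Wow6432Node path is an
        # assumption covering 32-bit JREs registered on 64-bit Windows.
        [string[]]$Root = @(
            'HKLM:\SOFTWARE\JavaSoft\Java Runtime Environment',
            'HKLM:\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment'
        )
    )
    foreach ($r in $Root) {
        # Skip registry views that do not exist on this machine.
        if (-not (Test-Path -LiteralPath $r)) { continue }

        foreach ($key in Get-ChildItem -LiteralPath $r) {
            # JavaHome (assumed value name) holds the JRE install directory.
            $javaHome = $key.GetValue('JavaHome')
            $exists = [bool]$javaHome -and
                      (Test-Path -LiteralPath $javaHome -PathType Container)

            [pscustomobject]@{
                Key      = $key.Name          # full registry path of the subkey
                Version  = $key.PSChildName   # e.g. 1.4, 1.4.0, 1.6, 1.6.0
                JavaHome = $javaHome
                Stale    = -not $exists       # True: key points at a missing directory
            }
        }
    }
}

# Show every registered JRE version and whether its directory is present.
Get-StaleJreKey | Sort-Object Key | Format-Table -AutoSize
```

Rows with `Stale` set to `True` correspond to leftover keys like the 1.4 and 1.4.0 entries described above; review them before removing anything, since a version-based audit may read these keys rather than the files on disk.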

© 1995 - 2009 eEye Incorporated