Oracle Java JRE 1.7 allows untrusted code

August 28, 2012



Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may allow an untrusted applet to call System.setSecurityManager in a way that sidesteps the intended permission check, so the applet can grant itself arbitrary permissions and run outside the applet sandbox.


The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as standalone programs. Oracle has made the JRE available for multiple operating systems.

The Java JRE plug-in provides its own Security Manager. Typically, a web applet runs with a security manager installed by the browser plug-in or by Java Web Start, and that manager is what confines the applet to the sandbox. Oracle's documentation for System.setSecurityManager states: "If there is a security manager already installed, this method first calls the security manager's checkPermission method with a RuntimePermission("setSecurityManager") permission to ensure it's safe to replace the existing security manager. This may result in throwing a SecurityException." Sandboxed applet code is not granted that permission, so this check is what should stop an applet from removing or replacing its own security manager; a way to reach setSecurityManager without failing the check defeats the sandbox entirely.
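The check quoted above can be observed directly in a small program. The following is an added example written for this page, not code from the original post or from Oracle; the class names SetSecurityManagerDemo and LockedDownManager are invented for illustration. It installs a manager that refuses the RuntimePermission("setSecurityManager") check and then, from the same program, tries to remove it, which is exactly what sandboxed code would want to do.

```java
import java.security.Permission;

/**
 * Shows the permission check that System.setSecurityManager performs
 * once a security manager is already installed.
 */
public class SetSecurityManagerDemo {

    /**
     * Hypothetical manager for this demo: it denies only the permission that
     * guards replacement of the manager and allows everything else. The real
     * java.lang.SecurityManager instead delegates to AccessController.checkPermission,
     * so the outcome depends on the policy granted to the caller's code source.
     */
    static class LockedDownManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // This is the permission System.setSecurityManager consults before
            // replacing (or removing) the installed manager.
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                throw new SecurityException("replacing the security manager is not allowed");
            }
            // Every other permission is allowed in this demo; a real sandbox is far stricter.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    /**
     * What an applet would like to do: drop the manager entirely so that no
     * further permission checks happen. Reports whether the attempt succeeded.
     */
    static boolean tryToRemoveSecurityManager() {
        try {
            // With a manager installed, this first calls
            // checkPermission(new RuntimePermission("setSecurityManager")).
            System.setSecurityManager(null);
            return true;
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // No manager is installed yet, so this first call is not checked at all.
        System.setSecurityManager(new LockedDownManager());
        System.out.println("installed: "
                + System.getSecurityManager().getClass().getSimpleName());

        // From now on any attempt to replace or remove the manager is mediated
        // by its checkPermission method.
        boolean removed = tryToRemoveSecurityManager();
        System.out.println("security manager removed: " + removed);
    }
}
```

Compile and run with `javac SetSecurityManagerDemo.java && java SetSecurityManagerDemo` on Java 7 or 8, the versions this advisory concerns; the first setSecurityManager call succeeds because nothing is installed yet, and the second is refused by the manager's own check. Note that the mechanism itself has since been withdrawn: Java 17 deprecated the Security Manager for removal, Java 18 through 23 require `-Djava.security.manager=allow` for setSecurityManager to work at all, and from Java 24 it always throws UnsupportedOperationException.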

More here:

