Vulnerability CVE-2008-0657

Vulnerability Name:

CVE-2008-0657 (CCN-40298)

Assigned:

2008-02-05

Published:

2008-02-05

Updated:

2017-09-29

Summary:

Multiple unspecified vulnerabilities in the Java Runtime Environment in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and earlier, allow context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs.

CVSS v3 Severity:

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
7.4 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

5.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
4.3 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

CWE-264

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2008-0657

Source: BEA
Type: UNKNOWN
BEA08-201.00

Source: SUSE
Type: UNKNOWN
SUSE-SA:2008:025

Source: CCN
Type: RHSA-2008-0123
Critical: java-1.5.0-sun security update

Source: CCN
Type: RHSA-2008-0156
Moderate: java-1.5.0-bea security update

Source: CCN
Type: RHSA-2008-0210
Critical: java-1.5.0-ibm security update

Source: CCN
Type: RHSA-2008-0638
Low: Red Hat Network Satellite Server IBM Java Runtime security update

Source: CCN
Type: SA28795
Sun JRE Applet Handling Two Vulnerabilities

Source: SECUNIA
Type: Patch, Vendor Advisory
28795

Source: SECUNIA
Type: UNKNOWN
28888

Source: SECUNIA
Type: UNKNOWN
29214

Source: SECUNIA
Type: UNKNOWN
29498

Source: CCN
Type: SA29841
BEA JRockit Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
29841

Source: SECUNIA
Type: UNKNOWN
29858

Source: SECUNIA
Type: UNKNOWN
29897

Source: CCN
Type: SA30676
VMware ESX Server update for Tomcat and Java JRE

Source: SECUNIA
Type: UNKNOWN
30676

Source: SECUNIA
Type: UNKNOWN
30780

Source: SECUNIA
Type: UNKNOWN
31497

Source: GENTOO
Type: UNKNOWN
GLSA-200804-28

Source: CCN
Type: SECTRACK ID: 1019308
Java Runtime Environment Lets Remote Applets and Applications Gain Elevated Privileges

Source: SUNALERT
Type: UNKNOWN
231261

Source: CCN
Type: Sun Alert ID: 231261
Two Vulnerabilities in the Java Runtime Environment May Independently Allow an Untrusted Application or Applet to Elevate Privileges

Source: CCN
Type: ASA-2008-060
java-1.5.0-sun security update (RHSA-2008-0123)

Source: CCN
Type: ASA-2008-073
Two Vulnerabilities in the Java Runtime Environment May Independently Allow an Untrusted Application or Applet to Elevate Privileges (Sun 231261)

Source: CCN
Type: ASA-2008-104
java-1.5.0-bea security update (RHSA-2008-0156)

Source: CCN
Type: ASA-2008-147
java-1.5.0-ibm security update (RHSA-2008-0210)

Source: CCN
Type: GLSA 200804-28
JRockit: Multiple vulnerabilities

Source: CCN
Type: GLSA-200804-20
Sun JDK/JRE: Multiple vulnerabilities

Source: GENTOO
Type: UNKNOWN
GLSA-200804-20

Source: GENTOO
Type: UNKNOWN
GLSA-200806-11

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0123

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0156

Source: REDHAT
Type: UNKNOWN
RHSA-2008:0210

Source: BID
Type: UNKNOWN
27650

Source: CCN
Type: BID-27650
Sun Java RunTime Environment Read and Write Permission Multiple Privilege Escalation Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1019308

Source: CCN
Type: VMSA-2008-0010
Updated Tomcat and Java JRE packages for VMware ESX 3.5

Source: CONFIRM
Type: UNKNOWN
http://www.vmware.com/security/advisories/VMSA-2008-0010.html

Source: VUPEN
Type: UNKNOWN
ADV-2008-0429

Source: VUPEN
Type: UNKNOWN
ADV-2008-1252

Source: VUPEN
Type: UNKNOWN
ADV-2008-1856

Source: XF
Type: UNKNOWN
sun-jre-unspecified-privilege-escalation(40298)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:11505

Source: CCN
Type: BEA08-201.00
Multiple Security Vulnerabilities in the Java Runtime Environment

Source: SUSE
Type: SUSE-SA:2008:025
IBM Java security update

Vulnerable Configuration:

Configuration 1:

cpe:/a:sun:jre:*:update13:*:*:*:*:*:* (Version <= 1.5.0)

OR cpe:/a:sun:jre:*:update1:*:*:*:*:*:* (Version <= 1.6.0)

Configuration 2:

cpe:/a:sun:jdk:*:*:*:*:*:*:*:* (Version <= 5.0_update13)

OR cpe:/a:sun:jre:*:update1:*:*:*:*:*:* (Version <= 1.6.0)

Configuration RedHat 1:

cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:rhel_extras:5:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:sun:jre:1.5.0:-:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update3:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.6.0:-:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:-:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update10:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update11:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update7:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update8:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update9:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update10:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update11:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:-:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update1:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update11_b03:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update12:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update2:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update3:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update4:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update5:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update6:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update7:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update7_b03:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update8:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update9:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.6.0:update1:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update1:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update12:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update13:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update2:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update4:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update5:*:*:*:*:*:*

OR cpe:/a:sun:jre:1.5.0:update6:*:*:*:*:*:*

OR cpe:/a:sun:jdk:1.5.0:update13:*:*:*:*:*:*

AND

cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

OR cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*

OR cpe:/o:novell:suse_linux_enterprise_server:10:sp2:itanium_ia64:*:*:*:*:*

OR cpe:/a:novell:open_enterprise_server:*:*:*:*:*:*:*:*

OR cpe:/a:vmware:esx_server:3.5:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20080657	V	CVE-2008-0657	2022-05-20
oval:org.mitre.oval:def:22529	P	ELSA-2008:0210: java-1.5.0-ibm security update (Critical)	2014-05-26
oval:org.mitre.oval:def:22586	P	ELSA-2008:0123: java-1.5.0-sun security update (Critical)	2014-05-26
oval:org.mitre.oval:def:22691	P	ELSA-2008:0156: java-1.5.0-bea security update (Moderate)	2014-05-26
oval:org.mitre.oval:def:11505	V	Multiple unspecified vulnerabilities in the Java Runtime Environment in Sun JDK and JRE 6 Update 1 and earlier, and 5.0 Update 13 and earlier, allow context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs.	2010-09-06
oval:com.redhat.rhsa:def:20080210	P	RHSA-2008:0210: java-1.5.0-ibm security update (Critical)	2008-04-03
oval:com.redhat.rhsa:def:20080123	P	RHSA-2008:0123: java-1.5.0-sun security update (Critical)	2008-03-20
oval:com.redhat.rhsa:def:20080156	P	RHSA-2008:0156: java-1.5.0-bea security update (Moderate)	2008-03-05

BACK