Vulnerability Name:

CVE-2009-1105 (CCN-49458)

Assigned: 2009-03-24
Published: 2009-03-24
Updated: 2018-10-10
Summary: The Java Plug-in in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 6 Update 12, 11, and 10 allows user-assisted remote attackers to cause a trusted applet to run in an older JRE version, which can be used to exploit vulnerabilities in that older version, aka CR 6706490.
CVSS v3 Severity: 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
6.8 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-Other
Vulnerability Consequences: Other
References:
Source: MITRE
Type: CNA
CVE-2009-1105

Source: HP
Type: UNKNOWN
SSRT090058

Source: CCN
Type: HP Security Bulletin HPSBMA02445 SSRT090058 rev.1
HP Serviceguard Manager, Remote Execution of Arbitrary Code, Denial of Service (DoS)

Source: APPLE
Type: UNKNOWN
APPLE-SA-2010-05-18-1

Source: SUSE
Type: UNKNOWN
SUSE-SA:2009:016

Source: SUSE
Type: UNKNOWN
SUSE-SA:2009:036

Source: HP
Type: UNKNOWN
HPSBUX02429

Source: CCN
Type: RHSA-2009-0392
Critical: java-1.6.0-sun security update

Source: CCN
Type: RHSA-2009-1038
Critical: java-1.5.0-ibm security update

Source: CCN
Type: RHSA-2009-1198
Critical: java-1.6.0-ibm security update

Source: CCN
Type: RHSA-2010-0043
Low: Red Hat Network Satellite Server IBM Java Runtime security update

Source: CCN
Type: SA34451
Sun Java JDK / JRE Multiple Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
34496

Source: SECUNIA
Type: UNKNOWN
35156

Source: SECUNIA
Type: UNKNOWN
35255

Source: SECUNIA
Type: UNKNOWN
36185

Source: SECUNIA
Type: UNKNOWN
37386

Source: CCN
Type: SA37460
VMware Products Update for Multiple Packages

Source: SECUNIA
Type: UNKNOWN
37460

Source: CCN
Type: SA39819
Apple Mac OS X update for Java

Source: SECUNIA
Type: UNKNOWN
39819

Source: GENTOO
Type: UNKNOWN
GLSA-200911-02

Source: CCN
Type: SECTRACK ID: 1021920
Java Plug-in Bugs Lets Remote Users Gain Privileges

Source: CCN
Type: Sun Alert ID: 254611
Multiple Security Vulnerabilities in Java Plug-in May Allow Privileges to be Escalated

Source: SUNALERT
Type: Patch, Vendor Advisory
254611

Source: CONFIRM
Type: UNKNOWN
http://support.apple.com/kb/HT4171

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2009-108.htm

Source: CCN
Type: ASA-2009-108
java-1.6.0-sun security update (RHSA-2009-0392)

Source: CCN
Type: ASA-2009-125
Multiple Security Vulnerabilities in Java Plug-in May Allow Privileges to be Escalated (Sun 254611)

Source: CCN
Type: ASA-2009-182
java-1.5.0-ibm security update (RHSA-2009-1038)

Source: REDHAT
Type: UNKNOWN
RHSA-2009:0392

Source: REDHAT
Type: UNKNOWN
RHSA-2009:1038

Source: BUGTRAQ
Type: UNKNOWN
20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components

Source: BID
Type: UNKNOWN
34240

Source: CCN
Type: BID-34240
Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1021920

Source: CONFIRM
Type: UNKNOWN
http://www.vmware.com/security/advisories/VMSA-2009-0016.html

Source: VUPEN
Type: UNKNOWN
ADV-2009-1426

Source: VUPEN
Type: UNKNOWN
ADV-2009-3316

Source: VUPEN
Type: UNKNOWN
ADV-2010-1191

Source: XF
Type: UNKNOWN
jre-plugin-weak-security(49458)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:6642

Source: REDHAT
Type: UNKNOWN
RHSA-2009:1198

Source: SUSE
Type: SUSE-SA:2009:016
Sun Java Security Update

Source: SUSE
Type: SUSE-SA:2009:036
IBM Java 6 SR 5 update

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:sun:java:*:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:rhel_extras:5:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:sun:jdk:1.6.0:update10:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.6.0:update12:*:*:*:*:*:*
  • OR cpe:/a:sun:jdk:1.6.0:update11:*:*:*:*:*:*
  • AND
  • cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
  • OR cpe:/a:redhat:rhel_extras:4:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:rhel_application_server:2:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:10.3:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:11.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20091105 | V | CVE-2009-1105 | 2022-05-20
oval:org.mitre.oval:def:21833 | P | ELSA-2009:0392: java-1.6.0-sun security update (Critical) | 2014-05-26
oval:org.mitre.oval:def:22725 | P | ELSA-2009:1038: java-1.5.0-ibm security update (Critical) | 2014-05-26
oval:org.mitre.oval:def:22876 | P | ELSA-2009:1198: java-1.6.0-ibm security update (Critical) | 2014-05-26
oval:org.mitre.oval:def:6642 | V | Sun Java Runtime Environment Java Plug-in weak security | 2014-01-20
oval:com.redhat.rhsa:def:20091198 | P | RHSA-2009:1198: java-1.6.0-ibm security update (Critical) | 2009-08-06
oval:com.redhat.rhsa:def:20091038 | P | RHSA-2009:1038: java-1.5.0-ibm security update (Critical) | 2009-05-18
oval:com.redhat.rhsa:def:20090392 | P | RHSA-2009:0392: java-1.6.0-sun security update (Critical) | 2009-03-26
Affected products (plain-name listing of the configurations above):
  • sun java *
  • sun jdk 1.6.0 update10
  • sun jdk 1.6.0 update12
  • sun jdk 1.6.0 update11
  • redhat linux advanced workstation 2.1
  • redhat rhel extras 4
  • redhat rhel application server 2
  • novell opensuse 10.3
  • novell opensuse 11.0