[Original] Oracle Java Virtual Machine (JVM) for Oracle 8.1.7 and Oracle Application Server 9iAS Release 22.214.171.124.1 allows remote attackers to read arbitrary files via the .jsp and .sqljsp file extensions when the server is configured to use the <<ALL FILES>> FilePermission.
[CNNVD] Oracle and Oracle Application Server Oracle Java Virtual Machine (JVM) arbitrary file read vulnerability (CNNVD-200105-073)
Oracle Java Virtual Machine (JVM) contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered by inappropriate file permission settings within a web domain: FilePermission granted to <<ALL FILES>>. This permits arbitrary file disclosure via .jsp and .sqljsp, resulting in a loss of confidentiality.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: grant permission to the explicit document root file path only.
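
The workaround above, sketched as an added example (not part of the original advisory). It assumes the JVM permissions are held in the database policy table and managed through the `DBA_JAVA_POLICY` view and the `DBMS_JAVA` package; the grantee `WEBDOMAIN_OWNER` and the path `/u01/app/docroot` are hypothetical placeholders for the web domain's schema and its document root.

```sql
-- Added example. WEBDOMAIN_OWNER and /u01/app/docroot are hypothetical
-- placeholders; substitute the schema and document root actually in use.

-- 1. Audit: list every enabled FilePermission grant that covers all files.
SELECT kind, grantee, type_schema, type_name, name, action, enabled, seq
  FROM dba_java_policy
 WHERE type_name = 'java.io.FilePermission'
   AND name      = '<<ALL FILES>>'
   AND enabled   = 'ENABLED'
 ORDER BY grantee, seq;

-- 2. Remediate: remove the broad grant and replace it with a grant that is
--    limited to the explicit document root. The action string passed to
--    revoke_permission must match the ACTION value reported by the audit
--    query (for example 'read' or 'read,write').
BEGIN
  dbms_java.revoke_permission(
    'WEBDOMAIN_OWNER',
    'SYS:java.io.FilePermission',
    '<<ALL FILES>>',
    'read');

  -- A trailing "/-" in a FilePermission path covers the directory and
  -- everything beneath it, recursively, and nothing outside it.
  dbms_java.grant_permission(
    'WEBDOMAIN_OWNER',
    'SYS:java.io.FilePermission',
    '/u01/app/docroot/-',
    'read');
END;
/

-- 3. Verify: the audit query from step 1 should now return no rows for
--    this grantee, and the scoped grant should be listed.
SELECT grantee, name, action, enabled
  FROM dba_java_policy
 WHERE grantee   = 'WEBDOMAIN_OWNER'
   AND type_name = 'java.io.FilePermission';
```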