CVE-2005-3904
CVSS7.5
Published: 2005-11-30 06:03:00
Revised: 2011-03-07 21:27:21
[Original] Unspecified vulnerability in Java Management Extensions (JMX) in Java JDK and JRE 5.0 Update 3, 1.4.2 and later, 1.3.1 and later allows remote attackers to escape the Java sandbox and access arbitrary files or execute arbitrary application via unknown attack vectors.


[CNNVD] Sun JDK and JRE JMX unspecified vulnerability (CNNVD-200511-495)

        Java Development Kit (JDK) is the Java development package; Java Runtime Environment (JRE) is the Java runtime environment.
        An unspecified vulnerability exists in Java Management Extensions (JMX) in Java JDK and JRE 5.0 Update 3, 1.4.2 and later, and 1.3.1 and later. It could let remote attackers bypass the Java sandbox via unknown attack vectors and access arbitrary files or execute arbitrary applications.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause performance degradation or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:sun:jre:1.3.0:update5  (Sun J2RE 1.3.0_05)
cpe:/a:sun:jre:1.5.0  (Sun JRE 1.5.0)
cpe:/a:sun:jre:1.4.2:update5
cpe:/a:sun:jdk:1.5.0_03::windows
cpe:/a:sun:jre:1.3.1:update8  (Sun J2RE 1.3.1_08)
cpe:/a:sun:jre:1.5.0:update1  (Sun JRE 1.5.0_1, JRE 5.0 Update 1)
cpe:/a:sun:jdk:1.5.0_03::solaris
cpe:/a:sun:jre:1.3.0:update4  (Sun J2RE 1.3.0_04)
cpe:/a:sun:jre:1.4.2:update3
cpe:/a:sun:jre:1.3.0  (Sun J2RE 1.3.0)
cpe:/a:sun:jre:1.4.2:update2
cpe:/a:sun:jre:1.4.2  (Sun JRE 1.4.2)
cpe:/a:sun:jre:1.3.0:update1  (Sun J2RE 1.3.0_01)
cpe:/a:sun:jre:1.5.0:update3  (Sun JRE 1.5.0_3, JRE 5.0 Update 3)
cpe:/a:sun:jre:1.3.1:update15  (Sun J2RE 1.3.1_15)
cpe:/a:sun:jre:1.3.1:update4  (Sun J2RE 1.3.1_04)
cpe:/a:sun:jre:1.3.1  (Sun J2RE 1.3.1)
cpe:/a:sun:jre:1.5.0:update2  (Sun JRE 1.5.0_2, JRE 5.0 Update 2)
cpe:/a:sun:jre:1.3.0:update3  (Sun J2RE 1.3.0_03)
cpe:/a:sun:jre:1.3.1:update1a  (Sun JRE 1.3.1_01a)
cpe:/a:sun:jdk:1.5.0_03::linux
cpe:/a:sun:jre:1.4.2:update7
cpe:/a:sun:jre:1.4.2:update1
cpe:/a:sun:jre:1.3.1:update1  (Sun JRE 1.3.1_01)
cpe:/a:sun:jre:1.4.2:update8
cpe:/a:sun:jre:1.4.2:update4
cpe:/a:sun:jre:1.3.0:update2  (Sun J2RE 1.3.0_02)
cpe:/a:sun:jre:1.4.2:update6
cpe:/a:sun:jre:1.4.1  (JRE 1.4.1)

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3904
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3904
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200511-495
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/931684
(UNKNOWN)  CERT-VN  VU#931684
http://secunia.com/advisories/17748
(VENDOR_ADVISORY)  SECUNIA  17748
http://www.vupen.com/english/advisories/2005/2946
(UNKNOWN)  VUPEN  ADV-2005-2946
http://www.vupen.com/english/advisories/2005/2675
(UNKNOWN)  VUPEN  ADV-2005-2675
http://www.vupen.com/english/advisories/2005/2636
(UNKNOWN)  VUPEN  ADV-2005-2636
http://www.securityfocus.com/bid/15615
(UNKNOWN)  BID  15615
http://sunsolve.sun.com/searchproxy/document.do?assetkey=1-26-102017-1
(VENDOR_ADVISORY)  SUNALERT  102017
http://xforce.iss.net/xforce/xfdb/23252
(UNKNOWN)  XF  sun-jmx-elevate-privileges(23252)
http://www-1.ibm.com/support/docview.wss?uid=swg21225628
(UNKNOWN)  CONFIRM  http://www-1.ibm.com/support/docview.wss?uid=swg21225628
http://securitytracker.com/id?1015281
(UNKNOWN)  SECTRACK  1015281
http://secunia.com/advisories/18503
(UNKNOWN)  SECUNIA  18503
http://secunia.com/advisories/18092
(UNKNOWN)  SECUNIA  18092
http://secunia.com/advisories/17847
(UNKNOWN)  SECUNIA  17847
http://lists.apple.com/archives/security-announce/2005/Nov/msg00004.html
(UNKNOWN)  APPLE  APPLE-SA-2005-11-30

- Vulnerability information

Sun JDK and JRE JMX unspecified vulnerability
High risk    Insufficient data
2005-11-30 00:00:00 2005-11-30 00:00:00
Remote

- Advisories and patches

        No data available

- Vulnerability information

21235
Sun Java JRE Java Management Extensions (JMX) Unspecified Applet Privilege Escalation

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-11-28 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Sun Java Runtime Environment Multiple Privilege Escalation Vulnerabilities
Unknown 15615
Yes No
2005-11-28 12:00:00 2006-04-19 08:26:00
Discovery is credited to Adam Gowdiak.

- Affected program versions

Turbolinux Turbolinux Server 10.0 x86
Turbolinux Turbolinux Server 10.0
Turbolinux Turbolinux Desktop 10.0
Turbolinux Turbolinux FUJI
Turbolinux Turbolinux 10 F...
TurboLinux Personal
TurboLinux Multimedia
Turbolinux Home
Turbolinux Appliance Server Workgroup Edition 1.0
Turbolinux Appliance Server Hosting Edition 1.0
Turbolinux Appliance Server 1.0 Workgroup Edition
Turbolinux Appliance Server 1.0 Hosting Edition
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
Sun SDK (Windows Production Release) 1.4.2 _08
Sun SDK (Windows Production Release) 1.4.2 _05
Sun SDK (Windows Production Release) 1.4.2 _04
Sun SDK (Windows Production Release) 1.4.2 _03
Sun SDK (Windows Production Release) 1.4.2
Sun SDK (Windows Production Release) 1.4.1 _03
Sun SDK (Windows Production Release) 1.4.1 _02
Sun SDK (Windows Production Release) 1.4.1 _01
Sun SDK (Windows Production Release) 1.4.1
Sun SDK (Windows Production Release) 1.4 .0_4
Sun SDK (Windows Production Release) 1.4 .0_03
Sun SDK (Windows Production Release) 1.4 .0_02
Sun SDK (Windows Production Release) 1.4 .0_01
Sun SDK (Windows Production Release) 1.4
Sun SDK (Windows Production Release) 1.3.1 _15
Sun SDK (Windows Production Release) 1.3.1 _14
Sun SDK (Windows Production Release) 1.3.1 _13
Sun SDK (Windows Production Release) 1.3.1 _12
Sun SDK (Windows Production Release) 1.3.1 _11
Sun SDK (Windows Production Release) 1.3.1 _10
Sun SDK (Windows Production Release) 1.3.1 _09
Sun SDK (Windows Production Release) 1.3.1 _08
Sun SDK (Windows Production Release) 1.3.1 _07
Sun SDK (Windows Production Release) 1.3.1 _06
Sun SDK (Windows Production Release) 1.3.1 _05
Sun SDK (Windows Production Release) 1.3.1 _04
Sun SDK (Windows Production Release) 1.3.1 _03
Sun SDK (Windows Production Release) 1.3.1 _02
Sun SDK (Windows Production Release) 1.3.1 _01a
Sun SDK (Windows Production Release) 1.3 .0_05
Sun SDK (Windows Production Release) 1.3 .0_02
Sun SDK (Solaris Production Release) 1.4.2 _08
Sun SDK (Solaris Production Release) 1.4.2 _05
Sun SDK (Solaris Production Release) 1.4.2 _04
Sun SDK (Solaris Production Release) 1.4.2 _03
Sun SDK (Solaris Production Release) 1.4.2
Sun SDK (Solaris Production Release) 1.4.1 _03
Sun SDK (Solaris Production Release) 1.4.1 _02
Sun SDK (Solaris Production Release) 1.4.1 _01
Sun SDK (Solaris Production Release) 1.4.1
Sun SDK (Solaris Production Release) 1.4 .0_4
Sun SDK (Solaris Production Release) 1.4 .0_03
Sun SDK (Solaris Production Release) 1.4 .0_02
Sun SDK (Solaris Production Release) 1.4
Sun SDK (Solaris Production Release) 1.3.1 _15
Sun SDK (Solaris Production Release) 1.3.1 _14
Sun SDK (Solaris Production Release) 1.3.1 _13
Sun SDK (Solaris Production Release) 1.3.1 _12
Sun SDK (Solaris Production Release) 1.3.1 _11
Sun SDK (Solaris Production Release) 1.3.1 _10
Sun SDK (Solaris Production Release) 1.3.1 _09
Sun SDK (Solaris Production Release) 1.3.1 _08
Sun SDK (Solaris Production Release) 1.3.1 _07
Sun SDK (Solaris Production Release) 1.3.1 _06
Sun SDK (Solaris Production Release) 1.3.1 _05
Sun SDK (Solaris Production Release) 1.3.1 _03
Sun SDK (Solaris Production Release) 1.3.1 _02
Sun SDK (Solaris Production Release) 1.3.1 _01
Sun SDK (Solaris Production Release) 1.3 _05
Sun SDK (Solaris Production Release) 1.3 _02
Sun SDK (Solaris Production Release) 1.3 .0_02
Sun SDK (Solaris Production Release) 1.3
Sun SDK (Linux Production Release) 1.4.2 _08
Sun SDK (Linux Production Release) 1.4.2 _05
Sun SDK (Linux Production Release) 1.4.2 _04
Sun SDK (Linux Production Release) 1.4.2 _03
Sun SDK (Linux Production Release) 1.4.2 _02
Sun SDK (Linux Production Release) 1.4.2 _01
Sun SDK (Linux Production Release) 1.4.2
Sun SDK (Linux Production Release) 1.4.1 _03
Sun SDK (Linux Production Release) 1.4.1 _02
Sun SDK (Linux Production Release) 1.4.1 _01
Sun SDK (Linux Production Release) 1.4.1
Sun SDK (Linux Production Release) 1.4 .0_4
Sun SDK (Linux Production Release) 1.4 .0_03
Sun SDK (Linux Production Release) 1.4 .0_02
Sun SDK (Linux Production Release) 1.4
Sun SDK (Linux Production Release) 1.3.1 _15
Sun SDK (Linux Production Release) 1.3.1 _14
Sun SDK (Linux Production Release) 1.3.1 _13
Sun SDK (Linux Production Release) 1.3.1 _12
Sun SDK (Linux Production Release) 1.3.1 _11
Sun SDK (Linux Production Release) 1.3.1 _10
Sun SDK (Linux Production Release) 1.3.1 _09
Sun SDK (Linux Production Release) 1.3.1 _08
Sun SDK (Linux Production Release) 1.3.1 _07
Sun SDK (Linux Production Release) 1.3.1 _06
Sun SDK (Linux Production Release) 1.3.1 _05
Sun SDK (Linux Production Release) 1.3.1 _03
Sun SDK (Linux Production Release) 1.3.1 _02
Sun SDK (Linux Production Release) 1.3.1 _01
Sun SDK (Linux Production Release) 1.3 _05
Sun SDK (Linux Production Release) 1.3 _02
Sun SDK (Linux Production Release) 1.3 .0_02
Sun JRE (Solaris Production Release) 1.3.1
Sun JRE (Solaris Production Release) 1.3 _04
Sun JRE (Solaris Production Release) 1.3 _03
Sun JRE (Solaris Production Release) 1.3 _01
Sun JRE (Linux Production Release) 1.5 _05
Sun JRE (Linux Production Release) 1.5 _04
Sun JRE (Linux Production Release) 1.5 _03
Sun JRE (Linux Production Release) 1.5 _02
Sun JRE (Linux Production Release) 1.5 _01
Sun JRE (Linux Production Release) 1.4.2 _09
Sun JRE (Linux Production Release) 1.4.2 _08
Sun JRE (Linux Production Release) 1.4.2 _07
Sun JRE (Linux Production Release) 1.3.1 _16
Sun JRE (Linux Production Release) 1.3.1 _15
Sun JRE (Linux Production Release) 1.3.1 _04
Sun JRE (Linux Production Release) 1.3.1 _01a
Sun JDK (Windows Production Release) 1.5 .0_03
Sun JDK (Solaris Production Release) 1.5 .0_03
Sun JDK (Linux Production Release) 1.5.0.0_03
Sun Java 2 Runtime Environment 1.5
Sun Java 2 Runtime Environment 1.4.2 _06
Sun Java 2 Runtime Environment 1.4.2 _05
Sun Java 2 Runtime Environment 1.4.2 _04
Sun Java 2 Runtime Environment 1.4.2 _03
+ Oracle Oracle10g Application Server 10.1 .0.2
+ Oracle Oracle10g Enterprise Edition 10.1 .0.2
+ Oracle Oracle10g Personal Edition 10.1 .0.2
+ Oracle Oracle10g Standard Edition 10.1 .0.2
Sun Java 2 Runtime Environment 1.4.2 _02
Sun Java 2 Runtime Environment 1.4.2 _01
Sun Java 2 Runtime Environment 1.4.2
Sun Java 2 Runtime Environment 1.4.1
Sun Java 2 Runtime Environment 1.3.1 _08
Sun Java 2 Runtime Environment 1.3.1 _01
Sun Java 2 Runtime Environment 1.3 _05
Sun Java 2 Runtime Environment 1.3 _02
Sun Java 2 Runtime Environment 1.3
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. SuSE Linux Openexchange Server 4.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.0 x86_64
S.u.S.E. Linux Professional 9.0
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
IBM Websphere Application Server 6.0.2
IBM Websphere Application Server 5.1.1 .9
IBM Websphere Application Server 5.1.1 .8
IBM Websphere Application Server 5.1.1 .7
IBM Websphere Application Server 5.1.1 .6
IBM Websphere Application Server 5.1.1 .5
IBM Websphere Application Server 5.1.1 .4
IBM Websphere Application Server 5.1.1 .3
IBM Websphere Application Server 5.1.1 .2
IBM Websphere Application Server 5.1.1 .10
IBM Websphere Application Server 5.1.1 .1
IBM Websphere Application Server 5.1.1
IBM Websphere Application Server 5.0.2 .9
IBM Websphere Application Server 5.0.2 .8
IBM Websphere Application Server 5.0.2 .7
IBM Websphere Application Server 5.0.2 .6
IBM Websphere Application Server 5.0.2 .5
IBM Websphere Application Server 5.0.2 .4
IBM Websphere Application Server 5.0.2 .3
IBM Websphere Application Server 5.0.2 .2
IBM Websphere Application Server 5.0.2 .16
IBM Websphere Application Server 5.0.2 .15
IBM Websphere Application Server 5.0.2 .14
IBM Websphere Application Server 5.0.2 .13
IBM Websphere Application Server 5.0.2 .12
IBM Websphere Application Server 5.0.2 .11
IBM Websphere Application Server 5.0.2 .10
IBM Websphere Application Server 5.0.2 .1
IBM Websphere Application Server 5.0.2
IBM Java SDK 1.4.2
IBM Java SDK 1.3.1
Gentoo Linux
Blackdown Java 2 Standard Edition SDK 1.4.2 -02
Blackdown Java 2 Standard Edition SDK 1.4.2 -01
Blackdown Java 2 Standard Edition SDK 1.4.2
Blackdown Java 2 Standard Edition SDK 1.4.1
Blackdown Java 2 Runtime Environment 1.4.2 -02
Blackdown Java 2 Runtime Environment 1.4.2 -01
Blackdown Java 2 Runtime Environment 1.4.2
Blackdown Java 2 Runtime Environment 1.4.1
Apple Mac OS X Server 10.4.5
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4
Apple Mac OS X 10.3.9
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Sun JRE (Linux Production Release) 1.3.1 _17
Sun Java 2 Runtime Environment 1.5 _06
Sun Java 2 Runtime Environment 1.4.2 _10
IBM Java SDK 1.4.2 SR3
IBM Java SDK 1.3.1 SR9

- Unaffected program versions

Sun JRE (Linux Production Release) 1.3.1 _17
Sun Java 2 Runtime Environment 1.5 _06
Sun Java 2 Runtime Environment 1.4.2 _10
IBM Java SDK 1.4.2 SR3
IBM Java SDK 1.3.1 SR9

- Vulnerability discussion

Sun JRE is susceptible to various privilege-escalation vulnerabilities.

These issues can allow remote Java applications to read/write local files and execute arbitrary applications in the context of an affected user.

Further details are not available at this time. This BID will be updated as more information is disclosed.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

Fixes are available. Please see the referenced advisories for further information.


- References
