Rapid7 Vulnerability & Exploit Database

CESA-2008:0156: java-1.5.0-bea security update




The BEA WebLogic JRockit 1.5.0_14 JRE and SDK contain BEA WebLogic JRockit Virtual Machine 1.5.0_14 and are certified for the Java 5 Platform, Standard Edition, v1.5.0.

A flaw in the applet caching mechanism of the Java Runtime Environment (JRE) did not correctly process the creation of network connections. A remote attacker could use this flaw to create connections to services on machines other than the one that the applet was downloaded from. (CVE-2007-5232)

Untrusted Java Applets were able to drag and drop a file to a Desktop Application. A user-assisted remote attacker could use this flaw to move or copy arbitrary files. (CVE-2007-5239)

The Java Runtime Environment (JRE) allowed untrusted Java Applets or applications to display oversized windows. This could be used by remote attackers to hide security warning banners. (CVE-2007-5240)

Unsigned Java Applets communicating via an HTTP proxy could allow a remote attacker to violate the Java security model. A cached, malicious Applet could create network connections to services on other machines. (CVE-2007-5273)

Two vulnerabilities in the Java Runtime Environment allowed an untrusted application or applet to elevate the assigned privileges. This could be misused by a malicious website to read and write local files or execute local applications in the context of the user running the Java process. (CVE-2008-0657)

Those vulnerabilities concerned with applets can only be triggered in java-1.5.0-bea by calling the 'appletviewer' application.

All users of java-1.5.0-bea should upgrade to these updated packages, which contain the BEA WebLogic JRockit 1.5.0_14 release that resolves these issues.


  • centos-upgrade-java-1-5-0-bea
  • centos-upgrade-java-1-5-0-bea-demo
  • centos-upgrade-java-1-5-0-bea-devel
  • centos-upgrade-java-1-5-0-bea-jdbc
  • centos-upgrade-java-1-5-0-bea-missioncontrol
  • centos-upgrade-java-1-5-0-bea-src
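As an added check that is not part of the Rapid7 page or the CentOS advisory: the script below reads `rpm -qa` output (a constructed sample here) and flags any of the six packages listed above whose installed version predates the JRockit 1.5.0_14 release. It assumes the fixed packages carry RPM version 1.5.0.14 (the JRockit release number in RPM form); the sample release strings are constructed, so confirm the real NVR from the advisory before relying on it.

```python
# Added check, not from the advisory: flag installed java-1.5.0-bea packages that
# predate JRockit 1.5.0_14. FIXED_VERSION is an assumed RPM form of that release.

# The six packages the advisory tells users to upgrade.
AFFECTED = {
    "java-1.5.0-bea",
    "java-1.5.0-bea-demo",
    "java-1.5.0-bea-devel",
    "java-1.5.0-bea-jdbc",
    "java-1.5.0-bea-missioncontrol",
    "java-1.5.0-bea-src",
}

# Assumed RPM version of JRockit 1.5.0_14; verify against the real package NVR.
FIXED_VERSION = "1.5.0.14"


def split_nvr(line):
    """Split 'name-version-release'. The package names here contain hyphens and
    digits themselves, so the split must come from the right, not the left."""
    name, version, release = line.strip().rsplit("-", 2)
    return name, version, release


def version_key(version):
    """Turn '1.5.0.14' into a comparable tuple; non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def outdated_packages(rpm_qa_output, fixed=FIXED_VERSION):
    """Return affected packages from `rpm -qa` output whose version is below `fixed`."""
    found = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, version, release = split_nvr(line)
        if name in AFFECTED and version_key(version) < version_key(fixed):
            found.append(f"{name}-{version}-{release}")
    return found


# Constructed sample of `rpm -qa` output, not taken from a real host.
SAMPLE = """\
java-1.5.0-bea-1.5.0.11-1jpp.2.el5
java-1.5.0-bea-devel-1.5.0.11-1jpp.2.el5
java-1.5.0-bea-jdbc-1.5.0.14-1jpp.el5
bash-3.2-21.el5
"""
```

Only the version field is compared; if the fix ships as a release bump of the same version, extend the comparison to the release field as well.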
