Impact: Execution of arbitrary code via network
Vendor Confirmed: Yes
Version(s): 1.4 (with PointBase 4.6)
Description: A vulnerability was reported in the Java J2EE reference implementation when running the included PointBase database. A remote user can inject SQL commands to execute arbitrary binaries on the target system.
Illegalaccess.org reported that a remote user can run specially crafted SQL statements to cause arbitrary executables on the target system to be executed.
The vulnerability is due to inadequate security settings and library bugs in the sun.* and org.apache.* packages in JDK 1.4.2_02 when PointBase is run without a fine-tuned security manager, according to the report.
A remote user may also be able to cause denial of service conditions or gain information about the target system, the report said.
The vendor was reportedly notified on November 29, 2003.
Impact: A remote user can cause arbitrary binaries on the target system to be executed.
Solution: No solution was available at the time of this entry. According to the report, the vendor has indicated that this is not a flaw in J2EE.
A potential workaround is described in the Source Message.
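As an added illustration of the "fine-tuned security manager" the report refers to (constructed for this entry, not text from the advisory and not a vendor-supplied configuration): a Java 2 policy file that grants the PointBase code base only the rights a database server needs and withholds the file execute right. The code base path, data directory and listener port are assumptions.

```text
// Constructed example policy (pointbase.policy); paths and port are placeholders.
// Start the server under a security manager with this policy as the only policy:
//   java -Djava.security.manager -Djava.security.policy==pointbase.policy ...
grant codeBase "file:/opt/j2ee/pointbase/lib/-" {
    // Database files: read/write/delete only inside the assumed data directory
    permission java.io.FilePermission "/opt/j2ee/pointbase/data/-", "read,write,delete";
    // Accept JDBC client connections on the assumed listener port only
    permission java.net.SocketPermission "localhost:9092", "listen,accept";
    // Read the server's own configuration properties
    permission java.util.PropertyPermission "pointbase.*", "read";
    // Deliberately absent: java.io.FilePermission "<<ALL FILES>>", "execute"
    // and java.lang.RuntimePermission "createClassLoader" / "setSecurityManager".
    // With no execute right granted, a Runtime.exec() reached through injected
    // SQL is rejected by the manager with an AccessControlException.
};
```

Any other code base in the server process (including sun.* and org.apache.* classes loaded from the JDK's own jars) keeps only the JDK's default permissions unless a separate grant entry is added, so the exact set above should be tuned against the server's logged AccessControlExceptions.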
Vendor URL: java.sun.com/j2ee/index.jsp
Cause: Access control error, Configuration error
Underlying OS: Windows (Any)
Underlying OS Comments: Tested on Windows XP
Reported By: Marc Schoenefeld
http://www.securitytracker.com/alerts/2003/Dec/1008491.html
