
Vulnerability in Java J2EE

Dec 17, 2003 1:05AM PST

Impact: Execution of arbitrary code via network
Vendor Confirmed: Yes
Version(s): 1.4 (with PointBase 4.6)

Description: A vulnerability was reported in the Java J2EE reference implementation when running the included PointBase database. A remote user can inject SQL commands to execute arbitrary binaries on the target system.

Illegalaccess.org reported that a remote user can run specially crafted SQL statements to cause arbitrary executables on the target system to be executed.

The vulnerability is due to inadequate security settings and library bugs in the sun.* and org.apache.* packages in jdk 1.4.2_02 when running pointbase without a fine-tuned security manager, according to the report.

A remote user may also be able to cause denial of service conditions or gain information about the target system, the report said.

The vendor was reportedly notified on November 29, 2003.

Impact: A remote user can cause arbitrary binaries on the target system to be executed.

Solution: No solution was available at the time of this entry. According to the report, the vendor has indicated that this is not a flaw in J2EE.

A potential workaround is described in the Source Message.

Vendor URL: java.sun.com/j2ee/index.jsp
Cause: Access control error, Configuration error
Underlying OS: Windows (Any)
Underlying OS Comments: Tested on Windows XP
Reported By: Marc Schoenefeld

http://www.securitytracker.com/alerts/2003/Dec/1008491.html
