Security hole in Java may expose servers

A Sun advisory warns customers of a vulnerability in Java versions 1.1 and 1.2, but says Internet Explorer and Netscape aren't affected.

Robert Lemos, Staff Writer, CNET News.com
Sun Microsystems has revealed a security hole in several versions of a critical component of Java that could allow an attacker to run harmful programs on a victim's computer.

The vulnerability appears in versions of the Java Runtime Environment that Sun has released for servers running Windows, Linux and Sun's Solaris operating systems. However, the company asserts that the flaw doesn't affect the Java components included in Microsoft's Internet Explorer and Netscape's Navigator browsers.

Sun posted the bulletin to Bugtraq late Wednesday. Sun could not immediately be reached for comment.

The advisory stressed that the flaw most likely affects only a few of the servers running Java. "The circumstances necessary to exploit this vulnerability are relatively rare," the company said in the bulletin.

Specifically, an administrator must already have granted Java code permission to execute at least one other command; permission to run commands is not granted by default, so a server running with the default policy is not in the vulnerable configuration.
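The practical check that follows from this precondition is whether the JRE's policy grants any code the "execute" action. On Java 2 (JRE 1.2), one of the affected versions named in the article, such grants live in a policy file as java.io.FilePermission entries with an "execute" action. The script below is an added example, not code from Sun's advisory or from the JRE; the policy files it scans are constructed samples, and the paths in them (/opt/app/lib, /usr/local/bin/convert) are hypothetical.

```shell
#!/bin/sh
# Added example: scan a Java 2 policy file for java.io.FilePermission grants
# that carry the "execute" action. A policy with no such grant does not meet
# the precondition the advisory describes. Policy syntax is real; the sample
# files written below are constructed for this example.

# has_exec_grant FILE
#   Returns 0 if FILE grants java.io.FilePermission with an "execute" action,
#   1 otherwise. Line comments (//) are stripped first so a commented-out grant
#   does not count; the grant is joined onto one line so a grant wrapped over
#   several lines still matches.
has_exec_grant() {
    sed -E 's#(^|[[:space:]])//.*$##' "$1" | tr '\n' ' ' | \
        grep -Eiq 'permission[[:space:]]+java\.io\.FilePermission[[:space:]]+"[^"]*"[[:space:]]*,[[:space:]]*"[^"]*execute[^"]*"'
}

# make_default_policy
#   Writes a constructed policy resembling a default: reads only, no execute.
#   Prints the path of the temporary file.
make_default_policy() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
grant {
    permission java.util.PropertyPermission "java.version", "read";
    permission java.io.FilePermission "${java.home}/lib/-", "read";
    // permission java.io.FilePermission "/bin/ls", "execute";  (commented out)
};
EOF
    echo "$f"
}

# make_weak_policy
#   Writes a constructed policy in which an administrator has granted one
#   execute permission to a hypothetical application code base. This is the
#   "relatively rare" configuration the advisory warns about.
make_weak_policy() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
grant codeBase "file:/opt/app/lib/-" {
    permission java.io.FilePermission "/usr/local/bin/convert",
        "execute";
};
EOF
    echo "$f"
}

# Stand-alone demonstration: report the status of both sample policies.
report() {
    if has_exec_grant "$1"; then
        echo "$2: grants execute permission; in scope for the advisory"
    else
        echo "$2: no execute grant; default-style policy"
    fi
}

default_policy=$(make_default_policy)
weak_policy=$(make_weak_policy)
report "$default_policy" "default sample"
report "$weak_policy" "weak sample"
rm -f "$default_policy" "$weak_policy"
```

To use it against a real installation, point has_exec_grant at the JRE's policy file (by default lib/security/java.policy under the JRE home on a Java 2 installation) and at any per-user or application policy files the server loads. The check is deliberately narrow: it only answers whether an execute grant exists, which is the condition the advisory names; it does not attempt to reproduce the flaw itself.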

In a separate advisory, Hewlett-Packard warned customers as early as last week that several of its servers, including the HP9000, 700/800, and e3000, may have the vulnerable code and recommended that people upgrade their Java components.

Sun said it did not know whether the flaw affected other companies' Java implementations but had notified its licensees of the possibility.

The problem affects various releases of versions 1.1 and 1.2 of the Java Runtime Environment. Sun asks customers to upgrade their Java software to version 1.2.2_006 or later.

Sun's newest suite of Java components, known as Java 2, does not have the security hole, the company said.