Description
Java Runtime Environment (JRE) Bytecode Verifier allows remote attackers to escape the Java sandbox and execute commands via an applet containing an illegal cast operation, as seen in (1) Microsoft VM build 3802 and earlier as used in Internet Explorer 4.x and 5.x, (2) Netscape 6.2.1 and earlier, and possibly other implementations that use vulnerable versions of SDK or JDK, aka a variant of the "Virtual Machine Verifier" vulnerability.
Products
- HP Java JRE-JDK 1.1.8
- HP Java JRE-JDK 1.2.2
- HP Java JRE-JDK 1.3
- Microsoft Virtual Machine 3802
- Sun JDK 1.1.8 _14
- Sun JDK 1.1.8 _008
- Sun JRE 1.1.8 _14
- Sun JRE 1.1.8 _008
- Sun JRE 1.2.2_010
- Sun J2RE 1.3.0_05
- Sun JRE 1.3.0 Update 5 for Linux
- Sun JRE 1.3.0 Update 5 for Solaris
- Sun JRE 1.3.0 Update 5 for Windows
- Sun JRE 1.3.1_01
- Sun JRE 1.3.1 Update 1 for Linux
- Sun JRE 1.3.1 Update 1 for Solaris
- Sun JRE 1.3.1_01a
- Sun JRE 1.3.1 Update 1a for Windows
- Sun SDK 1.2.2_010
- Sun SDK 1.2.2_10
- Sun SDK 1.3.1_01
- Sun SDK 1.3.1_01a
- Sun SDK 1.3_05
Questions to Ask Vendors
- Can you confirm whether your systems are affected by CVE-2002-0076, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2002-0076 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions
- Check out the advisory links provided below.
References