CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS
Percentile
96.3%
The remote host is using an unmanaged version of Sun Java Runtime Environment that has vulnerabilities in its Java Runtime Plug-in, a web browser add-on used to display Java applets :
An untrusted applet may escalate its privileges in order to read, write or execute files on the remote system.
An untrusted applet may interfere with trusted applets loaded on the same page.
A remote attacker could exploit these by tricking a user into visiting a maliciously crafted web page.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(64835);
script_version("1.8");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
script_cve_id("CVE-2004-1029");
script_bugtraq_id(11726, 11766, 12317);
script_xref(name:"SECUNIA", value:"13271");
script_name(english:"Sun Java JRE Plug-in Capability Arbitrary Package Access (Unix)");
script_set_attribute(attribute:"synopsis", value:
"The remote Unix host has an application that is affected by a security
bypass vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote host is using an unmanaged version of Sun Java Runtime
Environment that has vulnerabilities in its Java Runtime Plug-in, a web
browser add-on used to display Java applets :
- An untrusted applet may escalate its privileges in
order to read, write or execute files on the remote system.
- An untrusted applet may interfere with trusted applets
loaded on the same page.
A remote attacker could exploit these by tricking a user into visiting a
maliciously crafted web page.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Nov/1059");
# https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=158
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0d0f6ddb");
# http://web.archive.org/web/20080509045543/http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e3d3f10");
script_set_attribute(attribute:"solution", value:
"Upgrade to JDK 1.3.1_13 / JRE 1.4.2_06 or later.");
script_set_attribute(attribute:"agent", value:"unix");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(264);
script_set_attribute(attribute:"vuln_publication_date", value:"2004/11/22");
script_set_attribute(attribute:"patch_publication_date", value:"2004/11/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:jre");
script_set_attribute(attribute:"thorough_tests", value:"true");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2013-2022 Tenable Network Security, Inc.");
script_dependencies("sun_java_jre_installed_unix.nasl");
script_require_keys("Host/Java/JRE/Installed");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
# Check each installed JRE.
installs = get_kb_list_or_exit("Host/Java/JRE/Unmanaged/*");
info = "";
vuln = 0;
vuln2 = 0;
installed_versions = "";
granular = "";
foreach install (list_uniq(keys(installs)))
{
ver = install - "Host/Java/JRE/Unmanaged/";
if (ver !~ "^[0-9.]+") continue;
installed_versions = installed_versions + " & " + ver;
if (ver =~ "^1\.(3\.(0.*|1[^_].*|1_[0-9][^0-9].*|1_1[0-2].*)|4\.([0-1]\..*|2_0[0-5].*))")
{
dirs = make_list(get_kb_list(install));
vuln += max_index(dirs);
foreach dir (dirs)
info += '\n Path : ' + dir;
info += '\n Installed version : ' + ver;
info += '\n Fixed version : 1.3.1_13 / 1.4.2_06\n';
}
else if (ver =~ "^[\d\.]+$")
{
dirs = make_list(get_kb_list(install));
foreach dir (dirs)
granular += "The Oracle Java version "+ver+" at "+dir+" is not granular enough to make a determination."+'\n';
}
else
{
dirs = make_list(get_kb_list(install));
vuln2 += max_index(dirs);
}
}
# Report if any were found to be vulnerable.
if (info)
{
if (report_verbosity)
{
if (vuln > 1) s = "s of Sun's JRE are";
else s = " of Sun's JRE is";
report = string(
"\n",
"The following vulnerable instance", s, " installed on the\n",
"remote host :\n",
info
);
security_hole(port:0, extra:report);
}
else security_hole(0);
if (granular) exit(0, granular);
}
else
{
if (granular) exit(0, granular);
installed_versions = substr(installed_versions, 3);
if (vuln2 > 1)
exit(0, "The Java "+installed_versions+" installs on the remote host are not affected.");
else
exit(0, "The Java "+installed_versions+" install on the remote host is not affected.");
}