[e-lang] CVE-2009-2475
David Wagner
daw at cs.berkeley.edu
Tue Aug 11 23:45:13 EDT 2009

Does anyone know anything more about the Java vulnerability
CVE-2009-2475? The only information I could find (see below)
refers to problems with mutable static variables.

Would Joe-E have prevented these flaws? (Joe-E bans mutable
static variables.)

Several potential information leaks were found in various mutable static
variables. These could be exploited in application scenarios that execute
untrusted scripting code.
https://bugzilla.redhat.com/show_bug.cgi?id=513215

Sun Java SE 5.0 before Update 20 and 6 before Update 15,
and OpenJDK, might allow context-dependent attackers to obtain
sensitive information via vectors involving static variables that
are declared without the final keyword, related to (1) LayoutQueue,
(2) Cursor.predefined, (3) AccessibleResourceBundle.getContents,
(4) ImageReaderSpi.STANDARD_INPUT_TYPE, (5)
ImageWriterSpi.STANDARD_OUTPUT_TYPE, (6) the imageio plugins, (7)
DnsContext.debug, (8) RmfFileReader/StandardMidiFileWriter.types, (9)
AbstractSaslImpl.logger, (10) Synth.Region.uiToRegionMap/lowerCaseNameMap,
(11) the Introspector class and a cache of BeanInfo, and (12) JAX-WS,
a different vulnerability than CVE-2009-2673.
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2475
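
Added example, not part of the original post and not JDK or Joe-E code: the flaw class the advisories describe (static state shared across trust boundaries in one JVM) shown beside a hardened form, with a coarse reflective check a reviewer could run over a class. All class and field names are hypothetical, and the check is far weaker than a verifier that bans mutable statics outright.

```java
import java.lang.reflect.Field;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added illustration; every class and field name here is hypothetical.
public class MutableStaticAudit {

    // Flawed pattern: JVM-wide state that any loaded code can read or rewrite.
    static class LeakyRegistry {
        public static String[] types = { "stream", "file" };      // reassignable
        public static final Class<?>[] INPUT_TYPES = { String.class }; // elements writable
    }

    // Hardened form: private, final, and exposed only through an unmodifiable view.
    static class SafeRegistry {
        private static final List<String> TYPES =
                Collections.unmodifiableList(Arrays.asList("stream", "file"));
        public static List<String> types() { return TYPES; }
    }

    // Flags static fields that are not final, and non-private final arrays
    // (a final reference does not make the array's elements read-only).
    static List<String> audit(Class<?> c) {
        List<String> findings = new ArrayList<>();
        for (Field f : c.getDeclaredFields()) {
            int m = f.getModifiers();
            if (!Modifier.isStatic(m) || f.isSynthetic()) continue;
            String name = c.getSimpleName() + "." + f.getName();
            if (!Modifier.isFinal(m)) {
                findings.add(name + ": static field is not final");
            } else if (f.getType().isArray() && !Modifier.isPrivate(m)) {
                findings.add(name + ": non-private final array, contents mutable");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        for (Class<?> c : new Class<?>[] { LeakyRegistry.class, SafeRegistry.class }) {
            for (String finding : audit(c)) System.out.println(finding);
        }
    }
}
```

The check reports both LeakyRegistry fields and nothing for SafeRegistry; it does not detect final references to mutable objects other than arrays, such as a static final ArrayList.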