Upstream information

CVE-2008-5353 at MITRE

Description

The Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier does not properly enforce context of ZoneInfo objects during deserialization, which allows remote attackers to run untrusted applets and applications in a privileged context, as demonstrated by "deserializing Calendar objects".

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having critical severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 10
Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector Network
Access Complexity Low
Authentication None
Confidentiality Impact Complete
Integrity Impact Complete
Availability Impact Complete
SUSE Bugzilla entries: 456770 [RESOLVED / FIXED], 465624 [RESOLVED / FIXED], 471829 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server for SAP Applications 11
  • java-1_4_2-ibm >= 1.4.2_sr13-0.1.1
  • java-1_4_2-ibm-jdbc >= 1.4.2_sr13-0.1.1
  • java-1_4_2-ibm-plugin >= 1.4.2_sr13-0.1.1
Patchnames:
slessp0-java-1_4_2-ibm