[VIM] Java Deployment Toolkit 0-day CVEs

Deapesh Misra deapesh at gmail.com
Wed Nov 24 11:27:29 CST 2010


I also have a doubt regarding these two CVEs:


Argument injection vulnerability in the URI handler in (a) Java NPAPI
plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and
other versions, when running on Windows and possibly on Linux, allows
remote attackers to execute arbitrary code via the (1) -J or (2)
-XXaltjvm argument to javaws.exe, which is processed by the launch
method. NOTE: some of these details are obtained from third party



Unspecified vulnerability in the Java Deployment Toolkit component in
Oracle Java SE and Java for Business JDK and JRE 6 Update 10 through
19 allows remote attackers to affect confidentiality, integrity, and
availability via unknown vectors.


CVE-2010-1423 is the 0-day issue which Tavis disclosed on April 9th
(and later reported by Ruben).
CVE-2010-0886 is for an out-of-band (OOB) patch from Oracle/Sun
released on April 15th.

It seems like 0886 and 1423 are for the same vulnerability.

exploit-db.com labels the exploits for CVE-2010-1423 as CVE-2010-0886:

this was picked up by OSVDB too: http://osvdb.org/63798

From the vendor's perspective, this release note from Oracle/Sun
seems to be the only valuable source of usable information:

I think these two CVEs are for the same issue.

