Dear Mr. Crowther, Thank you for your quick response. We are using JDK 1.6.0_07. I do not have any idea about those vulnerabilities. I just follow the link: http://tomcat.apache.org/security-5.html and search for the vulnerabilities that are fixed in Tomcat 5.5.27 one by one and found the items that I've listed in my previous mail. Are those vulnerabilities fixed in 5.5.27 also related to Java? I just wanted to know, if we need to upgrade the Tomcat or not and for this decision I need to test these vulnerabilities somehow.
P.S.: I do not know much about these topics.Could you please consult me? Thank you very much. Gözde On Thu, Oct 23, 2008 at 3:24 PM, Peter Crowther <[EMAIL PROTECTED] > wrote: > Which JDK are you using, and do those vulnerabilities apply to that > *specific* JDK? > > They are all Java vuls, not Tomcat vuls. > > - Peter > > > -----Original Message----- > > From: Gozde Aytan [mailto:[EMAIL PROTECTED] > > Sent: 23 October 2008 12:32 > > To: users@tomcat.apache.org > > Subject: Tomcat 5.5.26 Vulnerability - Test > > > > Dear all, > > > > In our project, we are using Tomcat 5.5.26 and as it is > > reported that some > > vulnerabilities have been found. So, I just want to test our > > system if these > > vulnerabilties are exploited in our side or not. But I do not > > know how to > > test? Is there someone else who could help me in testing (how > > to generate) > > any of the following cases below? If at least one of them can > > be tested and > > resulted failure, that means Tomcat will be upgraded. > > > > Any help will be appreciated. > > Thanks. > > > > 1) An error in the Java Runtime Environment Virtual Machine > > can be exploited > > by a malicious, untrusted applet to read and write local > > files and execute > > local applications. > > > > 2) An error in the Java Management Extensions (JMX) > > management agent can be > > exploited by a JMX client to perform certain unauthorized > > operations on a > > system running JMX with local monitoring enabled. > > > > 3) Two errors within the scripting language support in the > > Java Runtime > > Environment can be exploited by malicious, untrusted applets to access > > information from another applet, read and write local files, > > and execute > > local applications. > > > > 4) Boundary errors in Java Web Start can be exploited by an > > untrusted Java > > Web Start applications to cause buffer overflows. > > > > 5) Three errors in Java Web Start can be exploited by an > > untrusted Java Web > > Start applications to create or delete arbitrary files with > > the privileges > > of the user running the untrusted Java Web Start application, or to > > determine the location of the Java Web Start cache. > > > > 6) An error in the implementation of Secure Static Versioning > > allows applets > > to run on an older release of JRE. > > > > 7) Errors in the Java Runtime Environment can be exploited by > > an untrusted > > applet to bypass the same origin policy and establish socket > > connections to > > certain services running on the local host. > > > > 8) An error in the Java Runtime Environment when processing > > certain XML data > > can be exploited to allow unauthorized access to certain URL > > resources or > > cause a DoS. > > Successful exploitation requires the JAX-WS client or service > > in a trusted > > application to process the malicious XML data. > > > > 9) An error in the Java Runtime Environment when processing > > certain XML data > > can be exploited by an untrusted applet or application to > > gain unauthorized > > access to certain URL resources. > > > > 10) A boundary error when processing fonts in the Java > > Runtime Environment > > can be exploited to cause a buffer overflow. > > > > --------------------------------------------------------------------- > To start a new topic, e-mail: users@tomcat.apache.org > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > >
