Oracle Java SE
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*, +1 more
- <= 7 Update 7
This vulnerability is being actively exploited in the wild.
A vulnerability allowing untrusted Java applications or applets to bypass sandbox restrictions has been identified in the Java Runtime Environment (JRE) component of Oracle Java SE. This issue is present in versions 7 Update 7 and earlier. The vulnerability arises because the default Java security properties configuration did not restrict access to certain packages, specifically com.sun.org.glassfish.external and com.sun.org.glassfish.gmbal. Exploitation of this vulnerability could lead to unauthorized actions or access within the Java application environment, potentially allowing for the execution of malicious code or the manipulation of application data.
Exploitation of this vulnerability could allow an untrusted Java application or applet to bypass Java's built-in security restrictions, known as sandboxing. This could lead to unauthorized access to system resources or application data, and in some cases, allow for the execution of malicious code with the privileges of the user running the Java application or applet.
Users can upgrade to Oracle Java SE 7 Update 9 or later. This update is available through the Oracle Java SE Critical Patch Update October 2012. Instructions for downloading the latest version can be found on the Oracle Java SE Downloads page. After updating, all running instances of Java must be restarted for the changes to take effect.
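To confirm after the update that the two packages named above are actually restricted, the following added example (not part of the original advisory and not Oracle's code) reads a java.security file and reports which of them the package.access property still fails to cover. The sample file contents are constructed for illustration, and the reader assumes "=" as the key separator; the file is normally found at lib/security/java.security under the JRE home.

```python
import sys

# Package prefixes the advisory names as unrestricted in 7 Update 7 and earlier.
# package.access entries are matched as prefixes, hence the trailing dot.
REQUIRED = ("com.sun.org.glassfish.external.", "com.sun.org.glassfish.gmbal.")

def parse_properties(text):
    """Minimal java.security reader: comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continued value
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd number of backslashes: value continues
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    if pending:  # file ended in the middle of a continued value
        key, _, value = pending.partition("=")
        props[key.strip()] = value.strip()
    return props

def missing_restrictions(text, required=REQUIRED):
    """Return the required prefixes that no package.access entry covers."""
    value = parse_properties(text).get("package.access", "")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [p for p in required if not any(p.startswith(e) for e in entries)]

# Constructed samples, not copied from a real installation.
SAMPLE_UNPATCHED = r"""# constructed sample
package.access=sun.,\
               com.sun.imageio.
"""
SAMPLE_PATCHED = r"""# constructed sample
package.access=sun.,\
               com.sun.imageio.,\
               com.sun.org.glassfish.external.,\
               com.sun.org.glassfish.gmbal.
"""

if __name__ == "__main__":
    # Usage: python check_package_access.py /path/to/java.security
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UNPATCHED
    gaps = missing_restrictions(text)
    print("unrestricted:", ", ".join(gaps) if gaps else "none")
    sys.exit(1 if gaps else 0)
```

A non-zero exit status means at least one of the two packages is still reachable from sandboxed code under that configuration, which also catches a locally customised java.security file that survived the upgrade.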