ID

VAR-200912-0425


CVE

CVE-2009-2843


TITLE

Java for Mac OS X vulnerable to arbitrary code execution

Trust: 0.8

sources: JVNDB: JVNDB-2009-002414

DESCRIPTION

Java for Mac OS X 10.5 before Update 6 and 10.6 before Update 1 accepts expired certificates for applets, which makes it easier for remote attackers to execute arbitrary code via an applet. Successful exploits will allow attackers to bypass certain security restrictions and trick users into running untrusted Java applets with the privileges of trusted applets.

The issue affects the following:
Mac OS X v10.5.8
Mac OS X Server v10.5.8
Mac OS X v10.6.2
Mac OS X Server v10.6.2

Mac OS is an operating system that runs on Apple's Macintosh series of computers.

The vendor update fixes several vulnerabilities, which can be exploited by malicious people to potentially disclose sensitive information, bypass certain security restrictions, cause a DoS (Denial of Service), or compromise a user's system.

SOLUTION: Apply updates. http://support.apple.com/kb/DL971

PROVIDED AND/OR DISCOVERED BY: 2) The vendor credits Simon Heimlicher, ETH Zurich.

ORIGINAL ADVISORY: Apple: http://support.apple.com/kb/HT3969 http://support.apple.com/kb/HT3970

OTHER REFERENCES: SA37231: http://secunia.com/advisories/37231/

Trust: 2.07

sources: NVD: CVE-2009-2843 // JVNDB: JVNDB-2009-002414 // BID: 37206 // VULHUB: VHN-40289 // PACKETSTORM: 83457

AFFECTED PRODUCTS

vendor: apple, model: mac os x, scope: eq, version: 10.5.8

Trust: 1.6

vendor: apple, model: mac os x server, scope: eq, version: 10.5.8

Trust: 1.6

vendor: apple, model: mac os x, scope: eq, version: v10.5.8

Trust: 0.8

vendor: apple, model: mac os x server, scope: eq, version: v10.5.8

Trust: 0.8

vendor: apple, model: mac os server, scope: eq, version: x10.6.2

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.6.1

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.5.8

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.5.7

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.5.6

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.5.5

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.5.4

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.5.3

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.5.2

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.5.1

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.6

Trust: 0.3

vendor: apple, model: mac os server, scope: eq, version: x10.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.6.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.6.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.5.8

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.5.7

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.5.6

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.5.5

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.5.4

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.5.3

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.5.2

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.5.1

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.6

Trust: 0.3

vendor: apple, model: mac os, scope: eq, version: x10.5

Trust: 0.3

sources: BID: 37206 // JVNDB: JVNDB-2009-002414 // CNNVD: CNNVD-200912-091 // NVD: CVE-2009-2843

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-2843
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-2843
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200912-091
value: MEDIUM

Trust: 0.6

VULHUB: VHN-40289
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2009-2843
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: CVE-2009-2843
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-40289
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-40289 // JVNDB: JVNDB-2009-002414 // CNNVD: CNNVD-200912-091 // NVD: CVE-2009-2843

PROBLEMTYPE DATA

problemtype: CWE-310

Trust: 1.9

sources: VULHUB: VHN-40289 // JVNDB: JVNDB-2009-002414 // NVD: CVE-2009-2843

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200912-091

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-200912-091

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-002414

PATCH

title: HT3969, url: http://support.apple.com/kb/HT3969

Trust: 0.8

title: HT3970, url: http://support.apple.com/kb/HT3970

Trust: 0.8

title: HT3970, url: http://support.apple.com/kb/HT3970?viewlocale=ja_JP

Trust: 0.8

title: HT3969, url: http://support.apple.com/kb/HT3969?viewlocale=ja_JP

Trust: 0.8

sources: JVNDB: JVNDB-2009-002414

EXTERNAL IDS

db: NVD, id: CVE-2009-2843

Trust: 2.8

db: BID, id: 37206

Trust: 2.8

db: SECUNIA, id: 37581

Trust: 2.6

db: JVNDB, id: JVNDB-2009-002414

Trust: 0.8

db: CNNVD, id: CNNVD-200912-091

Trust: 0.7

db: APPLE, id: APPLE-SA-2009-12-03-1

Trust: 0.6

db: APPLE, id: APPLE-SA-2009-12-03-2

Trust: 0.6

db: VULHUB, id: VHN-40289

Trust: 0.1

db: PACKETSTORM, id: 83457

Trust: 0.1

sources: VULHUB: VHN-40289 // BID: 37206 // JVNDB: JVNDB-2009-002414 // PACKETSTORM: 83457 // CNNVD: CNNVD-200912-091 // NVD: CVE-2009-2843

REFERENCES

url: http://www.securityfocus.com/bid/37206

Trust: 2.5

url: http://secunia.com/advisories/37581

Trust: 2.5

url: http://support.apple.com/kb/ht3969

Trust: 1.8

url: http://support.apple.com/kb/ht3970

Trust: 1.8

url: http://lists.apple.com/archives/security-announce/2009/dec/msg00000.html

Trust: 1.7

url: http://lists.apple.com/archives/security-announce/2009/dec/msg00001.html

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-2843

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-2843

Trust: 0.8

url: http://software.cisco.com/download/navigator.html?mdfid=283613663

Trust: 0.3

url: http://support.apple.com/kb/dl972

Trust: 0.1

url: http://support.apple.com/kb/dl971

Trust: 0.1

url: http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url: http://secunia.com/advisories/business_solutions/

Trust: 0.1

url: http://secunia.com/advisories/37581/

Trust: 0.1

url: http://secunia.com/advisories/37231/

Trust: 0.1

url: http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-40289 // BID: 37206 // JVNDB: JVNDB-2009-002414 // PACKETSTORM: 83457 // CNNVD: CNNVD-200912-091 // NVD: CVE-2009-2843

CREDITS

Simon Heimlicher of ETH Zurich

Trust: 0.3

sources: BID: 37206

SOURCES

db: VULHUB, id: VHN-40289
db: BID, id: 37206
db: JVNDB, id: JVNDB-2009-002414
db: PACKETSTORM, id: 83457
db: CNNVD, id: CNNVD-200912-091
db: NVD, id: CVE-2009-2843

LAST UPDATE DATE

2025-04-10T21:21:40.959000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-40289, date: 2011-01-04T00:00:00
db: BID, id: 37206, date: 2009-12-04T16:04:00
db: JVNDB, id: JVNDB-2009-002414, date: 2010-01-18T00:00:00
db: CNNVD, id: CNNVD-200912-091, date: 2009-12-09T00:00:00
db: NVD, id: CVE-2009-2843, date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB, id: VHN-40289, date: 2009-12-08T00:00:00
db: BID, id: 37206, date: 2009-12-03T00:00:00
db: JVNDB, id: JVNDB-2009-002414, date: 2010-01-18T00:00:00
db: PACKETSTORM, id: 83457, date: 2009-12-04T17:37:42
db: CNNVD, id: CNNVD-200912-091, date: 2009-12-08T00:00:00
db: NVD, id: CVE-2009-2843, date: 2009-12-08T17:30:00.500