ID CVE-2009-3884
Summary The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local files via vectors related to handling of zoneinfo (aka tz) files, aka Bug Id 6824265.
References
Vulnerable Configurations
  • cpe:2.3:a:sun:jre:1.5.0:update10:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_11:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_12:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_13:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_14:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_15:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_16:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_17:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_18:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_19:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_2:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_20:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:*:update_21:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_3:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_4:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_5:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_6:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_7:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_8:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:update_9:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_1:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_10:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_11:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_12:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_13:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_14:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_15:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_16:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_2:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_3:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_4:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_5:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_6:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_7:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_8:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.6.0:update_9:*:*:*:*:*:*
  • cpe:2.3:a:sun:openjdk:*:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 19-09-2017 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity NONE
  • Availability NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
oval via4
  • accepted 2013-04-29T04:15:19.468-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local files via vectors related to handling of zoneinfo (aka tz) files, aka Bug Id 6824265.
    family unix
    id oval:org.mitre.oval:def:11686
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local files via vectors related to handling of zoneinfo (aka tz) files, aka Bug Id 6824265.
    version 18
  • accepted 2014-01-20T04:01:30.641-05:00
    class vulnerability
    contributors
    • name J. Daniel Brown
      organization DTCC
    • name Chris Coffin
      organization The MITRE Corporation
    definition_extensions
    • comment VMware ESX Server 4.0 is installed
      oval oval:org.mitre.oval:def:6293
    description The TimeZone.getTimeZone method in Sun Java SE 5.0 before Update 22 and 6 before Update 17, and OpenJDK, allows remote attackers to determine the existence of local files via vectors related to handling of zoneinfo (aka tz) files, aka Bug Id 6824265.
    family unix
    id oval:org.mitre.oval:def:6960
    status accepted
    submitted 2010-06-01T17:30:00.000-05:00
    title OpenJDK Zoneinfo File Existence Information Leak
    version 8
redhat via4
advisories
bugzilla
id 530300
title CVE-2009-3884 OpenJDK zoneinfo file existence information leak (6824265)
oval
OR
  • comment Red Hat Enterprise Linux must be installed
    oval oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment java-1.6.0-openjdk is earlier than 1:1.6.0.0-1.7.b09.el5
          oval oval:com.redhat.rhsa:tst:20091584001
        • comment java-1.6.0-openjdk is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377002
      • AND
        • comment java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-1.7.b09.el5
          oval oval:com.redhat.rhsa:tst:20091584003
        • comment java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377004
      • AND
        • comment java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-1.7.b09.el5
          oval oval:com.redhat.rhsa:tst:20091584005
        • comment java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377006
      • AND
        • comment java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-1.7.b09.el5
          oval oval:com.redhat.rhsa:tst:20091584007
        • comment java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377008
      • AND
        • comment java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-1.7.b09.el5
          oval oval:com.redhat.rhsa:tst:20091584009
        • comment java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377010
rhsa
id RHSA-2009:1584
released 2009-11-16
severity Important
title RHSA-2009:1584: java-1.6.0-openjdk security update (Important)
rpms
  • java-1.6.0-sun-1:1.6.0.17-1jpp.1.el4
  • java-1.6.0-sun-1:1.6.0.17-1jpp.2.el5
  • java-1.6.0-sun-demo-1:1.6.0.17-1jpp.1.el4
  • java-1.6.0-sun-demo-1:1.6.0.17-1jpp.2.el5
  • java-1.6.0-sun-devel-1:1.6.0.17-1jpp.1.el4
  • java-1.6.0-sun-devel-1:1.6.0.17-1jpp.2.el5
  • java-1.6.0-sun-jdbc-1:1.6.0.17-1jpp.1.el4
  • java-1.6.0-sun-jdbc-1:1.6.0.17-1jpp.2.el5
  • java-1.6.0-sun-plugin-1:1.6.0.17-1jpp.1.el4
  • java-1.6.0-sun-plugin-1:1.6.0.17-1jpp.2.el5
  • java-1.6.0-sun-src-1:1.6.0.17-1jpp.1.el4
  • java-1.6.0-sun-src-1:1.6.0.17-1jpp.2.el5
  • java-1.5.0-sun-0:1.5.0.22-1jpp.1.el4
  • java-1.5.0-sun-0:1.5.0.22-1jpp.1.el5
  • java-1.5.0-sun-demo-0:1.5.0.22-1jpp.1.el4
  • java-1.5.0-sun-demo-0:1.5.0.22-1jpp.1.el5
  • java-1.5.0-sun-devel-0:1.5.0.22-1jpp.1.el4
  • java-1.5.0-sun-devel-0:1.5.0.22-1jpp.1.el5
  • java-1.5.0-sun-jdbc-0:1.5.0.22-1jpp.1.el4
  • java-1.5.0-sun-jdbc-0:1.5.0.22-1jpp.1.el5
  • java-1.5.0-sun-plugin-0:1.5.0.22-1jpp.1.el4
  • java-1.5.0-sun-plugin-0:1.5.0.22-1jpp.1.el5
  • java-1.5.0-sun-src-0:1.5.0.22-1jpp.1.el4
  • java-1.5.0-sun-src-0:1.5.0.22-1jpp.1.el5
  • java-1.6.0-openjdk-1:1.6.0.0-1.7.b09.el5
  • java-1.6.0-openjdk-debuginfo-1:1.6.0.0-1.7.b09.el5
  • java-1.6.0-openjdk-demo-1:1.6.0.0-1.7.b09.el5
  • java-1.6.0-openjdk-devel-1:1.6.0.0-1.7.b09.el5
  • java-1.6.0-openjdk-javadoc-1:1.6.0.0-1.7.b09.el5
  • java-1.6.0-openjdk-src-1:1.6.0.0-1.7.b09.el5
refmap via4
apple
  • APPLE-SA-2009-12-03-1
  • APPLE-SA-2009-12-03-2
confirm
gentoo GLSA-200911-02
mandriva MDVSA-2010:084
secunia
  • 37386
  • 37581
Last major update 19-09-2017 - 01:29
Published 09-11-2009 - 19:30
Last modified 19-09-2017 - 01:29