[Question]
Does the vulnerability in the Rhino script engine of the JDK and JRE described at the URL below affect intra-mart?
http://www.intellilink.co.jp/article/vulner/111202.html (Japanese)
[Answer]
The vulnerability in question allows arbitrary Java code to be executed by bypassing the security manager in a restricted client-side execution environment such as a Java applet.
A concrete example: an attack using CVE-2011-3544 proceeds as follows.
1. An attacker creates an applet that launches an executable performing arbitrary actions and places it on a site under the attacker's control.
2. Users (victims) are lured to the site from step 1, where the Java applet runs.
3. Using this vulnerability, the executable (which the security manager would normally reject) is run on the user's PC.
This is not a vulnerability in which a Java server using Rhino (such as an intra-mart server) is itself damaged.
However, note that if you browse a suspicious site from the server machine, the server could be attacked through the vulnerability above, because in that case it is acting as a client.
-- Target ------------------------------------------------------------------------------------
iWP/Web System Construction Platform/WebPlatform/AppFramework
-------------------------------------------------------------------------------------------------
FAQID:337
Vulnerability of Rhino script engine of Oracle Java SE JDK and JRE
