CVE-2009-3864 — Omission of Security-relevant Information in JDK

CWE-223 — Omission of Security-relevant Information5 documents5 sources

Severity

7.5HIGHNVD

EPSS

8.6%

top 7.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SUN JDK SUN JRE

Timeline

PublishedNov 5

Latest updateMay 2

Description

The Java Update functionality in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5.0 before Update 22 and JDK and JRE 6 before Update 17, when a non-English version of Windows is used, does not retrieve available new JRE versions, which allows remote attackers to leverage vulnerabilities in older releases of this software, aka Bug Id 6869694.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDsun/jdk1.5.0, 1.6.0+1

▶NVDsun/jre1.5.0, 1.6.0+1

Patches

Patch: sunsolve.sun.com ↗Patch: www.securityfocus.com ↗Patch: www.vupen.com ↗

🔴Vulnerability Details

GHSA

GHSA-9f95-v5qr-4cqr: The Java Update functionality in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5↗2022-05-02

▶

CVEList

CVE-2009-3864: The Java Update functionality in Java Runtime Environment (JRE) in Sun Java SE in JDK and JRE 5↗2009-11-05

▶

📋Vendor Advisories

Red Hat

java-1.6.0-sun: Updates availability notification system failure (6869694)↗2009-11-04

▶

💬Community

Bugzilla

CVE-2009-3864 java-1.5.0-sun, java-1.6.0-sun: Updates availability notification system failure (6869694)↗2009-11-05

▶