<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>CVE-2006-2199</title>
<style type="text/css">
/*<![CDATA[*/
hr { display: block }
/*]]>*/
</style>
</head>
<body>
<h2>Java Applets, CVE-2006-2199</h2>
<h3>Java Applets </h3>
<ul><li><strong>Synopsis:</strong> Security Vulnerability With Java Applets in OpenOffice.org </li>
<li> <strong>Issue ID:</strong> 66862</li>
<li> <strong>State:</strong> Resolved</li>
</ul>
<h4><strong>1. Impact</strong></h4>
<p>A security vulnerability related to OpenOffice.org documents may allow certain Java applets to break through the &quot;sandbox&quot; and therefore have full access to system resources with current user privileges. The offending Applets may be constructed to destroy/replace files, read or send private data, and/or cause additional security issues.</p>
<p>This issue is also described in
<br>
CVE-2006-2199,
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2199">http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2199</a>,
<br>Sun Alert 102475
<a href="http://sunsolve.sun.com/search/document.do?assetkey=1-26-102475-1">
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102475-1</a>
</p>
<h4><strong>2. Contributing Factors</strong></h4>
<p>This issue can occur in the following releases:</p>
<p><strong>OpenOffice.org 1.1.x, OpenOffice.org 2.0.x</strong></p>
<h4><strong>3. Symptoms</strong></h4>
<p>There are no predictable symptoms that would indicate the described issue has been exploited.</p>
<h4><strong>4. Relief/Workaround</strong></h4>
<p>To work around the described issue, disable support for Java Applets (for OpenOffice.org) by doing the following:</p>
<p><strong>OpenOffice.org 1.x:</strong></p>
<p>In the Options dialog, select Tools/Options/OpenOffice.org/Security and uncheck &quot;Enable Applets&quot;.</p>
<p><strong>OpenOffice.org 2.x:</strong></p>
<p>OpenOffice.org 2.0 no longer has a user interface (UI) for configuring this option; the change must be made in the configuration files with a text editor. Add the following to your OpenOffice.org settings file, typically <code>~/.openoffice2.0/user/registry/data/org/openoffice/Office/Common.xcu</code>:</p>
<p><code>&lt;node oor:name=&quot;Java&quot;&gt;<br>
&lt;node oor:name=&quot;Applet&quot;&gt;<br>
&lt;prop oor:name=&quot;Enable&quot; oor:type=&quot;xs:boolean&quot;&gt;<br>
&lt;value&gt;false&lt;/value&gt;<br>
&lt;/prop&gt;<br>
&lt;/node&gt;<br>
&lt;/node&gt;</code></p>
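<p>To confirm that the workaround is actually present in a profile, the check below reads a <code>Common.xcu</code> and reports the state of <code>Java/Applet/Enable</code>. It is an added example, not part of the original advisory or of OpenOffice.org; the function name <code>applet_setting</code> and the sample documents are constructed for illustration, and the <code>oor</code> namespace URI is assumed to be the standard registry namespace.</p>

```python
import sys
import xml.etree.ElementTree as ET

# Assumption: namespace URI bound to the oor: prefix in .xcu files.
OOR = "http://openoffice.org/2001/registry"
NAME = "{%s}name" % OOR

def applet_setting(xcu_text):
    """Return 'disabled', 'enabled' or 'unset' for Java/Applet/Enable."""
    node = ET.fromstring(xcu_text)
    for name in ("Java", "Applet"):
        # Only direct children count; node/prop/value carry no namespace.
        node = next((c for c in node.findall("node") if c.get(NAME) == name), None)
        if node is None:
            return "unset"
    prop = next((p for p in node.findall("prop") if p.get(NAME) == "Enable"), None)
    value = prop.find("value") if prop is not None else None
    if value is None or value.text is None:
        return "unset"
    # Fail safe: only the exact value from the advisory counts as disabled.
    return "disabled" if value.text.strip() == "false" else "enabled"

# Constructed sample profile containing the workaround fragment.
SAMPLE_HARDENED = """<oor:component-data
    xmlns:oor="http://openoffice.org/2001/registry"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    oor:name="Common" oor:package="org.openoffice.Office">
  <node oor:name="Java">
    <node oor:name="Applet">
      <prop oor:name="Enable" oor:type="xs:boolean">
        <value>false</value>
      </prop>
    </node>
  </node>
</oor:component-data>"""
# Constructed variants: applets switched on, and no Applet node at all.
SAMPLE_ENABLED = SAMPLE_HARDENED.replace("false", "true")
SAMPLE_UNSET = SAMPLE_HARDENED.replace('"Applet"', '"Other"')

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit the profile files named on the command line
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                print(path, applet_setting(fh.read()))
    else:
        for label, doc in (("hardened", SAMPLE_HARDENED),
                           ("enabled", SAMPLE_ENABLED), ("unset", SAMPLE_UNSET)):
            print(label, applet_setting(doc))
```

<p>A result of <code>unset</code> means the workaround fragment is not in that file, so the profile relies on whatever the installed version does by default.</p>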
<h4><strong>5. Resolution</strong></h4>
<p>This issue is addressed in the following releases:</p>
<p><strong>OpenOffice.org 1.1.5 Patch, OpenOffice.org 2.0.3</strong></p>
<p><strong>Notes:</strong></p>
<p>In the updated versions of OpenOffice.org, support for Java applets is disabled.</p>
</body>
</html>