Java Applets, CVE-2006-2199
Java Applets
- Synopsis: Security Vulnerability With Java Applets in OpenOffice.org
- Issue ID: 66862
- State: Resolved
1. Impact
A security vulnerability related to OpenOffice.org documents may allow certain Java applets to break through the "sandbox" and therefore have full access to system resources with current user privileges. The offending Applets may be constructed to destroy/replace files, read or send private data, and/or cause additional security issues.
This issue is also described in:
- CVE-2006-2199: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-2199
- Sun Alert 102475: http://sunsolve.sun.com/search/document.do?assetkey=1-26-102475-1
2. Contributing Factors
This issue can occur in the following releases:
OpenOffice.org 1.1.x, OpenOffice.org 2.0.x
3. Symptoms
There are no predictable symptoms that would indicate the described issue has been exploited.
4. Relief/Workaround
To work around the described issue, disable support for Java Applets (for OpenOffice.org) by doing the following:
OpenOffice.org 1.x:
In the Options dialog, select Tools/Options/OpenOffice.org/Security and uncheck "Enable Applets".
OpenOffice.org 2.x:
There is no longer a User Interface (UI) for configuring this option in OpenOffice.org 2.0; the change must be made in the configuration files with a text editor. Add the following to your OpenOffice.org settings file, typically "~/.openoffice2.0/user/registry/data/org/openoffice/Office/Common.xcu":
    <node oor:name="Java">
      <node oor:name="Applet">
        <prop oor:name="Enable" oor:type="xs:boolean">
          <value>false</value>
        </prop>
      </node>
    </node>
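One way to audit whether the workaround above is present in a profile's Common.xcu, as an added example that is not part of the original advisory. It assumes the usual `oor` registry namespace URI and an `oor:component-data` root element; the function names and the sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: namespace URI bound to the "oor" prefix in .xcu registry files.
OOR = "http://openoffice.org/2001/registry"
NAME = f"{{{OOR}}}name"

# Constructed sample files (not taken from a real user profile).
HEADER = ('<oor:component-data xmlns:oor="http://openoffice.org/2001/registry" '
          'xmlns:xs="http://www.w3.org/2001/XMLSchema" '
          'oor:name="Common" oor:package="org.openoffice.Office">')
WORKAROUND = HEADER + """
 <node oor:name="Java">
  <node oor:name="Applet">
   <prop oor:name="Enable" oor:type="xs:boolean">
    <value>false</value>
   </prop>
  </node>
 </node>
</oor:component-data>"""
NO_SETTING = HEADER + '<node oor:name="Misc"/></oor:component-data>'
ENABLED = WORKAROUND.replace("false", "true")


def _child(parent, tag, name):
    """Return the direct child <tag oor:name=name>, or None if absent."""
    for el in parent.findall(tag):
        if el.get(NAME) == name:
            return el
    return None


def applet_state(xcu_text):
    """Return 'disabled', 'enabled' or 'unset' for Java/Applet/Enable."""
    node = ET.fromstring(xcu_text)
    for tag, name in (("node", "Java"), ("node", "Applet"), ("prop", "Enable")):
        node = _child(node, tag, name)
        if node is None:
            return "unset"  # the workaround is not present in this file
    value = (node.findtext("value") or "").strip().lower()
    if value == "false":
        return "disabled"
    return "enabled" if value == "true" else "unset"


if __name__ == "__main__":
    for label, text in (("workaround", WORKAROUND), ("no setting", NO_SETTING),
                        ("enabled", ENABLED)):
        print(label, "->", applet_state(text))
```

Only a result of "disabled" shows that the workaround is in place; "unset" means the file does not carry the setting at all.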
5. Resolution
This issue is addressed in the following releases:
OpenOffice.org 1.1.5 Patch, OpenOffice.org 2.0.3
Notes:
With the updated versions of OpenOffice.org, support for Java applets will be disabled.