Local File Disclosure Weakness in Sun Java SE and OpenJDK Products
CVE-2009-3884

Currently unrated

Key Information:

Vendor: Oracle
Status: Jre; Openjdk
Vendor: CVE Published:; 9 November 2009

Summary

The TimeZone.getTimeZone method in Sun Java SE versions prior to Update 22 and Java SE 6 prior to Update 17, along with OpenJDK, contains a security flaw that enables remote attackers to ascertain the existence of local files. This vulnerability arises from improper handling of zoneinfo (tz) files, which could potentially expose sensitive filesystem information.

References

https://bugzilla.redhat.com/show_bug.cgi?id=530300

x_refsource_CONFIRM

http://support.apple.com/kb/HT3970

x_refsource_CONFIRM

http://support.apple.com/kb/HT3969

x_refsource_CONFIRM

Timeline

Vulnerability published
Nov 9, 2009
Vulnerability Reserved
Nov 5, 2009