Oracle Java SE / JRE contains a flaw in the Deployment subcomponent. The issue is triggered when a JNLP file requests <all-permissions/> while referencing trusted JAR files. With a specially crafted JNLP file, a context-dependent attacker can manipulate system properties and execute arbitrary code.

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory in the references section.

• Security Tracker: 1027153
• CVE ID: 2012-1721 (see also: NVD)
• Secunia Advisory ID: 49472 49542 49565 49569 50239 50479 50495 50503 50607 50629 50723 50828 51059 51158 51256 51453 51681 51682 52437 53006
• Bugtraq ID: 53959
• Related OSVDB ID: 82874 82876 82877 82878 82879 82880 82881 82882 82883 82884 82885 82886
• Vendor Specific Advisory URL: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03441075
  http://support.apple.com/kb/HT5319
  http://support.attachmate.com/techdocs/2560.html
  http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html
  http://www.vmware.com/security/advisories/VMSA-2012-0013.html
  http://www.xerox.com/download/security/security-bulletin/16aeb-4cd3628b94080/cert_XRX12-009_v1.1.pdf
  http://www.xerox.com/download/security/security-bulletin/16cd0-4ccb9d5fd3580/cert_XRX12-010_FFPSv8_v1.1.pdf
  https://www-304.ibm.com/connections/blogs/PSIRT/entry/rational_method_composer_security_vulnerability_multiple_security_vulnerabilities_in_ibm_jre_6_cve_2012_1713_cve_2012_1716_cve_2012_1717_cve_2012_1718_cve_2012_1719_cve_2012_1720_cve_2012_1721_cve_2012
  https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_multiple_vulnerabilities_in_rational_synergy19
• Vendor Specific News/Changelog Entry: http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00032.html
  http://lists.opensuse.org/opensuse-security-announce/2012-09/msg00035.html
  http://www-01.ibm.com/support/docview.wss?uid=swg21633991
  http://www-01.ibm.com/support/docview.wss?uid=swg21633992
  http://www.ibm.com/developerworks/java/jdk/alerts/
  http://www.ibm.com/support/docview.wss?uid=swg21614441
  http://www.ibm.com/support/docview.wss?uid=swg21617984
  http://www.ibm.com/support/docview.wss?uid=swg21618977
  http://www.ibm.com/support/docview.wss?uid=swg21620862
  http://www.ibm.com/support/docview.wss?uid=swg24033779
  https://www-304.ibm.com/support/docview.wss?uid=swg21618977
• Packet Storm: http://packetstormsecurity.org/files/119007/Zero-Day-Initiative-Advisory-12-189.html
• Mail List Post: http://seclists.org/fulldisclosure/2012/Dec/205
• Other Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-12-189
• RedHat RHSA: RHSA-2012:0734 RHSA-2012:1019 RHSA-2012:1238 RHSA-2012:1289

• Not Available