JNLP Injection Exploit?

[Bill_V]

Is OpenWebStart vulnerable to the exploit(s) detailed here: https://cybir.com/wp-content/uploads/20 ... elease.pdf
If so, is there a patch coming, or a is there a way to configure it so that it's not vulnerable?
Thanks in advance.

[Janak Mulani]

Hi

We have seen this document earlier.

OWS allows you to specify a server whitelist for downloading jnlp and jars so that you can download signed files jnlp and jars from a trusted server using https.