Executive Summary
Summary | |
---|---|
Title | java-1.6.0-ibm security update |
Informations | |||
---|---|---|---|
Name | RHSA-2009:0369 | First vendor Publication | 2009-03-25 |
Vendor | RedHat | Last vendor Modification | 2009-03-25 |
Severity (Vendor) | Critical | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary. This update has been rated as having critical security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: RHEL Desktop Supplementary (v. 5 client) - i386, x86_64 RHEL Supplementary (v. 5 server) - i386, ppc, s390x, x86_64 Red Hat Desktop version 4 Extras - i386, x86_64 Red Hat Enterprise Linux AS version 4 Extras - i386, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux ES version 4 Extras - i386, x86_64 Red Hat Enterprise Linux WS version 4 Extras - i386, x86_64 3. Description: The IBM® 1.6.0 Java™ release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. These vulnerabilities are summarized on the IBM "Security alerts" page listed in the References section. (CVE-2008-5340, CVE-2008-5341, CVE-2008-5342, CVE-2008-5343, CVE-2008-5351, CVE-2008-5356, CVE-2008-5357, CVE-2008-5358) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR4 Java release. All running instances of IBM Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 472213 - CVE-2008-5351 OpenJDK UTF-8 decoder accepts non-shortest form sequences (4486841) 472218 - CVE-2008-5356 OpenJDK Font processing vulnerability (6733336) 472231 - CVE-2008-5357 OpenJDK Truetype Font processing vulnerability (6751322) 472234 - CVE-2008-5358 OpenJDK Buffer Overflow in GIF image processing (6766136) 474773 - CVE-2008-5340 Java WebStart privilege escalation 474786 - CVE-2008-5341 Java Web Start exposes username and the pathname of the JWS cache 474789 - CVE-2008-5342 Java Web Start BasicService displays local files in the browser 474790 - CVE-2008-5343 Java WebStart allows hidden code privilege escalation |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2009-0369.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
29 % | CWE-264 | Permissions, Privileges, and Access Controls |
29 % | CWE-200 | Information Exposure |
29 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
14 % | CWE-189 | Numeric Errors (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:5924 | |||
Oval ID: | oval:org.mitre.oval:def:5924 | ||
Title: | Sun Java Web Start and Java Plug-in JAR File Privilege Escalation Vulnerability | ||
Description: | Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows remote attackers to make unauthorized network connections and hijack HTTP sessions via a crafted file that validates as both a GIF and a Java JAR file, aka "GIFAR" and CR 6707535. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-5343 | Version: | 1 |
Platform(s): | VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:6212 | |||
Oval ID: | oval:org.mitre.oval:def:6212 | ||
Title: | Java Runtime Environment UTF-8 Decoding Bug May Let Users Bypass Access Restrictions | ||
Description: | Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier accepts UTF-8 encodings that are not the "shortest" form, which makes it easier for attackers to bypass protection mechanisms for other applications that rely on shortest-form UTF-8 encodings. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-5351 | Version: | 1 |
Platform(s): | VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:6319 | |||
Oval ID: | oval:org.mitre.oval:def:6319 | ||
Title: | Sun Java Runtime Environment GIF images code execution | ||
Description: | Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier might allow remote attackers to execute arbitrary code via a crafted GIF file that triggers memory corruption during display of the splash screen, possibly related to splashscreen.dll. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-5358 | Version: | 1 |
Platform(s): | VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:6359 | |||
Oval ID: | oval:org.mitre.oval:def:6359 | ||
Title: | Unspecified vulnerability in the BasicService for Java Web Start (JWS) and Java Plug-in | ||
Description: | Unspecified vulnerability in the BasicService for Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted downloaded applications to cause local files to be displayed in the browser of the user of the untrusted application via unknown vectors, aka 6767668. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-5342 | Version: | 3 |
Platform(s): | VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:6494 | |||
Oval ID: | oval:org.mitre.oval:def:6494 | ||
Title: | Sun Java Runtime Environment TrueType font buffer overflow | ||
Description: | Heap-based buffer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-5356 | Version: | 1 |
Platform(s): | VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:6505 | |||
Oval ID: | oval:org.mitre.oval:def:6505 | ||
Title: | Sun Java Runtime Environment TrueType font integer overflow | ||
Description: | Integer overflow in Java Runtime Environment (JRE) for Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; SDK and JRE 1.4.2_18 and earlier; and SDK and JRE 1.3.1_23 and earlier might allow remote attackers to execute arbitrary code via a crafted TrueType font file, which triggers a heap-based buffer overflow. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-5357 | Version: | 1 |
Platform(s): | VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:6529 | |||
Oval ID: | oval:org.mitre.oval:def:6529 | ||
Title: | Java Runtime Environment (JRE) Buffer Overflow in Processing Image Files and Fonts Lets Remote Users Gain Privileges on the Target System | ||
Description: | Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier, and JDK and JRE 5.0 Update 16 and earlier, allows untrusted JWS applications to obtain the pathname of the JWS cache and the application username via unknown vectors, aka CR 6727071. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-5341 | Version: | 1 |
Platform(s): | VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:6627 | |||
Oval ID: | oval:org.mitre.oval:def:6627 | ||
Title: | Sun Java Multiple Code Execution and Security Bypass Vulnerabilities | ||
Description: | Unspecified vulnerability in Java Web Start (JWS) and Java Plug-in with Sun JDK and JRE 6 Update 10 and earlier; JDK and JRE 5.0 Update 16 and earlier; and SDK and JRE 1.4.2_18 and earlier allows untrusted JWS applications to gain privileges to access local files or applications via unknown vectors, aka 6727081. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2008-5340 | Version: | 1 |
Platform(s): | VMWare ESX Server 3.5 | Product(s): | |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2010-05-28 | Name : Java for Mac OS X 10.5 Update 3 File : nvt/macosx_java_for_10_5_upd_3.nasl |
2010-05-28 | Name : Java for Mac OS X 10.5 Update 4 File : nvt/macosx_java_for_10_5_upd_4.nasl |
2009-10-13 | Name : SLES10: Security update for IBM Java 1.4.2 File : nvt/sles10_java-1_4_2-ibm0.nasl |
2009-10-13 | Name : SLES10: Security update for Sun Java 1.4.2 File : nvt/sles10_java-1_4_2-sun.nasl |
2009-10-13 | Name : SLES10: Security update for IBM Java 1.5.0 File : nvt/sles10_java-1_5_0-ibm2.nasl |
2009-10-11 | Name : SLES11: Security update for IBM Java 1.4.2 File : nvt/sles11_java-1_4_2-ibm.nasl |
2009-10-11 | Name : SLES11: Security update for IBM Java 1.6.0 File : nvt/sles11_java-1_6_0-ibm.nasl |
2009-10-10 | Name : SLES9: Security update for IBM Java2 JRE and SDK File : nvt/sles9p5046860.nasl |
2009-10-10 | Name : SLES9: Security update for IBM Java5 JRE and SDK File : nvt/sles9p5041763.nasl |
2009-10-10 | Name : SLES9: Security update for Sun Java File : nvt/sles9p5040565.nasl |
2009-05-20 | Name : SuSE Security Summary SUSE-SR:2009:010 File : nvt/suse_sr_2009_010.nasl |
2009-05-05 | Name : HP-UX Update for Java HPSBUX02411 File : nvt/gb_hp_ux_HPSBUX02411.nasl |
2009-04-28 | Name : RedHat Security Advisory RHSA-2009:0445 File : nvt/RHSA_2009_0445.nasl |
2009-03-31 | Name : RedHat Security Advisory RHSA-2009:0369 File : nvt/RHSA_2009_0369.nasl |
2009-03-13 | Name : SuSE Security Summary SUSE-SR:2009:006 File : nvt/suse_sr_2009_006.nasl |
2009-03-13 | Name : Ubuntu USN-731-1 (apache2) File : nvt/ubuntu_731_1.nasl |
2009-03-13 | Name : Ubuntu USN-732-1 (dash) File : nvt/ubuntu_732_1.nasl |
2009-02-16 | Name : Fedora Update for java-1.6.0-openjdk FEDORA-2008-10913 File : nvt/gb_fedora_2008_10913_java-1.6.0-openjdk_fc10.nasl |
2009-02-16 | Name : Fedora Update for java-1.6.0-openjdk FEDORA-2008-10860 File : nvt/gb_fedora_2008_10860_java-1.6.0-openjdk_fc9.nasl |
2009-02-02 | Name : Ubuntu USN-710-1 (xine-lib) File : nvt/ubuntu_710_1.nasl |
2009-02-02 | Name : Ubuntu USN-711-1 (ktorrent) File : nvt/ubuntu_711_1.nasl |
2009-02-02 | Name : Ubuntu USN-712-1 (vim) File : nvt/ubuntu_712_1.nasl |
2009-02-02 | Name : Ubuntu USN-713-1 (openjdk-6) File : nvt/ubuntu_713_1.nasl |
2009-01-20 | Name : RedHat Security Advisory RHSA-2009:0016 File : nvt/RHSA_2009_0016.nasl |
2009-01-13 | Name : SuSE Security Advisory SUSE-SA:2009:001 (Sun Java) File : nvt/suse_sa_2009_001.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
50517 | Sun Java JDK / JRE TrueType Font Processing Integer Overflow |
50516 | Sun Java JDK / JRE TrueType Font Processing Heap Overflow |
50515 | Sun Java JDK / JRE GIF Image Decoding Memory Corruption |
50514 | Sun Java JDK / JRE Java Web Start BasicService Arbitrary File Access |
50512 | Sun Java JDK / JRE Jave Web Start / Plug-in HTTP Session Hijacking |
50511 | Sun Java JDK / JRE Java Web Start SingleInstanceImpl Class SI_FILEDIR Propert... |
50509 | Sun Java JDK / JRE Java Web Start Application file: Protocol Arbitrary File A... |
50502 | Sun Java JDK / JRE UTF-8 Decoder Non-shortest Form Sequence Handling Weakness |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2009-10-22 | IAVM : 2009-A-0105 - Multiple Vulnerabilities in VMware Products Severity : Category I - VMSKEY : V0021867 |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-03-03 | Name : The remote host is missing a security-related patch. File : vmware_VMSA-2009-0014_remote.nasl - Type : ACT_GATHER_INFO |
2013-02-22 | Name : The remote Unix host contains a runtime environment that is affected by multi... File : sun_java_jre_244986_unix.nasl - Type : ACT_GATHER_INFO |
2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0466.nasl - Type : ACT_GATHER_INFO |
2009-12-14 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_40374.nasl - Type : ACT_GATHER_INFO |
2009-12-14 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_40375.nasl - Type : ACT_GATHER_INFO |
2009-11-18 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200911-02.nasl - Type : ACT_GATHER_INFO |
2009-10-19 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2009-0014.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12321.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_java-1_5_0-ibm-5960.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_java-1_4_2-sun-5852.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_6_0-ibm-090405.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_java-1_4_2-ibm-090405.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12387.nasl - Type : ACT_GATHER_INFO |
2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12336.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0445.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0369.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2009-0016.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-1025.nasl - Type : ACT_GATHER_INFO |
2009-08-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-1018.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_java-1_5_0-sun-081217.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_java-1_6_0-sun-081217.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_5_0-sun-081217.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_6_0-openjdk-090303.nasl - Type : ACT_GATHER_INFO |
2009-07-21 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_6_0-sun-081217.nasl - Type : ACT_GATHER_INFO |
2009-07-09 | Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_rel9.nasl - Type : ACT_GATHER_INFO |
2009-06-17 | Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_10_5_update4.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Fedora host is missing a security update. File : fedora_2008-10913.nasl - Type : ACT_GATHER_INFO |
2009-04-23 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-713-1.nasl - Type : ACT_GATHER_INFO |
2009-02-13 | Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_rel8.nasl - Type : ACT_GATHER_INFO |
2009-02-13 | Name : The remote host has a version of Java that is affected by multiple vulnerabil... File : macosx_java_10_5_update3.nasl - Type : ACT_GATHER_INFO |
2009-01-07 | Name : The remote openSUSE host is missing a security update. File : suse_java-1_5_0-sun-5875.nasl - Type : ACT_GATHER_INFO |
2009-01-07 | Name : The remote openSUSE host is missing a security update. File : suse_java-1_6_0-sun-5876.nasl - Type : ACT_GATHER_INFO |
2008-12-08 | Name : The remote Fedora host is missing a security update. File : fedora_2008-10860.nasl - Type : ACT_GATHER_INFO |
2008-12-04 | Name : The remote Windows host contains a runtime environment that is affected by mu... File : sun_java_jre_244986.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:52:22 |
|