Executive Summary

Summary
Title OpenJDK 6 vulnerabilities
Informations
Name USN-1553-1 First vendor Publication 2012-09-03
Vendor Ubuntu Last vendor Modification 2012-09-03
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.04 LTS

Summary:

Two security issues were fixed in OpenJDK 6.

Software Description: - openjdk-6: Open Source Java implementation

Details:

It was discovered that the Beans component in OpenJDK 6 did not properly prevent access to restricted classes. A remote attacker could use this to create an untrusted Java applet or application that would bypass Java sandbox restrictions. (CVE-2012-1682)

It was discovered that functionality in the AWT component in OpenJDK 6 made it easier for a remote attacker, in conjunction with other vulnerabilities, to bypass Java sandbox restrictions. (CVE-2012-0547)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04 LTS:
icedtea-6-jre-cacao 6b24-1.11.4-1ubuntu0.12.04.1
icedtea-6-jre-jamvm 6b24-1.11.4-1ubuntu0.12.04.1
openjdk-6-jre 6b24-1.11.4-1ubuntu0.12.04.1
openjdk-6-jre-headless 6b24-1.11.4-1ubuntu0.12.04.1
openjdk-6-jre-lib 6b24-1.11.4-1ubuntu0.12.04.1
openjdk-6-jre-zero 6b24-1.11.4-1ubuntu0.12.04.1

Ubuntu 11.10:
icedtea-6-jre-cacao 6b24-1.11.4-1ubuntu0.11.10.1
icedtea-6-jre-jamvm 6b24-1.11.4-1ubuntu0.11.10.1
openjdk-6-jre 6b24-1.11.4-1ubuntu0.11.10.1
openjdk-6-jre-headless 6b24-1.11.4-1ubuntu0.11.10.1
openjdk-6-jre-lib 6b24-1.11.4-1ubuntu0.11.10.1
openjdk-6-jre-zero 6b24-1.11.4-1ubuntu0.11.10.1

Ubuntu 11.04:
icedtea-6-jre-cacao 6b24-1.11.4-1ubuntu0.11.04.1
icedtea-6-jre-jamvm 6b24-1.11.4-1ubuntu0.11.04.1
openjdk-6-jre 6b24-1.11.4-1ubuntu0.11.04.1
openjdk-6-jre-headless 6b24-1.11.4-1ubuntu0.11.04.1
openjdk-6-jre-lib 6b24-1.11.4-1ubuntu0.11.04.1
openjdk-6-jre-zero 6b24-1.11.4-1ubuntu0.11.04.1

Ubuntu 10.04 LTS:
icedtea-6-jre-cacao 6b24-1.11.4-1ubuntu0.10.04.1
openjdk-6-jre 6b24-1.11.4-1ubuntu0.10.04.1
openjdk-6-jre-headless 6b24-1.11.4-1ubuntu0.10.04.1
openjdk-6-jre-lib 6b24-1.11.4-1ubuntu0.10.04.1
openjdk-6-jre-zero 6b24-1.11.4-1ubuntu0.10.04.1

After a standard system update you need to restart any Java applets or applications to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1553-1
CVE-2012-0547, CVE-2012-1682

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.4-1ubuntu0.12.04.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.4-1ubuntu0.11.10.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.4-1ubuntu0.11.04.1
https://launchpad.net/ubuntu/+source/openjdk-6/6b24-1.11.4-1ubuntu0.10.04.1

Original Source

Url : http://www.ubuntu.com/usn/USN-1553-1

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:17793
 
Oval ID: oval:org.mitre.oval:def:17793
Title: USN-1553-1 -- openjdk-6 vulnerabilities
Description: Two security issues were fixed in OpenJDK 6.
Family: unix Class: patch
Reference(s): USN-1553-1
CVE-2012-1682
CVE-2012-0547
 Version: 7
Platform(s): Ubuntu 12.04
Ubuntu 11.10
Ubuntu 11.04
Ubuntu 10.04
 Product(s): openjdk-6
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19842
 
Oval ID: oval:org.mitre.oval:def:19842
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited." NOTE: this identifier was assigned by the Oracle CNA, but CVE is not intended to cover defense-in-depth issues that are only exposed by the presence of other vulnerabilities. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "toolkit internals references."
Family: unix Class: vulnerability
Reference(s): CVE-2012-0547
 Version: 10
Platform(s): HP-UX 11
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:19946
 
Oval ID: oval:org.mitre.oval:def:19946
Title: HP-UX Running Java, Remote Execution of Arbitrary Code, and Other Vulnerabilities
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-3136. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "XMLDecoder security issue via ClassFinder."
Family: unix Class: vulnerability
Reference(s): CVE-2012-1682
 Version: 10
Platform(s): HP-UX 11
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21284
 
Oval ID: oval:org.mitre.oval:def:21284
Title: RHSA-2012:1221: java-1.6.0-openjdk security update (Critical)
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-3136. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "XMLDecoder security issue via ClassFinder."
Family: unix Class: patch
Reference(s): RHSA-2012:1221-01
CESA-2012:1221
CVE-2012-0547
CVE-2012-1682
 Version: 29
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
 Product(s): java-1.6.0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21371
 
Oval ID: oval:org.mitre.oval:def:21371
Title: RHSA-2012:1222: java-1.6.0-openjdk security update (Important)
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-3136. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "XMLDecoder security issue via ClassFinder."
Family: unix Class: patch
Reference(s): RHSA-2012:1222-00
CESA-2012:1222
CVE-2012-0547
CVE-2012-1682
 Version: 29
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
 Product(s): java-1.6.0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22761
 
Oval ID: oval:org.mitre.oval:def:22761
Title: ELSA-2012:1222: java-1.6.0-openjdk security update (Important)
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-3136. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "XMLDecoder security issue via ClassFinder."
Family: unix Class: patch
Reference(s): ELSA-2012:1222-00
CVE-2012-0547
CVE-2012-1682
 Version: 13
Platform(s): Oracle Linux 5
 Product(s): java-1.6.0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23805
 
Oval ID: oval:org.mitre.oval:def:23805
Title: ELSA-2012:1221: java-1.6.0-openjdk security update (Critical)
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-3136. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "XMLDecoder security issue via ClassFinder."
Family: unix Class: patch
Reference(s): ELSA-2012:1221-01
CVE-2012-0547
CVE-2012-1682
 Version: 13
Platform(s): Oracle Linux 6
 Product(s): java-1.6.0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27774
 
Oval ID: oval:org.mitre.oval:def:27774
Title: DEPRECATED: ELSA-2012-1221 -- java-1.6.0-openjdk security update (critical)
Description: [1:1.6.0.0-1.49.1.11.4] - Updated to latest IedTea6 1.11.4 - Resolves: rhbz#853345 [1:1.6.0.0-1.48.1.11.3] - Access gnome bridge jar is forced to have 644 permissions - Resolves: rhbz#828752 [1:1.6.0.0-1.47.1.11.3] - Modified patch3, java-1.6.0-openjdk-java-access-bridge-security.patch: - com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils. - packages added also to package.definition - Resolves: rhbz#828752 [1:1.6.0.0-1.46.1.11.3] - Updated to IcedTea6 1.11.3 - Removed upstreamed patch8 - java-1.6.0-openjdk-jirafix_2820_2821.patch - Modified patch3, java-1.6.0-openjdk-java-access-bridge-security.patch: - com.sun.org.apache.xerces.internal.utils.,com.sun.org.apache.xalan.internal.utils. - packages added to patch - Resolves: rhbz#828752
Family: unix Class: patch
Reference(s): ELSA-2012-1221
CVE-2012-0547
CVE-2012-1682
 Version: 4
Platform(s): Oracle Linux 6
 Product(s): java-1.6.0-openjdk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27790
 
Oval ID: oval:org.mitre.oval:def:27790
Title: DEPRECATED: ELSA-2012-1222 -- java-1.6.0-openjdk security update (important)
Description: [1.6.0.0-1.28.1.10.9.0.1.el5_8] - Add oracle-enterprise.patch [1:1.6.0.0-1.28.1.10.9] - Updated to latest IcedTea6 1.10.9 - Resolves: rhbz#846709 - Resolves: rhbz#853114 [1:1.6.0.0-1.27.1.10.8] - Access gnome bridge jar is forced to have 644 permissions - Resolves: rhbz#828749
Family: unix Class: patch
Reference(s): ELSA-2012-1222
CVE-2012-0547
CVE-2012-1682
 Version: 4
Platform(s): Oracle Linux 5
 Product(s): java-1.6.0-openjdk
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 269
Application 189
Application 20
Application 20

OpenVAS Exploits

Date Description
2012-12-13 Name : SuSE Update for java-1_6_0-openjdk openSUSE-SU-2012:1175-1 (java-1_6_0-openjdk)
File : nvt/gb_suse_2012_1175_1.nasl
2012-10-09 Name : Mandriva Update for java-1.6.0-openjdk MDVSA-2012:150-1 (java-1.6.0-openjdk)
File : nvt/gb_mandriva_MDVSA_2012_150_1.nasl
2012-09-21 Name : Java for Mac OS X 10.6 Update 10
File : nvt/gb_macosx_java_10_6_upd_10.nasl
2012-09-04 Name : CentOS Update for java CESA-2012:1221 centos6
File : nvt/gb_CESA-2012_1221_java_centos6.nasl
2012-09-04 Name : CentOS Update for java CESA-2012:1222 centos5
File : nvt/gb_CESA-2012_1222_java_centos5.nasl
2012-09-04 Name : CentOS Update for java CESA-2012:1223 centos6
File : nvt/gb_CESA-2012_1223_java_centos6.nasl
2012-09-04 Name : RedHat Update for java-1.6.0-openjdk RHSA-2012:1221-01
File : nvt/gb_RHSA-2012_1221-01_java-1.6.0-openjdk.nasl
2012-09-04 Name : RedHat Update for java-1.6.0-openjdk RHSA-2012:1222-01
File : nvt/gb_RHSA-2012_1222-01_java-1.6.0-openjdk.nasl
2012-09-04 Name : RedHat Update for java-1.7.0-openjdk RHSA-2012:1223-01
File : nvt/gb_RHSA-2012_1223-01_java-1.7.0-openjdk.nasl
2012-09-04 Name : Ubuntu Update for openjdk-6 USN-1553-1
File : nvt/gb_ubuntu_USN_1553_1.nasl
2012-09-03 Name : Oracle Java SE JRE AWT Component Unspecified Vulnerability - (Windows)
File : nvt/gb_oracle_java_se_jre_awt_comp_unspecified_vuln_win.nasl
2012-09-03 Name : Oracle Java SE JRE Multiple Remote Code Execution Vulnerabilities - (Windows)
File : nvt/gb_oracle_java_se_jre_mult_code_exec_vuln_win.nasl

Nessus® Vulnerability Scanner

Date Description
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1456.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1455.nasl - Type : ACT_GATHER_INFO
2014-06-30 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201406-32.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-592.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2012-601.nasl - Type : ACT_GATHER_INFO
2014-01-27 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201401-30.nasl - Type : ACT_GATHER_INFO
2013-09-04 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2012-119.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1222.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1223.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2012-1221.nasl - Type : ACT_GATHER_INFO
2013-02-22 Name : The remote Unix host contains a programming platform that is affected by mult...
File : oracle_java7_update6_unix.nasl - Type : ACT_GATHER_INFO
2013-02-22 Name : The remote host contains a runtime environment that contains methods that can...
File : oracle_java6_update35_unix.nasl - Type : ACT_GATHER_INFO
2013-01-25 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_java-1_6_0-openjdk-120905.nasl - Type : ACT_GATHER_INFO
2013-01-25 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_java-1_7_0-ibm-120919.nasl - Type : ACT_GATHER_INFO
2012-11-16 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1466.nasl - Type : ACT_GATHER_INFO
2012-10-31 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20121018_java_1_6_0_sun_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-10-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1392.nasl - Type : ACT_GATHER_INFO
2012-10-06 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2012-150.nasl - Type : ACT_GATHER_INFO
2012-09-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1289.nasl - Type : ACT_GATHER_INFO
2012-09-06 Name : The remote host has a version of Java that contains methods that can aid in f...
File : macosx_java_2012-005.nasl - Type : ACT_GATHER_INFO
2012-09-06 Name : The remote host has a version of Java that contains methods that can aid in f...
File : macosx_java_10_6_update10.nasl - Type : ACT_GATHER_INFO
2012-09-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1223.nasl - Type : ACT_GATHER_INFO
2012-09-05 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120903_java_1_6_0_openjdk_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-09-05 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120903_java_1_6_0_openjdk_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-09-05 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20120903_java_1_7_0_openjdk_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2012-09-04 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-1553-1.nasl - Type : ACT_GATHER_INFO
2012-09-04 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1223.nasl - Type : ACT_GATHER_INFO
2012-09-04 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1225.nasl - Type : ACT_GATHER_INFO
2012-09-04 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1222.nasl - Type : ACT_GATHER_INFO
2012-09-04 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2012-1221.nasl - Type : ACT_GATHER_INFO
2012-09-04 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1222.nasl - Type : ACT_GATHER_INFO
2012-09-04 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2012-1221.nasl - Type : ACT_GATHER_INFO
2012-08-31 Name : The remote host contains a runtime environment that contains methods that can...
File : oracle_java6_update35.nasl - Type : ACT_GATHER_INFO
2012-08-27 Name : The remote Windows host contains a programming platform that is affected by m...
File : oracle_java7_update6.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 12:00:39
  • Multiple Updates