Executive Summary
Summary | |
---|---|
Title | java-1.6.0-openjdk security update |
Informations | |||
---|---|---|---|
Name | RHSA-2011:0176 | First vendor Publication | 2011-01-25 |
Vendor | RedHat | Last vendor Modification | 2011-01-25 |
Severity (Vendor) | Moderate | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 6.8 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated java-1.6.0-openjdk packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux (v. 5 server) - i386, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 3. Description: These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The javaws command can be used to launch Java Web Start applications. A public static field declaration allowed untrusted JNLP (Java Network Launching Protocol) applications to read privileged data. A remote attacker could directly or indirectly read the values of restricted system properties, such as "user.name", "user.home", and "java.home", which untrusted applications should not be allowed to read. (CVE-2010-3860) It was found that JNLPSecurityManager could silently return without throwing an exception when permission was denied. If the javaws command was used to launch a Java Web Start application that relies on this exception being thrown, it could result in that application being run with elevated privileges, allowing it to bypass security manager restrictions and gain access to privileged functionality. (CVE-2010-4351) Note: The RHSA-2010:0339 java-1.6.0-openjdk update installed javaws by mistake. As part of the fixes for CVE-2010-3860 and CVE-2010-4351, this update removes javaws. Red Hat would like to thank the TippingPoint Zero Day Initiative project for reporting CVE-2010-4351. The original issue reporter wishes to stay anonymous. This erratum also upgrades the OpenJDK package to IcedTea6 1.7.7. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. 4. Solution: Before applying this update, make sure all previously-released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 645843 - CVE-2010-3860 IcedTea System property information leak via public static 663680 - CVE-2010-4351 IcedTea jnlp security manager bypass |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2011-0176.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
50 % | CWE-264 | Permissions, Privileges, and Access Controls |
50 % | CWE-200 | Information Exposure |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:21749 | |||
Oval ID: | oval:org.mitre.oval:def:21749 | ||
Title: | RHSA-2011:0176: java-1.6.0-openjdk security update (Moderate) | ||
Description: | The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7, 1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent attackers to bypass the intended security policy by creating instances of ClassLoader. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2011:0176-01 CESA-2011:0176 CVE-2010-3860 CVE-2010-4351 | Version: | 29 |
Platform(s): | Red Hat Enterprise Linux 5 CentOS Linux 5 | Product(s): | java-1.6.0-openjdk |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:22663 | |||
Oval ID: | oval:org.mitre.oval:def:22663 | ||
Title: | ELSA-2011:0176: java-1.6.0-openjdk security update (Moderate) | ||
Description: | The JNLP SecurityManager in IcedTea (IcedTea.so) 1.7 before 1.7.7, 1.8 before 1.8.4, and 1.9 before 1.9.4 for Java OpenJDK returns from the checkPermission method instead of throwing an exception in certain circumstances, which might allow context-dependent attackers to bypass the intended security policy by creating instances of ClassLoader. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011:0176-01 CVE-2010-3860 CVE-2010-4351 | Version: | 13 |
Platform(s): | Oracle Linux 5 | Product(s): | java-1.6.0-openjdk |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:27537 | |||
Oval ID: | oval:org.mitre.oval:def:27537 | ||
Title: | DEPRECATED: ELSA-2011-0176 -- java-1.6.0-openjdk security update (moderate) | ||
Description: | [1:1.6.0.0-1.17.b17.0.1.el5] - Add oracle-enterprise.patch [1:1.6.0.0-1.17.b17.el5] - Updated to 1.7.7 tarball - Resolves: bz668487 - Also resolves bz668488 | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2011-0176 CVE-2010-3860 CVE-2010-4351 | Version: | 4 |
Platform(s): | Oracle Linux 5 | Product(s): | java-1.6.0-openjdk |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-07-30 | Name : CentOS Update for java CESA-2011:0176 centos5 x86_64 File : nvt/gb_CESA-2011_0176_java_centos5_x86_64.nasl |
2011-08-09 | Name : CentOS Update for java CESA-2011:0176 centos5 i386 File : nvt/gb_CESA-2011_0176_java_centos5_i386.nasl |
2011-05-12 | Name : Debian Security Advisory DSA 2224-1 (openjdk-6) File : nvt/deb_2224_1.nasl |
2011-04-01 | Name : Mandriva Update for java-1.6.0-openjdk MDVSA-2011:054 (java-1.6.0-openjdk) File : nvt/gb_mandriva_MDVSA_2011_054.nasl |
2011-02-04 | Name : Ubuntu Update for openjdk-6, openjdk-6b18 vulnerabilities USN-1055-1 File : nvt/gb_ubuntu_USN_1055_1.nasl |
2011-01-31 | Name : RedHat Update for java-1.6.0-openjdk RHSA-2011:0176-01 File : nvt/gb_RHSA-2011_0176-01_java-1.6.0-openjdk.nasl |
2011-01-31 | Name : Ubuntu Update for openjdk-6, openjdk-6b18 vulnerability USN-1052-1 File : nvt/gb_ubuntu_USN_1052_1.nasl |
2011-01-21 | Name : Fedora Update for java-1.6.0-openjdk FEDORA-2011-0500 File : nvt/gb_fedora_2011_0500_java-1.6.0-openjdk_fc13.nasl |
2011-01-21 | Name : Fedora Update for java-1.6.0-openjdk FEDORA-2011-0521 File : nvt/gb_fedora_2011_0521_java-1.6.0-openjdk_fc14.nasl |
2010-12-09 | Name : Fedora Update for java-1.6.0-openjdk FEDORA-2010-18393 File : nvt/gb_fedora_2010_18393_java-1.6.0-openjdk_fc14.nasl |
2010-12-09 | Name : Ubuntu Update for openjdk-6 vulnerability USN-1024-1 File : nvt/gb_ubuntu_USN_1024_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
70605 | OpenJDK IcedTea JNLP SecurityManager checkPermission Method Exception Bypass Java OpenJDK contains a flaw related to the 'JNLPSecurityManager' class not properly enforcing security policies in the 'IcedTea.so' component. This may allow a context-dependent attacker to use a crafted website or applet to execute arbitrary code. |
69675 | IcedTea Multiple Variable Public Declaration Remote Information Disclosure IcedTea contains a flaw that may lead to an unauthorized information disclosure. Â Multiple sensitive variables are declared public, which will disclose user.name, user.home and java.home information to a remote attacker. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2014-06-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201406-32.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_java-1_6_0-openjdk-110118.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : suse_11_3_java-1_6_0-openjdk-101202.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2011-0176.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20110125_java_1_6_0_openjdk_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_java-1_6_0-openjdk-101202.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_java-1_6_0-openjdk-110118.nasl - Type : ACT_GATHER_INFO |
2011-05-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_2_java-1_6_0-openjdk-101202.nasl - Type : ACT_GATHER_INFO |
2011-04-21 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2224.nasl - Type : ACT_GATHER_INFO |
2011-04-15 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2011-0176.nasl - Type : ACT_GATHER_INFO |
2011-03-28 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2011-054.nasl - Type : ACT_GATHER_INFO |
2011-02-02 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1055-1.nasl - Type : ACT_GATHER_INFO |
2011-01-27 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1052-1.nasl - Type : ACT_GATHER_INFO |
2011-01-26 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2011-0176.nasl - Type : ACT_GATHER_INFO |
2011-01-20 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0521.nasl - Type : ACT_GATHER_INFO |
2011-01-20 | Name : The remote Fedora host is missing a security update. File : fedora_2011-0500.nasl - Type : ACT_GATHER_INFO |
2010-12-02 | Name : The remote Fedora host is missing a security update. File : fedora_2010-18393.nasl - Type : ACT_GATHER_INFO |
2010-12-01 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-1024-1.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:54:17 |
|
2013-05-11 00:51:59 |
|