Back to search

RHSA-2012:0729: java-1.6.0-openjdk security update

Severity CVSS Published Added Modified
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) June 15, 2012 June 18, 2012 September 06, 2015

Available Exploits 


These packages provide the OpenJDK 6 Java Runtime Environment and theOpenJDK 6 Software Development Kit.Multiple flaws were discovered in the CORBA (Common Object Request BrokerArchitecture) implementation in Java. A malicious Java application orapplet could use these flaws to bypass Java sandbox restrictions or modifyimmutable object data. (CVE-2012-1711, CVE-2012-1719)It was discovered that the SynthLookAndFeel class from Swing did notproperly prevent access to certain UI elements from outside the currentapplication context. A malicious Java application or applet could use thisflaw to crash the Java Virtual Machine, or bypass Java sandboxrestrictions. (CVE-2012-1716)Multiple flaws were discovered in the font manager's layout lookupimplementation. A specially-crafted font file could cause the Java VirtualMachine to crash or, possibly, execute arbitrary code with the privilegesof the user running the virtual machine. (CVE-2012-1713)Multiple flaws were found in the way the Java HotSpot Virtual Machineverified the bytecode of the class file to be executed. A specially-craftedJava application or applet could use these flaws to crash the Java VirtualMachine, or bypass Java sandbox restrictions. (CVE-2012-1723,CVE-2012-1725)It was discovered that the Java XML parser did not properly handle certainXML documents. An attacker able to make a Java application parse aspecially-crafted XML file could use this flaw to make the XML parser enteran infinite loop. (CVE-2012-1724)It was discovered that the Java security classes did not properly handleCertificate Revocation Lists (CRL). CRL containing entries with duplicatecertificate serial numbers could have been ignored. (CVE-2012-1718)It was discovered that various classes of the Java Runtime library couldcreate temporary files with insecure permissions. A local attacker coulduse this flaw to gain access to the content of such temporary files.(CVE-2012-1717)Note: If the web browser plug-in provided by the icedtea-web package wasinstalled, the issues exposed via Java applets could have been exploitedwithout user interaction if a user visited a malicious website.This erratum also upgrades the OpenJDK package to IcedTea6 1.11.3. Refer tothe NEWS file, linked to in the References, for further information.All users of java-1.6.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.

Free Nexpose Download

Discover, prioritize, and remediate security risks today!

 Download now




Related Vulnerabilities