Vulnerability & Exploit Database

Back to search

RHSA-2009:0377: java-1.6.0-openjdk security update

Severity CVSS Published Added Modified
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) March 25, 2009 September 12, 2009 July 04, 2017

Description

These packages provide the OpenJDK 6 Java Runtime Environment and theOpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE)contains the software and tools that users need to run applications writtenusing the Java programming language.A flaw was found in the way that the Java Virtual Machine (JVM) handledtemporary font files. A malicious applet could use this flaw to use largeamounts of disk space, causing a denial of service. (CVE-2006-2426)A memory leak flaw was found in LittleCMS (embedded in OpenJDK). Anapplication using color profiles could use excessive amounts of memory, andpossibly crash after using all available memory, if used to openspecially-crafted images. (CVE-2009-0581)Multiple integer overflow flaws which could lead to heap-based bufferoverflows, as well as multiple insufficient input validation flaws, werefound in the way LittleCMS handled color profiles. An attacker could usethese flaws to create a specially-crafted image file which could cause aJava application to crash or, possibly, execute arbitrary code when opened.(CVE-2009-0723, CVE-2009-0733)A null pointer dereference flaw was found in LittleCMS. An applicationusing color profiles could crash while converting a specially-crafted imagefile. (CVE-2009-0793)A flaw in the Java API for XML Web Services (JAX-WS) service endpointhandling could allow a remote attacker to cause a denial of service on theserver application hosting the JAX-WS service endpoint. (CVE-2009-1101)A flaw in the way the Java Runtime Environment initialized LDAP connectionscould allow a remote, authenticated user to cause a denial of service onthe LDAP service. (CVE-2009-1093)A flaw in the Java Runtime Environment LDAP client could allow maliciousdata from an LDAP server to cause arbitrary code to be loaded and then runon an LDAP client. (CVE-2009-1094)Several buffer overflow flaws were found in the Java Runtime Environmentunpack200 functionality. An untrusted applet could extend its privileges,allowing it to read and write local files, as well as to execute localapplications with the privileges of the user running the applet.(CVE-2009-1095, CVE-2009-1096)A flaw in the Java Runtime Environment Virtual Machine code generationfunctionality could allow untrusted applets to extend their privileges. Anuntrusted applet could extend its privileges, allowing it to read and writelocal files, as well as execute local applications with the privilegesof the user running the applet. (CVE-2009-1102)A buffer overflow flaw was found in the splash screen processing. A remoteattacker could extend privileges to read and write local files, as well asto execute local applications with the privileges of the user running thejava process. (CVE-2009-1097)A buffer overflow flaw was found in how GIF images were processed. A remoteattacker could extend privileges to read and write local files, as well asexecute local applications with the privileges of the user running thejava process. (CVE-2009-1098)Note: The flaws concerning applets in this advisory, CVE-2009-1095,CVE-2009-1096, and CVE-2009-1102, can only be triggered injava-1.6.0-openjdk by calling the "appletviewer" application.All users of java-1.6.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.

Scan For This Vulnerability

Use our top-rated tool to discover, prioritize, and remediate your vulnerabilities

 Free InsightVM Trial

References

Solution

redhat-upgrade-java-1-6-0-openjdk

Related Vulnerabilities