Rapid7 Vulnerability & Exploit Database

RHSA-2009:0377: java-1.6.0-openjdk security update

Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 03/25/2009
Created: 07/25/2018
Added: 09/12/2009
Modified: 07/04/2017

Description

These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. The Java Runtime Environment (JRE) contains the software and tools that users need to run applications written using the Java programming language.

A flaw was found in the way that the Java Virtual Machine (JVM) handled temporary font files. A malicious applet could use this flaw to use large amounts of disk space, causing a denial of service. (CVE-2006-2426)

A memory leak flaw was found in LittleCMS (embedded in OpenJDK). An application using color profiles could use excessive amounts of memory, and possibly crash after using all available memory, if used to open specially-crafted images. (CVE-2009-0581)

Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in the way LittleCMS handled color profiles. An attacker could use these flaws to create a specially-crafted image file which could cause a Java application to crash or, possibly, execute arbitrary code when opened. (CVE-2009-0723, CVE-2009-0733)

A null pointer dereference flaw was found in LittleCMS. An application using color profiles could crash while converting a specially-crafted image file. (CVE-2009-0793)

A flaw in the Java API for XML Web Services (JAX-WS) service endpoint handling could allow a remote attacker to cause a denial of service on the server application hosting the JAX-WS service endpoint. (CVE-2009-1101)

A flaw in the way the Java Runtime Environment initialized LDAP connections could allow a remote, authenticated user to cause a denial of service on the LDAP service. (CVE-2009-1093)

A flaw in the Java Runtime Environment LDAP client could allow malicious data from an LDAP server to cause arbitrary code to be loaded and then run on an LDAP client. (CVE-2009-1094)

Several buffer overflow flaws were found in the Java Runtime Environment unpack200 functionality. An untrusted applet could extend its privileges, allowing it to read and write local files, as well as to execute local applications with the privileges of the user running the applet. (CVE-2009-1095, CVE-2009-1096)

A flaw in the Java Runtime Environment Virtual Machine code generation functionality could allow untrusted applets to extend their privileges. An untrusted applet could extend its privileges, allowing it to read and write local files, as well as execute local applications with the privileges of the user running the applet. (CVE-2009-1102)

A buffer overflow flaw was found in the splash screen processing. A remote attacker could extend privileges to read and write local files, as well as to execute local applications with the privileges of the user running the java process. (CVE-2009-1097)

A buffer overflow flaw was found in how GIF images were processed. A remote attacker could extend privileges to read and write local files, as well as execute local applications with the privileges of the user running the java process. (CVE-2009-1098)

Note: The flaws concerning applets in this advisory, CVE-2009-1095, CVE-2009-1096, and CVE-2009-1102, can only be triggered in java-1.6.0-openjdk by calling the "appletviewer" application.

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

Solution(s)

  • redhat-upgrade-java-1-6-0-openjdk
  • redhat-upgrade-java-1-6-0-openjdk-demo
  • redhat-upgrade-java-1-6-0-openjdk-devel
  • redhat-upgrade-java-1-6-0-openjdk-javadoc
  • redhat-upgrade-java-1-6-0-openjdk-src
