Rapid7 Vulnerability & Exploit Database

RHSA-2011:0176: java-1.6.0-openjdk security update

Back to Search

RHSA-2011:0176: java-1.6.0-openjdk security update

Severity
7
CVSS
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published
01/20/2011
Created
07/25/2018
Added
01/31/2011
Modified
07/04/2017

Description

These packages provide the OpenJDK 6 Java Runtime Environment and theOpenJDK 6 Software Development Kit. The javaws command can be used tolaunch Java Web Start applications.A public static field declaration allowed untrusted JNLP (Java NetworkLaunching Protocol) applications to read privileged data. A remote attackercould directly or indirectly read the values of restricted systemproperties, such as "user.name", "user.home", and "java.home", whichuntrusted applications should not be allowed to read. (CVE-2010-3860)It was found that JNLPSecurityManager could silently return withoutthrowing an exception when permission was denied. If the javaws command wasused to launch a Java Web Start application that relies on this exceptionbeing thrown, it could result in that application being run with elevatedprivileges, allowing it to bypass security manager restrictions and gainaccess to privileged functionality. (CVE-2010-4351)Note: The RHSA-2010:0339 java-1.6.0-openjdk update installed javaws bymistake. As part of the fixes for CVE-2010-3860 and CVE-2010-4351, thisupdate removes javaws.Red Hat would like to thank the TippingPoint Zero Day Initiative projectfor reporting CVE-2010-4351. The original issue reporter wishes to stayanonymous.This erratum also upgrades the OpenJDK package to IcedTea6 1.7.7. Refer tothe NEWS file, linked to in the References, for further information.All users of java-1.6.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.

Solution(s)

  • redhat-upgrade-java-1-6-0-openjdk
  • redhat-upgrade-java-1-6-0-openjdk-demo
  • redhat-upgrade-java-1-6-0-openjdk-devel
  • redhat-upgrade-java-1-6-0-openjdk-javadoc
  • redhat-upgrade-java-1-6-0-openjdk-src

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;