Rapid7 VulnDB

RHSA-2011:0281: java-1.6.0-openjdk security update

Back to Search

RHSA-2011:0281: java-1.6.0-openjdk security update

Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
02/17/2011
Created
07/25/2018
Added
02/24/2011
Modified
07/04/2017

Description

These packages provide the OpenJDK 6 Java Runtime Environment and theOpenJDK 6 Software Development Kit.A flaw was found in the Swing library. Forged TimerEvents could be used tobypass SecurityManager checks, allowing access to otherwise blocked filesand directories. (CVE-2010-4465)A flaw was found in the HotSpot component in OpenJDK. Certain bytecodeinstructions confused the memory management within the Java Virtual Machine(JVM), which could lead to heap corruption. (CVE-2010-4469)A flaw was found in the way JAXP (Java API for XML Processing) componentswere handled, allowing them to be manipulated by untrusted applets. Thiscould be used to elevate privileges and bypass secure XML processingrestrictions. (CVE-2010-4470)It was found that untrusted applets could create and place cache entries inthe name resolution cache. This could allow an attacker targetedmanipulation over name resolution until the OpenJDK VM is restarted.(CVE-2010-4448)It was found that the Java launcher provided by OpenJDK did not check theLD_LIBRARY_PATH environment variable for insecure empty path elements. Alocal attacker able to trick a user into running the Java launcher whileworking from an attacker-writable directory could use this flaw to load anuntrusted library, subverting the Java security model. (CVE-2010-4450)A flaw was found in the XML Digital Signature component in OpenJDK.Untrusted code could use this flaw to replace the Java Runtime Environment(JRE) XML Digital Signature Transform or C14N algorithm implementations tointercept digital signature operations. (CVE-2010-4472)Note: All of the above flaws can only be remotely triggered in OpenJDK bycalling the "appletviewer" application.This update also provides one defense in depth patch. (BZ#676019)All users of java-1.6.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.

Solution(s)

  • redhat-upgrade-java-1-6-0-openjdk
  • redhat-upgrade-java-1-6-0-openjdk-debuginfo
  • redhat-upgrade-java-1-6-0-openjdk-demo
  • redhat-upgrade-java-1-6-0-openjdk-devel
  • redhat-upgrade-java-1-6-0-openjdk-javadoc
  • redhat-upgrade-java-1-6-0-openjdk-src

References

  • redhat-upgrade-java-1-6-0-openjdk
  • redhat-upgrade-java-1-6-0-openjdk-debuginfo
  • redhat-upgrade-java-1-6-0-openjdk-demo
  • redhat-upgrade-java-1-6-0-openjdk-devel
  • redhat-upgrade-java-1-6-0-openjdk-javadoc
  • redhat-upgrade-java-1-6-0-openjdk-src

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;