Rapid7 Vulnerability & Exploit Database

RHSA-2011:0857: java-1.6.0-openjdk security update




These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.

Integer overflow flaws were found in the way Java2D parsed JPEG images and user-supplied fonts. An attacker could use these flaws to execute arbitrary code with the privileges of the user running an untrusted applet or application. (CVE-2011-0862)

It was found that the MediaTracker implementation created Component instances with unnecessary access privileges. A remote attacker could use this flaw to elevate their privileges by utilizing an untrusted applet or application that uses Swing. (CVE-2011-0871)

A flaw was found in the HotSpot component in OpenJDK. Certain bytecode instructions confused the memory management within the Java Virtual Machine (JVM), resulting in an applet or application crashing. (CVE-2011-0864)

An information leak flaw was found in the NetworkInterface class. An untrusted applet or application could use this flaw to access information about available network interfaces that should only be available to privileged code. (CVE-2011-0867)

An incorrect float-to-long conversion, leading to an overflow, was found in the way certain objects (such as images and text) were transformed in Java2D. A remote attacker could use this flaw to crash an untrusted applet or application that uses Java2D. (CVE-2011-0868)

It was found that untrusted applets and applications could misuse a SOAP connection to incorrectly set global HTTP proxy settings instead of setting them in a local scope. This flaw could be used to intercept HTTP requests. (CVE-2011-0869)

A flaw was found in the way signed objects were deserialized. If trusted and untrusted code were running in the same Java Virtual Machine (JVM), and both were deserializing the same signed object, the untrusted code could modify said object by using this flaw to bypass the validation checks on signed objects. (CVE-2011-0865)

Note: All of the above flaws can only be remotely triggered in OpenJDK by calling the "appletviewer" application.

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which provide OpenJDK 6 b20 / IcedTea 1.9.8 and resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
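A quick way to confirm the remediation above on a host is to read the IcedTea build out of the `java -version` banner and compare it with 1.9.8, the release the advisory names as fixed. The script below is an added example, not Rapid7's or Red Hat's code; the banner strings are constructed samples modelled on OpenJDK 6 output, and the `icedtea_status` function name is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the advisory). Classifies a `java -version`
# banner as "fixed" (IcedTea6 >= 1.9.8), "vulnerable" (older IcedTea6)
# or "unknown" (no IcedTea6 tag, e.g. a JVM this advisory does not cover).

icedtea_status() {
    # Pull "X.Y.Z" out of the "(IcedTea6 X.Y.Z)" tag, first match only.
    ver=$(printf '%s\n' "$1" | sed -n 's/.*IcedTea6 \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || { echo unknown; return 0; }

    # Split into numeric components; missing ones default to 0.
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}

    # Pack into one integer so 1.10.x correctly sorts above 1.9.8.
    key=$((maj * 1000000 + min * 1000 + pat))
    fixed_key=$((1 * 1000000 + 9 * 1000 + 8))   # 1.9.8 per RHSA-2011:0857

    if [ "$key" -ge "$fixed_key" ]; then echo fixed; else echo vulnerable; fi
}

# Constructed sample banners (not captured from a real system).
SAMPLE_OLD='java version "1.6.0_20"
OpenJDK Runtime Environment (IcedTea6 1.9.7) (rhel-1.39.1.9.7.el6-x86_64)
OpenJDK 64-Bit Server VM (build 19.0-b09, mixed mode)'

SAMPLE_NEW='java version "1.6.0_20"
OpenJDK Runtime Environment (IcedTea6 1.9.8) (rhel-1.41.1.9.8.el6_1-x86_64)
OpenJDK 64-Bit Server VM (build 19.0-b09, mixed mode)'

# Stand-alone run: show the verdict for both constructed samples.
echo "old banner: $(icedtea_status "$SAMPLE_OLD")"
echo "new banner: $(icedtea_status "$SAMPLE_NEW")"
```

On a live host, `java -version` writes to stderr, so call `icedtea_status "$(java -version 2>&1)"`; a "fixed" verdict still says nothing about long-running JVMs started before the update, which the advisory says must be restarted.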


  • redhat-upgrade-java-1-6-0-openjdk
  • redhat-upgrade-java-1-6-0-openjdk-demo
  • redhat-upgrade-java-1-6-0-openjdk-devel
  • redhat-upgrade-java-1-6-0-openjdk-javadoc
  • redhat-upgrade-java-1-6-0-openjdk-src
