Rapid7 Vulnerability & Exploit Database

RHSA-2011:1100: icedtea-web security update


Severity: 7
CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Published: 07/27/2011
Created: 07/25/2018
Added: 07/29/2011
Modified: 07/04/2017

Description

The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations.

A flaw was discovered in the JNLP (Java Network Launching Protocol) implementation in IcedTea-Web. An unsigned Java Web Start application could use this flaw to manipulate the content of a Security Warning dialog box, to trick a user into granting the application unintended access permissions to local files. (CVE-2011-2514)

An information disclosure flaw was discovered in the JNLP implementation in IcedTea-Web. An unsigned Java Web Start application or Java applet could use this flaw to determine the path to the cache directory used to store downloaded Java class and archive files, and therefore determine the user's login name. (CVE-2011-2513)

All icedtea-web users should upgrade to these updated packages, which contain backported patches to correct these issues.

Solution(s)

  • redhat-upgrade-icedtea-web
  • redhat-upgrade-icedtea-web-debuginfo
  • redhat-upgrade-icedtea-web-javadoc
