Rapid7 Vulnerability & Exploit Database

RHSA-2011:1380: java-1.6.0-openjdk security update

Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
10/19/2011
Created
07/25/2018
Added
10/27/2011
Modified
07/04/2017

Description

These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.

A flaw was found in the Java RMI (Remote Method Invocation) registry implementation. A remote RMI client could use this flaw to execute arbitrary code on the RMI server running the registry. (CVE-2011-3556)

A flaw was found in the Java RMI registry implementation. A remote RMI client could use this flaw to execute code on the RMI server with unrestricted privileges. (CVE-2011-3557)

A flaw was found in the IIOP (Internet Inter-Orb Protocol) deserialization code. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions by deserializing specially-crafted input. (CVE-2011-3521)

It was found that the Java ScriptingEngine did not properly restrict the privileges of sandboxed applications. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3544)

A flaw was found in the AWTKeyStroke implementation. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3548)

An integer overflow flaw, leading to a heap-based buffer overflow, was found in the Java2D code used to perform transformations of graphic shapes and images. An untrusted Java application or applet running in a sandbox could use this flaw to bypass sandbox restrictions. (CVE-2011-3551)

An insufficient error checking flaw was found in the unpacker for JAR files in pack200 format. A specially-crafted JAR file could use this flaw to crash the Java Virtual Machine (JVM) or, possibly, execute arbitrary code with JVM privileges. (CVE-2011-3554)

It was found that HttpsURLConnection did not perform SecurityManager checks in the setSSLSocketFactory method. An untrusted Java application or applet running in a sandbox could use this flaw to bypass connection restrictions defined in the policy. (CVE-2011-3560)

A flaw was found in the way the SSL 3 and TLS 1.0 protocols used block ciphers in cipher-block chaining (CBC) mode. An attacker able to perform a chosen plain text attack against a connection mixing trusted and untrusted data could use this flaw to recover portions of the trusted data sent over the connection. (CVE-2011-3389)

Note: This update mitigates the CVE-2011-3389 issue by splitting the first application data record byte to a separate SSL/TLS protocol record. This mitigation may cause compatibility issues with some SSL/TLS implementations and can be disabled using the jsse.enableCBCProtection boolean property. This can be done on the command line by appending the flag "-Djsse.enableCBCProtection=false" to the java command.

An information leak flaw was found in the InputStream.skip implementation. An untrusted Java application or applet could possibly use this flaw to obtain bytes skipped by other threads. (CVE-2011-3547)

A flaw was found in the Java HotSpot virtual machine. An untrusted Java application or applet could use this flaw to disclose portions of the VM memory, or cause it to crash. (CVE-2011-3558)

The Java API for XML Web Services (JAX-WS) implementation in OpenJDK was configured to include the stack trace in error messages sent to clients. A remote client could possibly use this flaw to obtain sensitive information. (CVE-2011-3553)

It was found that Java applications running with SecurityManager restrictions were allowed to use too many UDP sockets by default. If multiple instances of a malicious application were started at the same time, they could exhaust all available UDP sockets on the system. (CVE-2011-3552)

This erratum also upgrades the OpenJDK package to IcedTea6 1.9.10. Refer to the NEWS file, linked to in the References, for further information.

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
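As an added check that is not part of the advisory or the Rapid7 page: a POSIX shell snippet that reads the IcedTea6 release out of a `java -version` banner, compares it with the 1.9.10 release this erratum ships, and flags a java command line that has opted out of the CVE-2011-3389 record-splitting mitigation. The banner text is a constructed sample in the usual OpenJDK 6 format; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from RHSA-2011:1380 or Rapid7. Two defender-side checks
# derived from the advisory text: does a banner predate IcedTea6 1.9.10, and
# has a command line disabled the CBC mitigation (-Djsse.enableCBCProtection=false)?

# Print the IcedTea6 release found in banner text; prints nothing if absent.
icedtea_version() {
  printf '%s\n' "$1" | sed -n 's/.*IcedTea6 \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Compare dotted numeric versions field by field: returns 0 when $1 >= $2.
# A trailing dot is appended so cut always sees a delimiter (avoids the
# whole-line fallback cut uses when no delimiter is present).
version_ge() {
  i=1
  while :; do
    x=$(printf '%s.' "$1" | cut -d. -f"$i")
    y=$(printf '%s.' "$2" | cut -d. -f"$i")
    [ -z "$x" ] && [ -z "$y" ] && return 0
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
}

# 0 = update needed, 1 = at or past 1.9.10, 2 = no IcedTea6 banner found.
needs_rhsa_2011_1380() {
  v=$(icedtea_version "$1")
  [ -z "$v" ] && return 2
  version_ge "$v" 1.9.10 && return 1
  return 0
}

# 0 when the command line turns off the record-splitting mitigation.
cbc_protection_disabled() {
  case "$1" in
    *-Djsse.enableCBCProtection=false*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample banners (not captured from a real host).
OLD_BANNER='java version "1.6.0_20"
OpenJDK Runtime Environment (IcedTea6 1.9.9) (constructed-sample)
OpenJDK 64-Bit Server VM (build 19.0-b09, mixed mode)'
NEW_BANNER='java version "1.6.0_20"
OpenJDK Runtime Environment (IcedTea6 1.9.10) (constructed-sample)
OpenJDK 64-Bit Server VM (build 19.0-b09, mixed mode)'

needs_rhsa_2011_1380 "$OLD_BANNER" && echo "old banner: update needed"
needs_rhsa_2011_1380 "$NEW_BANNER" || echo "new banner: fixed release present"
```

On a live host, feed the function the output of `java -version 2>&1` and scan `ps` command lines for the flag; restarting every running JVM after the upgrade remains necessary, as the advisory states.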

Solution(s)

  • redhat-upgrade-java-1-6-0-openjdk
  • redhat-upgrade-java-1-6-0-openjdk-debuginfo
  • redhat-upgrade-java-1-6-0-openjdk-demo
  • redhat-upgrade-java-1-6-0-openjdk-devel
  • redhat-upgrade-java-1-6-0-openjdk-javadoc
  • redhat-upgrade-java-1-6-0-openjdk-src

References

  • redhat-upgrade-java-1-6-0-openjdk
  • redhat-upgrade-java-1-6-0-openjdk-debuginfo
  • redhat-upgrade-java-1-6-0-openjdk-demo
  • redhat-upgrade-java-1-6-0-openjdk-devel
  • redhat-upgrade-java-1-6-0-openjdk-javadoc
  • redhat-upgrade-java-1-6-0-openjdk-src
