
    RHSA-2012:1384: java-1.6.0-openjdk security update

    Severity: 10
    CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
    Published: October 15, 2012
    Added: November 08, 2012
    Modified: September 06, 2015

    Description

    These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.

    Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-5086, CVE-2012-5084, CVE-2012-5089)

    Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072)

    It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2012-5079)

    It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception. (CVE-2012-5081)

    It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. (CVE-2012-5075)

    A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory. (CVE-2012-4416)

    It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. (CVE-2012-5077)

    It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory. (CVE-2012-3216)

    This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true. (CVE-2012-5085)

    Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.

    This erratum also upgrades the OpenJDK package to IcedTea6 1.11.5. Refer to the NEWS file, linked to in the References, for further information.

    All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
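    Added example, not part of the Rapid7 entry or the Red Hat erratum: a POSIX shell check a defender can run on a host after applying the update. It extracts the IcedTea6 release from "java -version" output (assuming that output carries an "IcedTea6 x.y.z" token, as the RHEL OpenJDK builds of the time did), compares it component by component against the 1.11.5 release this erratum ships (a plain string compare would wrongly rank 1.9.1 above 1.11.5), and lists Java processes on Linux whose executable was replaced while they were running, which /proc/PID/exe reports with a "(deleted)" suffix. Those are the still-running instances the advisory says must be restarted. The function names and the --check flag are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): verify the installed IcedTea6 release
# and find Java processes still running pre-update code.

FIXED_ICEDTEA="1.11.5"   # release named in the erratum text

# version_ge A B -> exit 0 if dotted version A >= B, comparing each
# component numerically (1.11.5 > 1.9.1; a missing component counts as 0).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ca="${a%%.*}"; cb="${b%%.*}"
    [ "$a" = "$ca" ] && a="" || a="${a#*.}"
    [ "$b" = "$cb" ] && b="" || b="${b#*.}"
    ca="${ca:-0}"; cb="${cb:-0}"
    [ "$ca" -gt "$cb" ] && return 0
    [ "$ca" -lt "$cb" ] && return 1
  done
  return 0
}

# icedtea_version TEXT -> prints the "IcedTea6 x.y.z" release found in
# "java -version" output, or nothing when the runtime is not IcedTea6.
icedtea_version() {
  printf '%s\n' "$1" | sed -n 's/.*IcedTea6 \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# icedtea_fixed TEXT -> exit 0 when the runtime is at or above FIXED_ICEDTEA.
icedtea_fixed() {
  v=$(icedtea_version "$1")
  [ -n "$v" ] || return 1
  version_ge "$v" "$FIXED_ICEDTEA"
}

# stale_java_pids -> PIDs of Java processes whose binary was replaced
# underneath them; Linux marks the old mapping "(deleted)" in /proc/PID/exe.
# These still execute the old code and need a restart.
stale_java_pids() {
  for exe in /proc/[0-9]*/exe; do
    pid="${exe#/proc/}"; pid="${pid%/exe}"
    target=$(readlink "$exe" 2>/dev/null) || continue
    case "$target" in
      *java*"(deleted)") echo "$pid" ;;
    esac
  done
}

# Usage: sh check-openjdk.sh --check
if [ "${1:-}" = "--check" ]; then
  out=$(java -version 2>&1)
  if icedtea_fixed "$out"; then
    echo "runtime is IcedTea6 $(icedtea_version "$out"), at or above $FIXED_ICEDTEA"
  else
    echo "runtime is older than IcedTea6 $FIXED_ICEDTEA (or not an IcedTea6 build)"
  fi
  echo "java processes needing restart (empty is good):"
  stale_java_pids
fi
```

    The "java -version" line used in the test below is constructed in the shape of the RHEL 6 build string of the period; on a real host, an empty result from the stale-process list together with a release at or above 1.11.5 is the condition the advisory's remediation asks for.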


    References

    Solution

    linuxrpm-upgrade-rhel60-ix86-java-1.6.0-openjdk
