Vulnerability & Exploit Database

RHSA-2012:1386: java-1.7.0-openjdk security update

Severity: 10
CVSS: AV:N/AC:L/Au:N/C:C/I:C/A:C
Published: October 15, 2012
Added: November 08, 2012
Modified: September 06, 2015

Description

These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.

Multiple improper permission check issues were discovered in the Beans, Libraries, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5084, CVE-2012-5089)

The default Java security properties configuration did not restrict access to certain com.sun.org.glassfish packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. This update lists those packages as restricted. (CVE-2012-5076, CVE-2012-5074)

Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072)

It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2012-5079)

It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception. (CVE-2012-5081)

It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use these flaws to disclose sensitive information. (CVE-2012-5070, CVE-2012-5075)

A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory. (CVE-2012-4416)

It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. (CVE-2012-5077)

It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory. (CVE-2012-3216)

This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true. (CVE-2012-5085)

This erratum also upgrades the OpenJDK package to IcedTea7 2.3.3. Refer to the NEWS file, linked to in the References, for further information.

All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
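The advisory asks for two things that are easy to get half right: the package must be upgraded, and every running OpenJDK instance must be restarted, because a JVM that started before the upgrade keeps executing the old libjvm.so from memory. The script below is an added verification example for a RHEL 6 host; it is not part of the Red Hat erratum or the Rapid7 entry. It assumes rpm and GNU coreutils (sort -V) are available, and FIXED_VERSION is a placeholder that must be replaced with the fixed VERSION-RELEASE from the erratum, which this page does not state.

```shell
#!/bin/sh
# Added example (not from the advisory): post-patch verification for
# RHSA-2012:1386 on a RHEL 6 host. Two checks the advisory implies:
#   1. the installed java-1.7.0-openjdk package is at or above the fixed build;
#   2. no JVM is still running on the pre-update libjvm.so (the advisory
#      requires every running OpenJDK instance to be restarted).
# FIXED_VERSION is a PLACEHOLDER: substitute the real fixed VERSION-RELEASE
# from the erratum before relying on check 1.
FIXED_VERSION="${FIXED_VERSION:-1.7.0.9-2.3.3.el6_3}"   # placeholder, not from the page

# version_ge A B -> exit 0 if A >= B under natural version ordering (GNU sort -V).
# Handles "version-release" strings such as 1.7.0.9-2.3.3.el6_3 and treats
# numeric fields numerically, so 1.7.0.10 sorts after 1.7.0.9.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# installed_version -> prints VERSION-RELEASE of the installed package, or
# nothing if it is not installed (rpm absent or package missing).
installed_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' java-1.7.0-openjdk 2>/dev/null | head -n 1
}

# package_is_fixed -> 0 if the installed version is >= FIXED_VERSION, else 1.
package_is_fixed() {
    v=$(installed_version)
    [ -n "$v" ] && version_ge "$v" "$FIXED_VERSION"
}

# stale_jvm_pids -> prints PIDs of processes that still map a libjvm.so the
# package manager has since replaced on disk (the kernel marks the mapping
# "(deleted)"). These are JVMs started before the update; they need a restart.
stale_jvm_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if grep -q 'libjvm\.so.*(deleted)' "$maps" 2>/dev/null; then
            echo "$pid"
        fi
    done
}

# report -> prints a summary; returns 0 only when both checks pass.
report() {
    rc=0
    if package_is_fixed; then
        echo "OK: java-1.7.0-openjdk $(installed_version) >= $FIXED_VERSION"
    else
        echo "FAIL: java-1.7.0-openjdk is '$(installed_version)', need >= $FIXED_VERSION"
        rc=1
    fi
    stale=$(stale_jvm_pids)
    if [ -n "$stale" ]; then
        echo "FAIL: JVMs still running the pre-update libjvm.so (restart them): $stale"
        rc=1
    else
        echo "OK: no running JVM maps a deleted libjvm.so"
    fi
    return $rc
}

# Run the checks only when invoked with --run, so the functions can also be
# sourced into other scripts without side effects.
case "${1:-}" in
    --run) report ;;
    *) echo "usage: $0 --run" >&2 ;;
esac
```

Run it as root (so every process's /proc/PID/maps is readable) after the rpm upgrade: `sh rhsa-2012-1386-check.sh --run`. A non-zero exit means either the package is still below the fixed build or at least one JVM is still executing the old library; the second case is the one that fleet inventories based on rpm -q alone never catch.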

Solution

linuxrpm-upgrade-rhel60-ix86-java-1.7.0-openjdk
