RHSA-2013:0752: java-1.7.0-openjdk security update
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | April 17, 2013 | April 22, 2013 | July 04, 2017 |
Description
These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.

Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384)

Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-1558, CVE-2013-2422, CVE-2013-2436, CVE-2013-1518, CVE-2013-1557)

The previous default value of the java.rmi.server.useCodebaseOnly property permitted the RMI implementation to automatically load classes from remotely specified locations. An attacker able to connect to an application using RMI could use this flaw to make the application execute arbitrary code. (CVE-2013-1537)

Note: The fix for CVE-2013-1537 changes the default value of the property to true, restricting class loading to the local CLASSPATH and locations specified in the java.rmi.server.codebase property. Refer to Red Hat Bugzilla bug 952387 for additional details.

The 2D component did not properly process certain images. An untrusted Java application or applet could possibly use this flaw to trigger Java Virtual Machine memory corruption. (CVE-2013-2420)

It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform access checks and MethodHandle lookups. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-2431, CVE-2013-2421, CVE-2013-2423)

It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO component did not protect against modification of their state while performing certain native code operations. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. (CVE-2013-2429, CVE-2013-2430)

The JDBC driver manager could incorrectly call the toString() method in JDBC drivers, and the ConcurrentHashMap class could incorrectly call the defaultReadObject() method. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2013-1488, CVE-2013-2426)

The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2013-0401)

Flaws were discovered in the Network component's InetAddress serialization, and the 2D component's font handling. An untrusted Java application or applet could possibly use these flaws to crash the Java Virtual Machine. (CVE-2013-2417, CVE-2013-2419)

The MBeanInstantiator class implementation in the OpenJDK JMX component did not properly check class access before creating new instances. An untrusted Java application or applet could use this flaw to create instances of non-public classes. (CVE-2013-2424)

It was discovered that JAX-WS could possibly create temporary files with insecure permissions. A local attacker could use this flaw to access temporary files created by an application using JAX-WS. (CVE-2013-2415)

This erratum also upgrades the OpenJDK package to IcedTea7 2.3.9. Refer to the NEWS file, linked to in the References, for further information.

All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
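As an added defender-side example (not part of the advisory or of Red Hat's tooling), the following Python script audits the command lines of running JVMs for explicit overrides of java.rmi.server.useCodebaseOnly: after this update the JVM default is true, so any process started with `-Djava.rmi.server.useCodebaseOnly=false` re-opens the CVE-2013-1537 behaviour, while processes that set nothing are only covered once they run a fixed build and have been restarted. The sample `ps` output and all file paths in it are constructed.

```python
import os
import re
import subprocess

PROP = "java.rmi.server.useCodebaseOnly"
PROP_RE = re.compile(r"-D" + re.escape(PROP) + r"=(.*)$")

# Constructed sample of `ps -eo pid,args` output with hypothetical paths: a JVM that
# re-enables remote codebase loading, one pinning the safe value, one on the default.
SAMPLE_PS = """\
  PID COMMAND
 1203 /usr/lib/jvm/jre-1.7.0-openjdk/bin/java -Djava.rmi.server.useCodebaseOnly=false -jar /opt/legacy/rmi-server.jar
 1417 /usr/bin/java -Djava.rmi.server.useCodebaseOnly=true -Djava.rmi.server.codebase=file:/opt/app/lib/ -jar /opt/app/app.jar
 2290 /usr/bin/java -Xmx512m -jar /opt/batch/batch.jar
 2305 /usr/sbin/sshd -D
"""

def codebase_only_setting(args):
    """Lower-cased -D value of the property on one command line, or None when it
    is not set. ps prints argv joined by spaces, and the JVM keeps the last -D."""
    value = None
    for tok in args.split():
        m = PROP_RE.match(tok)
        if m:
            value = m.group(1).lower()
    return value

def classify(value):
    """RMI treats only the literal "false" as disabling the restriction, so any
    other explicit value leaves it on; an absent value means the JVM default."""
    if value is None:
        return "jvm-default"    # safe only on a build carrying the CVE-2013-1537 fix
    if value == "false":
        return "insecure"       # remote class loading over RMI explicitly re-enabled
    return "pinned-true"

def audit_ps(ps_output):
    """Return {pid: verdict} for every java process in `ps -eo pid,args` output."""
    verdicts = {}
    for line in ps_output.splitlines()[1:]:          # first line is the header
        pid, _, args = line.strip().partition(" ")
        if args and os.path.basename(args.split()[0]) == "java":
            verdicts[pid] = classify(codebase_only_setting(args))
    return verdicts

if __name__ == "__main__":                           # live run against this host
    live = subprocess.check_output(["ps", "-eo", "pid,args"], text=True)
    for pid, verdict in sorted(audit_ps(live).items(), key=lambda kv: int(kv[0])):
        print(f"{pid:>7}  {verdict}")
```

Properties injected through JAVA_TOOL_OPTIONS or set by the application itself via System.setProperty do not appear in `ps` output, so a "jvm-default" verdict still needs confirming against the process's real configuration.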
References
- APPLE-APPLE-SA-2013-04-16-2
- BID-59131
- BID-59159
- BID-59166
- BID-59179
- BID-59190
- CERT-TA13-107A
- CVE-2013-0401
- CVE-2013-1488
- CVE-2013-1518
- CVE-2013-1537
- CVE-2013-1557
- CVE-2013-1558
- CVE-2013-1569
- CVE-2013-2383
- CVE-2013-2384
- CVE-2013-2415
- CVE-2013-2417
- CVE-2013-2419
- CVE-2013-2420
- CVE-2013-2421
- CVE-2013-2422
- CVE-2013-2423
- CVE-2013-2424
- CVE-2013-2426
- CVE-2013-2429
- CVE-2013-2430
- CVE-2013-2431
- CVE-2013-2436
- OVAL-OVAL15708
- OVAL-OVAL16011
- OVAL-OVAL16258
- OVAL-OVAL16297
- OVAL-OVAL16314
- OVAL-OVAL16410
- OVAL-OVAL16446
- OVAL-OVAL16511
- OVAL-OVAL16527
- OVAL-OVAL16540
- OVAL-OVAL16543
- OVAL-OVAL16549
- OVAL-OVAL16561
- OVAL-OVAL16564
- OVAL-OVAL16578
- OVAL-OVAL16597
- OVAL-OVAL16683
- OVAL-OVAL16688
- OVAL-OVAL16697
- OVAL-OVAL16700
- OVAL-OVAL16702
- OVAL-OVAL19087
- OVAL-OVAL19107
- OVAL-OVAL19158
- OVAL-OVAL19203
- OVAL-OVAL19291
- OVAL-OVAL19294
- OVAL-OVAL19327
- OVAL-OVAL19341
- OVAL-OVAL19354
- OVAL-OVAL19385
- OVAL-OVAL19386
- OVAL-OVAL19451
- OVAL-OVAL19463
- OVAL-OVAL19524
- OVAL-OVAL19526
- OVAL-OVAL19536
- OVAL-OVAL19549
- OVAL-OVAL19550
- OVAL-OVAL19556
- OVAL-OVAL19570
- OVAL-OVAL19594
- OVAL-OVAL19641
- OVAL-OVAL19656
- OVAL-OVAL19672
- OVAL-OVAL19704
- OVAL-OVAL19705
- OVAL-OVAL19715
- OVAL-OVAL19725
- REDHAT-RHSA-2013:0752
- REDHAT-RHSA-2013:0757
- REDHAT-RHSA-2013:0758
- REDHAT-RHSA-2013:1455
- REDHAT-RHSA-2013:1456
Solution Reference
Java Security Update
Solution
redhat-upgrade-java-1-7-0-openjdk
Related Vulnerabilities
- Java CPU April 2013 Java Runtime Environment RMI vulnerability (CVE-2013-1537)
- Oracle Solaris 11: CVE-2013-2422: Vulnerability in Java 6, Java 7
- Apple Java security update for CVE-2013-2422
- Alpine Linux: CVE-2013-2419: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- Amazon Linux AMI: Security patch for java-1.6.0-openjdk (ALAS-2013-185) (multiple CVEs)
- SUSE Linux Security Vulnerability: CVE-2013-2429
- Alpine Linux: CVE-2013-2430: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- Gentoo Linux: CVE-2013-1488: Oracle JRE/JDK: Multiple vulnerabilities
- SUSE Linux Security Vulnerability: CVE-2013-1569
- RHSA-2013:0855: java-1.5.0-ibm security update
- Alpine Linux: CVE-2013-2426: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- Gentoo Linux: CVE-2013-2421: Oracle JRE/JDK: Multiple vulnerabilities
- Gentoo Linux: CVE-2013-2420: Oracle JRE/JDK: Multiple vulnerabilities
- Alpine Linux: CVE-2013-2417: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- SUSE Linux Security Vulnerability: CVE-2013-2415
- HP-UX: CVE-2013-2430: Running Java5 Runtime Environment (JRE) and Java Developer Kit (JDK), Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- Alpine Linux: CVE-2013-2383: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- Java CPU April 2013 Java Runtime Environment 2D vulnerability (CVE-2013-2420)
- RHSA-2013:0757: java-1.7.0-oracle security update
- Apple Java security update for CVE-2013-2420
- Java CPU April 2013 Java Runtime Environment JAX-WS vulnerability (CVE-2013-2415)
- Alpine Linux: CVE-2013-2431: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- Alpine Linux: CVE-2013-1537: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- Oracle Solaris 11: CVE-2013-2430: Vulnerability in Java 6, Java 7
- Gentoo Linux: CVE-2013-2429: Oracle JRE/JDK: Multiple vulnerabilities
- Oracle Solaris 11: CVE-2013-2420: Vulnerability in Java 6, Java 7
- HP-UX: CVE-2013-2424: Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- Java CPU April 2013 Java Runtime Environment Networking vulnerability (CVE-2013-2417)
- Oracle Solaris 11: CVE-2013-2419: Vulnerability in Java 6, Java 7, Localization (L10N)
- Java CPU April 2013 Java Runtime Environment 2D vulnerability (CVE-2013-2384)
- HP-UX: CVE-2013-2422: Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- Gentoo Linux: CVE-2013-1537: Oracle JRE/JDK: Multiple vulnerabilities
- Java CPU April 2013 Java Runtime Environment HotSpot vulnerability (CVE-2013-2421)
- Cent OS: CVE-2013-2384: CESA-2013:0770 (java-1.6.0-openjdk)
- Java CPU April 2013 Java Runtime Environment 2D vulnerability (CVE-2013-2383)
- Alpine Linux: CVE-2013-2415: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- Apple Java security update for CVE-2013-1569
- SUSE Linux Security Vulnerability: CVE-2013-2421
- Apple Java security update for CVE-2013-2424
- SUSE Linux Security Vulnerability: CVE-2013-2422
- Java CPU April 2013 Java Runtime Environment Libraries vulnerability (CVE-2013-1488)
- SUSE Linux Security Vulnerability: CVE-2013-2436
- SUSE Linux Security Vulnerability: CVE-2013-2417
- HP-UX: CVE-2013-1537: Running Java5 Runtime Environment (JRE) and Java Developer Kit (JDK), Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- Oracle Solaris 11: CVE-2013-1488: Vulnerability in Java 7
- Alpine Linux: CVE-2013-2422: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- SUSE Linux Security Vulnerability: CVE-2013-2420
- Java CPU April 2013 Java Runtime Environment JAXP vulnerability (CVE-2013-1518)
- HP-UX: CVE-2013-2383: Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- HP-UX: CVE-2013-2420: Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- Oracle Solaris 11: CVE-2013-1569: Vulnerability in Java 6, Java 7, Localization (L10N)
- SUSE Linux Security Vulnerability: CVE-2013-2423
- HP-UX: CVE-2013-2419: Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- Gentoo Linux: CVE-2013-1518: Oracle JRE/JDK: Multiple vulnerabilities
- RHSA-2013:0751: java-1.7.0-openjdk security update
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
- Gentoo Linux: CVE-2013-2422: Oracle JRE/JDK: Multiple vulnerabilities
- Apple Java security update for CVE-2013-1557
- Oracle Solaris 11: CVE-2013-2383: Vulnerability in Java 6, Java 7, Localization (L10N)
- Java CPU April 2013 Java Runtime Environment ImageIO vulnerability (CVE-2013-2429)
- Alpine Linux: CVE-2013-1557: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- Cent OS: CVE-2013-2424: CESA-2013:0770 (java-1.6.0-openjdk)
- ELSA-2013-0751 Critical: Oracle Linux java-1.7.0-openjdk security update
- Alpine Linux: CVE-2013-2429: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- Oracle Solaris 11: CVE-2013-1557: Vulnerability in Java 6, Java 7
- Alpine Linux: CVE-2013-1488: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- Oracle Solaris 11: CVE-2013-2423: Vulnerability in Java 7
- Java CPU April 2013 Java Runtime Environment Libraries vulnerability (CVE-2013-2422)
- Apple Java security update for CVE-2013-2419
- Cent OS: CVE-2013-1569: CESA-2013:0770 (java-1.6.0-openjdk)
- Oracle Solaris 11: CVE-2013-0401: Vulnerability in Java 6, Java 7
- RHSA-2013:0823: java-1.6.0-ibm security update
- SUSE Linux Security Vulnerability: CVE-2013-2426
- HP-UX: CVE-2013-1558: Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- Gentoo Linux: CVE-2013-2431: Oracle JRE/JDK: Multiple vulnerabilities
- SUSE Linux Security Vulnerability: CVE-2013-2424
- Alpine Linux: CVE-2013-2420: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- HP-UX: CVE-2013-2417: Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- ELSA-2013-0752 Important: Oracle Linux java-1.7.0-openjdk security update
- Gentoo Linux: CVE-2013-2426: Oracle JRE/JDK: Multiple vulnerabilities
- Oracle Solaris 11: CVE-2013-2431: Vulnerability in Java 7
- HP-UX: CVE-2013-1518: Running Java5 Runtime Environment (JRE) and Java Developer Kit (JDK), Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- Java CPU April 2013 Java Runtime Environment JMX vulnerability (CVE-2013-2424)
- Apple Java security update for CVE-2013-1537
- RHSA-2013:0758: java-1.6.0-sun security update
- USN-1806-1: OpenJDK 7 vulnerabilities
- SUSE Linux Security Vulnerability: CVE-2013-2383
- Amazon Linux AMI: Security patch for java-1.7.0-openjdk (ALAS-2013-183) (multiple CVEs)
- USN-2522-3: ICU vulnerabilities
- Java CPU April 2013 Java Runtime Environment Libraries vulnerability (CVE-2013-2426)
- HP-UX: CVE-2013-1569: Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
- Oracle Solaris 11: CVE-2013-1558: Vulnerability in Java 6, Java 7
- Cent OS: CVE-2013-2419: CESA-2013:0770 (java-1.6.0-openjdk)
- Java CPU April 2013 Java Runtime Environment Libraries vulnerability (CVE-2013-2436)
- Oracle Solaris 11: CVE-2013-2426: Vulnerability in Java 7
- Gentoo Linux: CVE-2013-1558: Oracle JRE/JDK: Multiple vulnerabilities
- Oracle Solaris 11: CVE-2013-2436: Vulnerability in Java 7
- ELSA-2013-0770 Important: Oracle Linux java-1.6.0-openjdk security update
- Alpine Linux: CVE-2013-2424: Multiple vulnerabilities in openjdk6 < 1.11.10 allows remote code execution
- Java CPU April 2013 Java Runtime Environment Hotspot vulnerability (CVE-2013-2423)