RHSA-2013:0752: java-1.7.0-openjdk security update

Description

These packages provide the OpenJDK 7 Java Runtime Environment and theOpenJDK 7 Software Development Kit.Multiple flaws were discovered in the font layout engine in the 2Dcomponent. An untrusted Java application or applet could possibly use theseflaws to trigger Java Virtual Machine memory corruption. (CVE-2013-1569,CVE-2013-2383, CVE-2013-2384)Multiple improper permission check issues were discovered in the Beans,Libraries, JAXP, and RMI components in OpenJDK. An untrusted Javaapplication or applet could use these flaws to bypass Java sandboxrestrictions. (CVE-2013-1558, CVE-2013-2422, CVE-2013-2436, CVE-2013-1518,CVE-2013-1557)The previous default value of the java.rmi.server.useCodebaseOnly propertypermitted the RMI implementation to automatically load classes fromremotely specified locations. An attacker able to connect to an applicationusing RMI could use this flaw to make the application execute arbitrarycode. (CVE-2013-1537)Note: The fix for CVE-2013-1537 changes the default value of the propertyto true, restricting class loading to the local CLASSPATH and locationsspecified in the java.rmi.server.codebase property. Refer to Red HatBugzilla bug 952387 for additional details.The 2D component did not properly process certain images. An untrusted Javaapplication or applet could possibly use this flaw to trigger Java VirtualMachine memory corruption. (CVE-2013-2420)It was discovered that the Hotspot component did not properly handlecertain intrinsic frames, and did not correctly perform access checks andMethodHandle lookups. An untrusted Java application or applet coulduse these flaws to bypass Java sandbox restrictions. (CVE-2013-2431,CVE-2013-2421, CVE-2013-2423)It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIOcomponent did not protect against modification of their state whileperforming certain native code operations. An untrusted Java application orapplet could possibly use these flaws to trigger Java Virtual Machinememory corruption. (CVE-2013-2429, CVE-2013-2430)The JDBC driver manager could incorrectly call the toString() method inJDBC drivers, and the ConcurrentHashMap class could incorrectly call thedefaultReadObject() method. An untrusted Java application or applet couldpossibly use these flaws to bypass Java sandbox restrictions.(CVE-2013-1488, CVE-2013-2426)The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectlyinvoke the system class loader. An untrusted Java application or appletcould possibly use this flaw to bypass certain Java sandbox restrictions.(CVE-2013-0401)Flaws were discovered in the Network component's InetAddress serialization,and the 2D component's font handling. An untrusted Java application orapplet could possibly use these flaws to crash the Java Virtual Machine.(CVE-2013-2417, CVE-2013-2419)The MBeanInstantiator class implementation in the OpenJDK JMX component didnot properly check class access before creating new instances. An untrustedJava application or applet could use this flaw to create instances ofnon-public classes. (CVE-2013-2424)It was discovered that JAX-WS could possibly create temporary files withinsecure permissions. A local attacker could use this flaw to accesstemporary files created by an application using JAX-WS. (CVE-2013-2415)This erratum also upgrades the OpenJDK package to IcedTea7 2.3.9. Refer tothe NEWS file, linked to in the References, for further information.All users of java-1.7.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.