RHSA-2015:0085: java-1.6.0-openjdk security update
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 10 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | January 21, 2015 | January 27, 2015 | March 21, 2018 |
Description
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.

A flaw was found in the way the Hotspot component in OpenJDK verified bytecode from the class files. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions. (CVE-2014-6601)

Multiple improper permission check issues were discovered in the JAX-WS and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-0412, CVE-2015-0408)

A flaw was found in the way the Hotspot garbage collector handled phantom references. An untrusted Java application or applet could use this flaw to corrupt the Java Virtual Machine memory and, possibly, execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2015-0395)

A flaw was found in the way the DER (Distinguished Encoding Rules) decoder in the Security component in OpenJDK handled negative length values. A specially crafted, DER-encoded input could cause a Java application to enter an infinite loop when decoded. (CVE-2015-0410)

A flaw was found in the way the SSL 3.0 protocol handled padding bytes when decrypting messages that were encrypted using block ciphers in cipher block chaining (CBC) mode. This flaw could possibly allow a man-in-the-middle (MITM) attacker to decrypt portions of the cipher text using a padding oracle attack. (CVE-2014-3566)

Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section.

It was discovered that the SSL/TLS implementation in the JSSE component in OpenJDK failed to properly check whether the ChangeCipherSpec was received during the SSL/TLS connection handshake. An MITM attacker could possibly use this flaw to force a connection to be established without encryption being enabled. (CVE-2014-6593)

An information leak flaw was found in the Swing component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2015-0407)

A NULL pointer dereference flaw was found in the MulticastSocket implementation in the Libraries component of OpenJDK. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2014-6587)

Multiple boundary check flaws were found in the font parsing code in the 2D component in OpenJDK. A specially crafted font file could allow an untrusted Java application or applet to disclose portions of the Java Virtual Machine memory. (CVE-2014-6585, CVE-2014-6591)

Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. (CVE-2015-0383)

The CVE-2015-0383 issue was discovered by Red Hat.

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
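As an added post-update check that is not part of the advisory itself: the class below reads the jdk.tls.disabledAlgorithms security property the note refers to and reports whether the default JSSE context would still enable SSLv3, so an administrator can confirm the CVE-2014-3566 mitigation is in force on a given JVM (class and method names are my own).

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

// Added check, not part of RHSA-2015:0085: confirms that the running JVM
// keeps SSL 3.0 disabled after the update. Class and method names are
// hypothetical.
public class Ssl3DisabledCheck {

    // The security property the advisory points at; an updated JVM lists
    // "SSLv3" here so that JSSE does not negotiate it by default.
    static String disabledAlgorithms() {
        String value = Security.getProperty("jdk.tls.disabledAlgorithms");
        return value == null ? "" : value;
    }

    // True when "SSLv3" is among the protocols the default SSLContext
    // enables, i.e. a plain SSLSocket or HttpsURLConnection could still
    // negotiate it and be exposed to the padding-oracle flaw.
    static boolean ssl3EnabledByDefault() throws Exception {
        String[] enabled = SSLContext.getDefault()
                                     .getDefaultSSLParameters()
                                     .getProtocols();
        return Arrays.asList(enabled).contains("SSLv3");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.disabledAlgorithms = " + disabledAlgorithms());
        boolean exposed = ssl3EnabledByDefault();
        System.out.println("SSLv3 enabled in default SSLContext: " + exposed);
        // Non-zero exit lets a deployment script fail if SSL 3.0 was re-enabled.
        System.exit(exposed ? 1 : 0);
    }
}
```

On a runtime with this update applied the property contains SSLv3 and the check exits 0; removing SSLv3 from that property in the java.security file is what re-enables the protocol, so the check is worth rerunning after any such change.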
References
- APPLE-APPLE-SA-2014-10-16-1
- APPLE-APPLE-SA-2014-10-16-3
- APPLE-APPLE-SA-2014-10-16-4
- APPLE-APPLE-SA-2014-10-20-1
- APPLE-APPLE-SA-2014-10-20-2
- APPLE-APPLE-SA-2015-01-27-4
- APPLE-APPLE-SA-2015-09-16-2
- BID-70574
- BID-72155
- BID-72168
- BID-72169
- BID-72173
- BID-72175
- CERT-TA14-290A
- CERT-VN-577193
- CVE-2014-3566
- CVE-2014-6585
- CVE-2014-6587
- CVE-2014-6591
- CVE-2014-6593
- CVE-2014-6601
- CVE-2015-0383
- CVE-2015-0395
- CVE-2015-0407
- CVE-2015-0408
- CVE-2015-0410
- CVE-2015-0412
- DEBIAN-DSA-3053
- DEBIAN-DSA-3144
- DEBIAN-DSA-3147
- DEBIAN-DSA-3253
- DISA_SEVERITY-Category I
- DISA_VMSKEY-V0058513
- DISA_VMSKEY-V0058515
- DISA_VMSKEY-V0058517
- DISA_VMSKEY-V0061081
- IAVM-2015-A-0154
- IAVM-2015-B-0012
- IAVM-2015-B-0013
- IAVM-2015-B-0014
- NETBSD-NetBSD-SA2014-015
- REDHAT-RHSA-2014:1652
- REDHAT-RHSA-2014:1653
- REDHAT-RHSA-2014:1692
- REDHAT-RHSA-2014:1876
- REDHAT-RHSA-2014:1877
- REDHAT-RHSA-2014:1880
- REDHAT-RHSA-2014:1881
- REDHAT-RHSA-2014:1882
- REDHAT-RHSA-2014:1920
- REDHAT-RHSA-2014:1948
- REDHAT-RHSA-2015:0068
- REDHAT-RHSA-2015:0079
- REDHAT-RHSA-2015:0080
- REDHAT-RHSA-2015:0085
- REDHAT-RHSA-2015:0086
- REDHAT-RHSA-2015:0136
- REDHAT-RHSA-2015:0264
- REDHAT-RHSA-2015:0698
- REDHAT-RHSA-2015:1545
- REDHAT-RHSA-2015:1546
- XF-100140
- XF-100142
- XF-100143
- XF-100148
- XF-100150
- XF-100151
Solution
- redhat-upgrade-java-1-6-0-openjdk
Related Vulnerabilities
- Gentoo Linux: CVE-2015-0412: IcedTea: Multiple vulnerabilities
- Palo Alto Networks PAN-SA-2014-0005 (CVE-2014-3566): SSL 3.0 MITM Attack
- HP-UX: CVE-2015-0408: JRE and JDK Vulnerability on HPUX
- SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
- OS X security update 2015-001 for AFP Server (CVE-2014-3566)
- Oracle Solaris 11: CVE-2014-3566: Vulnerability in Multiple Components
- Juniper Junos OS: 2014-10 Out of Cycle Security Bulletin: Multiple products affected by SSL "POODLE" vulnerability (JSA10656) (CVE-2014-3566)
- OS X update for OpenSSL (CVE-2014-3566)
- Cent OS: CVE-2014-6587: CESA-2015:0085 (java-1.6.0-openjdk)
- HP-UX: CVE-2014-6593: Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
- RHSA-2015:0067: java-1.7.0-openjdk security update
- Amazon Linux AMI: Security patch for nss (ALAS-2014-429) (CVE-2014-3566)
- Java CPU January 2015 Java SE RMI vulnerability (CVE-2015-0408)
- SUSE: CVE-2014-6585: SUSE Linux Security Advisory
- HP-UX: CVE-2014-3566: Running OpenSSL, Remote Denial of Service (DoS), Unauthorized Access, Man-in-the-Middle (MitM) Attack
- ELSA-2014-1653 Moderate: Oracle Linux openssl security update
- Cisco IOS: CVE-2014-3566: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
- IBM AIX: java_feb2015_advisory (CVE-2014-6587): Vulnerability in IBM Java SDK affects AIX
- Gentoo Linux: CVE-2014-6591: IcedTea: Multiple vulnerabilities
- Amazon Linux AMI: Security patch for java-1.6.0-openjdk (ALAS-2015-480) (multiple CVEs)
- HP-UX: CVE-2015-0383: Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
- Java CPU January 2015 Java SE, Java SE Embedded, JRockit Security vulnerability (CVE-2015-0410)
- ELSA-2015-0067 Critical: Oracle Linux java-1.7.0-openjdk security update
- Gentoo Linux: CVE-2014-6585: IcedTea: Multiple vulnerabilities
- Gentoo Linux: CVE-2015-0383: IcedTea: Multiple vulnerabilities
- Gentoo Linux: CVE-2015-0395: IcedTea: Multiple vulnerabilities
- USN-2486-1: OpenJDK 6 vulnerabilities
- IBM AIX: java_feb2015_advisory (CVE-2014-6591): Vulnerability in IBM Java SDK affects AIX
- Cent OS: CVE-2015-0383: CESA-2015:0085 (java-1.6.0-openjdk)
- OpenSSL SSL 3.0 Fallback protection (CVE-2014-3566)
- Gentoo Linux: CVE-2014-6587: IcedTea: Multiple vulnerabilities
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
- Java CPU January 2015 Java SE Hotspot vulnerability (CVE-2014-6601)
- RHSA-2014:1882: java-1.7.0-ibm security update
- SUSE: CVE-2015-0383: SUSE Linux Security Advisory
- RHSA-2015:0080: java-1.8.0-oracle security update
- ELSA-2015-0069 Important: Oracle Linux java-1.8.0-openjdk security update
- DSA-3147-1 openjdk-6 -- security update
- HP-UX: CVE-2014-6601: Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
- Oracle Solaris 11: CVE-2014-6591: Vulnerability in Localization (L10N)
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 7
- HP Systems Insight Manager - HPSBMU03261 (CVE-2014-3566): OpenSSL on Linux and Windows, Remote Disclosure of Information
- Debian: CVE-2014-3566: lighttpd -- security update
- RHSA-2014:1881: java-1.5.0-ibm security update
- F5 Networks: K15702 (CVE-2014-3566): SSLv3 vulnerability CVE-2014-3566
- Sun Patch: Indexing and Search Service 1u5-29.15600: core patch
- Amazon Linux AMI: Security patch for java-1.8.0-openjdk (ALAS-2015-571) (multiple CVEs)
- IBM AIX: java_feb2015_advisory (CVE-2015-0407): Vulnerability in IBM Java SDK affects AIX
- Java CPU January 2015 Java SE Swing vulnerability (CVE-2015-0407)
- TLS/SSL Server Supports SSLv3
- Gentoo Linux: CVE-2015-0408: IcedTea: Multiple vulnerabilities
- RHSA-2015:0086: java-1.6.0-sun security update
- Amazon Linux AMI: Security patch for java-1.8.0-openjdk (ALAS-2015-472) (multiple CVEs)
- Sun Patch: SunOS 5.10: wanboot patch
- Gentoo Linux: CVE-2015-0407: IcedTea: Multiple vulnerabilities
- IBM AIX: java_feb2015_advisory (CVE-2014-6585): Vulnerability in IBM Java SDK affects AIX
- RHSA-2015:0263: Red Hat Satellite IBM Java Runtime security update
- DSA-3323-1 icu -- security update
- ELSA-2015-0085 Important: Oracle Linux java-1.6.0-openjdk security update
- Java CPU January 2015 Java SE, Java SE Embedded, JRockit JSSE vulnerability (CVE-2014-6593)
- RHSA-2015:0079: java-1.7.0-oracle security update
- Gentoo Linux: CVE-2014-6593: IcedTea: Multiple vulnerabilities
- HP-UX: CVE-2015-0410: Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
- Cent OS: CVE-2014-3566: CESA-2015:0085 (java-1.6.0-openjdk)
- FreeBSD: davmail -- fix potential CVE-2014-3566 vulnerability (POODLE) (CVE-2014-3566)
- RHSA-2015:1545: node.js security update
- DSA-3144-1 openjdk-7 -- security update
- RHSA-2015:0068: java-1.7.0-openjdk security update
- SUSE: CVE-2014-6593: SUSE Linux Security Advisory
- Sun Patch: SunOS 5.10_x86: openssl patch
- USN-2522-3: ICU vulnerabilities
- HP-UX: CVE-2015-0412: Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
- ELSA-2015-0068 Important: Oracle Linux java-1.7.0-openjdk security update
- Gentoo Linux: CVE-2014-6601: IcedTea: Multiple vulnerabilities
- HP System Management Homepage - HPSBMU03260 (CVE-2014-3566): OpenSSL on Linux and Windows, Remote Disclosure of Information
- Java CPU January 2015 Java SE JAX-WS vulnerability (CVE-2015-0412)
- Cisco NX-OS: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability (Multiple CVEs)
- IBM AIX: java_feb2015_advisory (CVE-2015-0410): Vulnerability in IBM Java SDK affects AIX
- Java CPU January 2015 Java SE Libraries vulnerability (CVE-2014-6587)
- FreeBSD: (Multiple Advisories) (CVE-2014-3566): lynx -- multiple vulnerabilities
- Cent OS: CVE-2014-6585: CESA-2015:0085 (java-1.6.0-openjdk)
- ELSA-2014-1652 Important: Oracle Linux openssl security update
- Sun Patch: VM Server for SPARC 3.1: ldmd patch
- Cisco SAN-OS: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability (CVE-2014-3566)
- HP-UX: CVE-2015-0407: JRE and JDK Vulnerability on HPUX
- IBM AIX: java_feb2015_advisory, java_oct2014_advisory, nettcp_advisory, openssl_advisory11 (CVE-2014-3566): Vulnerability in IBM Java SDK affects AIX
- RHSA-2014:1877: java-1.6.0-ibm security update
- RHSA-2014:1880: java-1.7.1-ibm security update
- SUSE: CVE-2014-6587: SUSE Linux Security Advisory
- Gentoo Linux: CVE-2015-0410: Oracle JRE/JDK: Multiple vulnerabilities
- Gentoo Linux: CVE-2014-3566: Asterisk: Multiple Vulnerabilities
- HP-UX: CVE-2015-0395: Potential security vulnerabilities have been identified in the Java Runtime Environment (JRE) and the Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
- USN-2522-1: ICU vulnerabilities
- Java CPU January 2015 Java SE, Java SE Embedded, JRockit JSSE vulnerability (CVE-2014-3566)
- Java CPU January 2015 Java SE 2D vulnerability (CVE-2014-6585)
- Amazon Linux AMI: Security patch for java-1.7.0-openjdk (ALAS-2015-471) (multiple CVEs)
- DSA-3053-1 openssl -- security update
- DSA-3253-1 pound -- security update
- RHSA-2015:0134: java-1.7.0-ibm security update
- FreeBSD: asterisk -- Asterisk Susceptibility to POODLE Vulnerability (CVE-2014-3566)