1. Home
  2. Security Advisories
  3. Amazon Linux
  4. ALAS-2012-137

[ALAS-2012-137] Amazon Linux - ALAS-2012-137: important priority package update for java-1.7.0-openjdk

Severity Important
Affected Packages 11
CVEs 9
Info Packages References Vulnerabilities

Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2012-5086:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans.
Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
Multiple improper permission check issues were discovered in the Beans, Libraries, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions.
865428:
CVE-2012-5086 OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917)

CVE-2012-5085:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote authenticated users to have an unspecified impact via unknown vectors related to Networking. NOTE: the Oracle CPU states that this issue has a 0.0 CVSS score. If so, then this is not a vulnerability and this issue should not be included in CVE.
This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, "jdk.net.registerGopherProtocol", to true.
865541:
CVE-2012-5085 OpenJDK: disable Gopher support by default (Gopher, 7189567)

CVE-2012-5081:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect availability, related to JSSE.
It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception.
865370:
CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286)

CVE-2012-5079:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect integrity via unknown vectors related to Libraries.
It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
865568:
CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919)

CVE-2012-5077:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Security.
It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
865354:
CVE-2012-5077 OpenJDK: SecureRandom mulitple seeders information disclosure (Security, 7167656)

CVE-2012-5075:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, and 5.0 Update 36 and earlier allows remote attackers to affect confidentiality, related to JMX.
It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information.
865363:
CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888)

CVE-2012-5068:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions.
865348:
CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535)

CVE-2012-4416:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, and 6 Update 35 and earlier, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Hotspot.
A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory.
856124:
CVE-2012-4416 OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606)

CVE-2012-3216:
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Libraries.
It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory.
865346:
CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398)

Package Affected Version
pkg:rpm/amazonlinux/java-1.7.0-openjdk?arch=x86_64&distro=amazonlinux-1 < 1.7.0.9-2.3.3.13.amzn1
pkg:rpm/amazonlinux/java-1.7.0-openjdk?arch=i686&distro=amazonlinux-1 < 1.7.0.9-2.3.3.13.amzn1
pkg:rpm/amazonlinux/java-1.7.0-openjdk-src?arch=x86_64&distro=amazonlinux-1 < 1.7.0.9-2.3.3.13.amzn1
pkg:rpm/amazonlinux/java-1.7.0-openjdk-src?arch=i686&distro=amazonlinux-1 < 1.7.0.9-2.3.3.13.amzn1
pkg:rpm/amazonlinux/java-1.7.0-openjdk-javadoc?arch=noarch&distro=amazonlinux-1 < 1.7.0.9-2.3.3.13.amzn1
pkg:rpm/amazonlinux/java-1.7.0-openjdk-devel?arch=x86_64&distro=amazonlinux-1 < 1.7.0.9-2.3.3.13.amzn1
pkg:rpm/amazonlinux/java-1.7.0-openjdk-devel?arch=i686&distro=amazonlinux-1 < 1.7.0.9-2.3.3.13.amzn1
pkg:rpm/amazonlinux/java-1.7.0-openjdk-demo?arch=x86_64&distro=amazonlinux-1 < 1.7.0.9-2.3.3.13.amzn1
pkg:rpm/amazonlinux/java-1.7.0-openjdk-demo?arch=i686&distro=amazonlinux-1 < 1.7.0.9-2.3.3.13.amzn1
pkg:rpm/amazonlinux/java-1.7.0-openjdk-debuginfo?arch=x86_64&distro=amazonlinux-1 < 1.7.0.9-2.3.3.13.amzn1
pkg:rpm/amazonlinux/java-1.7.0-openjdk-debuginfo?arch=i686&distro=amazonlinux-1 < 1.7.0.9-2.3.3.13.amzn1
ID
ALAS-2012-137
Severity
important
URL
https://alas.aws.amazon.com/ALAS-2012-137.html
Published
2012-10-23T10:38:00
(12 years ago)
Modified
2014-09-14T17:14:00
(10 years ago)
Rights
Amazon Linux Security Team
Other Advisories
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:rpm/amazonlinux/java-1.7.0-openjdk?arch=x86_64&distro=amazonlinux-1 amazonlinux java-1.7.0-openjdk < 1.7.0.9-2.3.3.13.amzn1 amazonlinux-1 x86_64
Affected pkg:rpm/amazonlinux/java-1.7.0-openjdk?arch=i686&distro=amazonlinux-1 amazonlinux java-1.7.0-openjdk < 1.7.0.9-2.3.3.13.amzn1 amazonlinux-1 i686
Affected pkg:rpm/amazonlinux/java-1.7.0-openjdk-src?arch=x86_64&distro=amazonlinux-1 amazonlinux java-1.7.0-openjdk-src < 1.7.0.9-2.3.3.13.amzn1 amazonlinux-1 x86_64
Affected pkg:rpm/amazonlinux/java-1.7.0-openjdk-src?arch=i686&distro=amazonlinux-1 amazonlinux java-1.7.0-openjdk-src < 1.7.0.9-2.3.3.13.amzn1 amazonlinux-1 i686
Affected pkg:rpm/amazonlinux/java-1.7.0-openjdk-javadoc?arch=noarch&distro=amazonlinux-1 amazonlinux java-1.7.0-openjdk-javadoc < 1.7.0.9-2.3.3.13.amzn1 amazonlinux-1 noarch
Affected pkg:rpm/amazonlinux/java-1.7.0-openjdk-devel?arch=x86_64&distro=amazonlinux-1 amazonlinux java-1.7.0-openjdk-devel < 1.7.0.9-2.3.3.13.amzn1 amazonlinux-1 x86_64
Affected pkg:rpm/amazonlinux/java-1.7.0-openjdk-devel?arch=i686&distro=amazonlinux-1 amazonlinux java-1.7.0-openjdk-devel < 1.7.0.9-2.3.3.13.amzn1 amazonlinux-1 i686
Affected pkg:rpm/amazonlinux/java-1.7.0-openjdk-demo?arch=x86_64&distro=amazonlinux-1 amazonlinux java-1.7.0-openjdk-demo < 1.7.0.9-2.3.3.13.amzn1 amazonlinux-1 x86_64
Affected pkg:rpm/amazonlinux/java-1.7.0-openjdk-demo?arch=i686&distro=amazonlinux-1 amazonlinux java-1.7.0-openjdk-demo < 1.7.0.9-2.3.3.13.amzn1 amazonlinux-1 i686
Affected pkg:rpm/amazonlinux/java-1.7.0-openjdk-debuginfo?arch=x86_64&distro=amazonlinux-1 amazonlinux java-1.7.0-openjdk-debuginfo < 1.7.0.9-2.3.3.13.amzn1 amazonlinux-1 x86_64
Affected pkg:rpm/amazonlinux/java-1.7.0-openjdk-debuginfo?arch=i686&distro=amazonlinux-1 amazonlinux java-1.7.0-openjdk-debuginfo < 1.7.0.9-2.3.3.13.amzn1 amazonlinux-1 i686
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date