[RHSA-2012:1384] java-1.6.0-openjdk security update

Severity Critical
Affected Packages 10
CVEs 15

These packages provide the OpenJDK 6 Java Runtime Environment and the
OpenJDK 6 Software Development Kit.

Multiple improper permission check issues were discovered in the Beans,
Swing, and JMX components in OpenJDK. An untrusted Java application or
applet could use these flaws to bypass Java sandbox restrictions.
(CVE-2012-5086, CVE-2012-5084, CVE-2012-5089)

Multiple improper permission check issues were discovered in the Scripting,
JMX, Concurrency, Libraries, and Security components in OpenJDK. An
untrusted Java application or applet could use these flaws to bypass
certain Java sandbox restrictions. (CVE-2012-5068, CVE-2012-5071,
CVE-2012-5069, CVE-2012-5073, CVE-2012-5072)

It was discovered that java.util.ServiceLoader could create an instance of
an incompatible class while performing provider lookup. An untrusted Java
application or applet could use this flaw to bypass certain Java sandbox
restrictions. (CVE-2012-5079)

It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS
implementation did not properly handle handshake records containing an
overly large data length value. An unauthenticated, remote attacker could
possibly use this flaw to cause an SSL/TLS server to terminate with an
exception. (CVE-2012-5081)

It was discovered that the JMX component in OpenJDK could perform certain
actions in an insecure manner. An untrusted Java application or applet
could possibly use this flaw to disclose sensitive information.
(CVE-2012-5075)

A bug in the Java HotSpot Virtual Machine optimization code could cause it
to not perform array initialization in certain cases. An untrusted Java
application or applet could use this flaw to disclose portions of the
virtual machine's memory. (CVE-2012-4416)

It was discovered that the SecureRandom class did not properly protect
against the creation of multiple seeders. An untrusted Java application or
applet could possibly use this flaw to disclose sensitive information.
(CVE-2012-5077)

It was discovered that the java.io.FilePermission class exposed the hash
code of the canonicalized path name. An untrusted Java application or
applet could possibly use this flaw to determine certain system paths, such
as the current working directory. (CVE-2012-3216)

This update disables Gopher protocol support in the java.net package by
default. Gopher support can be re-enabled by setting the newly introduced
system property, "jdk.net.registerGopherProtocol", to true (for example,
-Djdk.net.registerGopherProtocol=true on the java command line); leave it
unset unless an application actually needs gopher: URLs. (CVE-2012-5085)

Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.

This erratum also upgrades the OpenJDK package to IcedTea6 1.11.5. Refer to
the NEWS file, linked to in the References, for further information.

All users of java-1.6.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.
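A restart check to go with the note above, added here as an example and not part of the advisory: rpm replaces a file by unlinking the old copy and writing a new one, so a JVM that was started before the update keeps the old libjvm.so mapped and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps. The script flags such processes. The maps lines in SAMPLE_MAPS are constructed for illustration (pids, addresses and inode numbers are made up); the JVM install prefix /usr/lib/jvm/ is the usual RHEL location and is passed as a parameter so it can be changed.

```python
"""Find running JVMs that still have pre-update OpenJDK libraries mapped.

After 'yum update java-1.6.0-openjdk' the on-disk files are new, but a JVM
started before the update still executes the old code. Linux shows such
unlinked-but-mapped files with a "(deleted)" suffix in /proc/<pid>/maps.
"""
import os
import re

# One /proc/<pid>/maps line: range perms offset dev inode path [ (deleted)]
_MAPS_LINE = re.compile(
    r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+[0-9a-f]+\s+\S+\s+\d+\s+"
    r"(?P<path>\S.*?)(?P<deleted>\s+\(deleted\))?$"
)

# Constructed sample data (hypothetical pids, addresses and inodes):
#   4242 loaded libjvm.so before the update and still maps the deleted copy
#   4243 was started after the update and maps the current file
#   4244 maps a deleted glibc, which is not a JVM library and is ignored here
SAMPLE_MAPS = {
    4242: (
        "00400000-00401000 r-xp 00000000 fd:01 1049 /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java\n"
        "7f3a2c000000-7f3a2c8f1000 r-xp 00000000 fd:01 26011 /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server/libjvm.so (deleted)\n"
        "7f3a2d000000-7f3a2d1b5000 r-xp 00000000 fd:01 1320 /lib64/libc-2.12.so\n"
        "7fff1a000000-7fff1a021000 rw-p 00000000 00:00 0 [stack]\n"
    ),
    4243: (
        "7f9b10000000-7f9b108f1000 r-xp 00000000 fd:01 27044 /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/lib/amd64/server/libjvm.so\n"
        "7f9b11000000-7f9b111b5000 r-xp 00000000 fd:01 1320 /lib64/libc-2.12.so\n"
    ),
    4244: (
        "7f1c00000000-7f1c001b5000 r-xp 00000000 fd:01 1320 /lib64/libc-2.12.so (deleted)\n"
    ),
}


def stale_jvm_mappings(maps_text, jvm_marker="/usr/lib/jvm/"):
    """Return the deleted JVM library paths found in one maps dump, sorted."""
    stale = set()
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m and m.group("deleted") and jvm_marker in m.group("path"):
            stale.add(m.group("path"))
    return sorted(stale)


def jvms_needing_restart(maps_by_pid, jvm_marker="/usr/lib/jvm/"):
    """Map pid -> list of stale JVM libraries, for every pid that has any."""
    result = {}
    for pid, text in maps_by_pid.items():
        libs = stale_jvm_mappings(text, jvm_marker)
        if libs:
            result[pid] = libs
    return result


def collect_proc_maps():
    """Read /proc/<pid>/maps for every readable process (Linux only; other
    users' processes need root). Processes that vanish mid-scan are skipped."""
    out = {}
    if not os.path.isdir("/proc"):
        return out
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open("/proc/%s/maps" % pid) as f:
                out[int(pid)] = f.read()
        except OSError:
            continue
    return out


if __name__ == "__main__":
    # Live scan of this host; on the constructed sample, only pid 4242 is flagged.
    for pid, libs in sorted(jvms_needing_restart(collect_proc_maps()).items()):
        print(pid, *libs)
```

The check is deliberately scoped to JVM libraries; a deleted mapping of any other shared library (the glibc line in the sample) also means stale code is running and deserves its own handling.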

Source ID URL
Bugzilla 856124 https://bugzilla.redhat.com/856124
Bugzilla 865346 https://bugzilla.redhat.com/865346
Bugzilla 865348 https://bugzilla.redhat.com/865348
Bugzilla 865354 https://bugzilla.redhat.com/865354
Bugzilla 865357 https://bugzilla.redhat.com/865357
Bugzilla 865363 https://bugzilla.redhat.com/865363
Bugzilla 865365 https://bugzilla.redhat.com/865365
Bugzilla 865370 https://bugzilla.redhat.com/865370
Bugzilla 865428 https://bugzilla.redhat.com/865428
Bugzilla 865511 https://bugzilla.redhat.com/865511
Bugzilla 865514 https://bugzilla.redhat.com/865514
Bugzilla 865519 https://bugzilla.redhat.com/865519
Bugzilla 865531 https://bugzilla.redhat.com/865531
Bugzilla 865541 https://bugzilla.redhat.com/865541
Bugzilla 865568 https://bugzilla.redhat.com/865568
RHSA RHSA-2012:1384 https://access.redhat.com/errata/RHSA-2012:1384
CVE CVE-2012-3216 https://access.redhat.com/security/cve/CVE-2012-3216
CVE CVE-2012-4416 https://access.redhat.com/security/cve/CVE-2012-4416
CVE CVE-2012-5068 https://access.redhat.com/security/cve/CVE-2012-5068
CVE CVE-2012-5069 https://access.redhat.com/security/cve/CVE-2012-5069
CVE CVE-2012-5071 https://access.redhat.com/security/cve/CVE-2012-5071
CVE CVE-2012-5072 https://access.redhat.com/security/cve/CVE-2012-5072
CVE CVE-2012-5073 https://access.redhat.com/security/cve/CVE-2012-5073
CVE CVE-2012-5075 https://access.redhat.com/security/cve/CVE-2012-5075
CVE CVE-2012-5077 https://access.redhat.com/security/cve/CVE-2012-5077
CVE CVE-2012-5079 https://access.redhat.com/security/cve/CVE-2012-5079
CVE CVE-2012-5081 https://access.redhat.com/security/cve/CVE-2012-5081
CVE CVE-2012-5084 https://access.redhat.com/security/cve/CVE-2012-5084
CVE CVE-2012-5085 https://access.redhat.com/security/cve/CVE-2012-5085
CVE CVE-2012-5086 https://access.redhat.com/security/cve/CVE-2012-5086
CVE CVE-2012-5089 https://access.redhat.com/security/cve/CVE-2012-5089
Type Package URL (purl) Namespace Name Vulnerable version Distribution Arch
Affected pkg:rpm/redhat/java-1.6.0-openjdk?arch=x86_64&distro=redhat-6.3 redhat java-1.6.0-openjdk < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 x86_64
Affected pkg:rpm/redhat/java-1.6.0-openjdk?arch=i686&distro=redhat-6.3 redhat java-1.6.0-openjdk < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 i686
Affected pkg:rpm/redhat/java-1.6.0-openjdk-src?arch=x86_64&distro=redhat-6.3 redhat java-1.6.0-openjdk-src < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 x86_64
Affected pkg:rpm/redhat/java-1.6.0-openjdk-src?arch=i686&distro=redhat-6.3 redhat java-1.6.0-openjdk-src < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 i686
Affected pkg:rpm/redhat/java-1.6.0-openjdk-javadoc?arch=x86_64&distro=redhat-6.3 redhat java-1.6.0-openjdk-javadoc < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 x86_64
Affected pkg:rpm/redhat/java-1.6.0-openjdk-javadoc?arch=i686&distro=redhat-6.3 redhat java-1.6.0-openjdk-javadoc < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 i686
Affected pkg:rpm/redhat/java-1.6.0-openjdk-devel?arch=x86_64&distro=redhat-6.3 redhat java-1.6.0-openjdk-devel < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 x86_64
Affected pkg:rpm/redhat/java-1.6.0-openjdk-devel?arch=i686&distro=redhat-6.3 redhat java-1.6.0-openjdk-devel < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 i686
Affected pkg:rpm/redhat/java-1.6.0-openjdk-demo?arch=x86_64&distro=redhat-6.3 redhat java-1.6.0-openjdk-demo < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 x86_64
Affected pkg:rpm/redhat/java-1.6.0-openjdk-demo?arch=i686&distro=redhat-6.3 redhat java-1.6.0-openjdk-demo < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 i686
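A way to check an installed system against the table above, added here as an example and not part of the advisory. It parses the affected-package rows, then compares each installed version-release string using the rpmvercmp segment rules (digits numerically, letters lexically, a numeric segment beats an alphabetic one, "~" sorts before anything), so a naive string comparison such as "1.6.0.0-1.9" > "1.6.0.0-1.50" cannot produce a false "fixed". The table omits the package epoch, so the check assumes the epoch is unchanged between the old and fixed builds and compares version-release only. INSTALLED is constructed input in the shape of `rpm -qa --qf '%{NAME} %{ARCH} %{VERSION}-%{RELEASE}\n'` output; its version strings other than the fixed one are hypothetical.

```python
"""Check installed java-1.6.0-openjdk builds against the fixed builds in this erratum."""
import re
from itertools import zip_longest

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Return -1, 0 or 1 like rpm's rpmvercmp (the newer '^' rule is omitted)."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == "~" or y == "~":            # tilde sorts before anything, even end of string
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        if x is None:                       # a ran out of segments: the longer string wins
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            c = (int(x) > int(y)) - (int(x) < int(y))
        elif x.isdigit() or y.isdigit():    # numeric segment is newer than alphabetic
            c = 1 if x.isdigit() else -1
        else:
            c = (x > y) - (x < y)
        if c:
            return c
    return 0


def vrcmp(a, b):
    """Compare two 'version-release' strings; epoch assumed equal (see lead-in)."""
    va, _, ra = a.rpartition("-")
    vb, _, rb = b.rpartition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Row layout of the table: Affected <purl> <namespace> <name> < <fixed VR> <distro> <arch>
_ROW = re.compile(r"^Affected\s+(?P<purl>pkg:rpm/\S+)\s+\S+\s+(?P<name>\S+)\s+<\s+"
                  r"(?P<fixed>\S+)\s+(?P<distro>\S+)\s+(?P<arch>\S+)$")

# The ten rows of the affected-package table, copied from the advisory.
AFFECTED_TABLE = """
Affected pkg:rpm/redhat/java-1.6.0-openjdk?arch=x86_64&distro=redhat-6.3 redhat java-1.6.0-openjdk < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 x86_64
Affected pkg:rpm/redhat/java-1.6.0-openjdk?arch=i686&distro=redhat-6.3 redhat java-1.6.0-openjdk < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 i686
Affected pkg:rpm/redhat/java-1.6.0-openjdk-src?arch=x86_64&distro=redhat-6.3 redhat java-1.6.0-openjdk-src < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 x86_64
Affected pkg:rpm/redhat/java-1.6.0-openjdk-src?arch=i686&distro=redhat-6.3 redhat java-1.6.0-openjdk-src < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 i686
Affected pkg:rpm/redhat/java-1.6.0-openjdk-javadoc?arch=x86_64&distro=redhat-6.3 redhat java-1.6.0-openjdk-javadoc < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 x86_64
Affected pkg:rpm/redhat/java-1.6.0-openjdk-javadoc?arch=i686&distro=redhat-6.3 redhat java-1.6.0-openjdk-javadoc < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 i686
Affected pkg:rpm/redhat/java-1.6.0-openjdk-devel?arch=x86_64&distro=redhat-6.3 redhat java-1.6.0-openjdk-devel < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 x86_64
Affected pkg:rpm/redhat/java-1.6.0-openjdk-devel?arch=i686&distro=redhat-6.3 redhat java-1.6.0-openjdk-devel < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 i686
Affected pkg:rpm/redhat/java-1.6.0-openjdk-demo?arch=x86_64&distro=redhat-6.3 redhat java-1.6.0-openjdk-demo < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 x86_64
Affected pkg:rpm/redhat/java-1.6.0-openjdk-demo?arch=i686&distro=redhat-6.3 redhat java-1.6.0-openjdk-demo < 1.6.0.0-1.50.1.11.5.el6_3 redhat-6.3 i686
"""

# Constructed sample of what rpm -qa would report; version strings marked
# hypothetical are made up for the example and are not real builds.
INSTALLED = {
    ("java-1.6.0-openjdk", "x86_64"): "1.6.0.0-1.49.1.11.4.el6_3",        # hypothetical older build
    ("java-1.6.0-openjdk-devel", "x86_64"): "1.6.0.0-1.50.1.11.5.el6_3",  # exactly the fixed build
    ("java-1.6.0-openjdk-javadoc", "x86_64"): "1.6.0.0-1.51.1.11.6.el6_3",  # hypothetical newer build
    ("java-1.7.0-openjdk", "x86_64"): "1.7.0.9-2.3.4.el6_3",             # hypothetical, not in this table
}


def parse_affected(table_text):
    """Return [(name, arch, fixed_vr), ...] for every 'Affected' row."""
    rows = []
    for line in table_text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append((m.group("name"), m.group("arch"), m.group("fixed")))
    return rows


def vulnerable_packages(table_text, installed):
    """Installed packages whose version-release is older than the fixed one."""
    fixed = {(n, a): f for n, a, f in parse_affected(table_text)}
    return sorted((n, a, vr, fixed[(n, a)]) for (n, a), vr in installed.items()
                  if (n, a) in fixed and vrcmp(vr, fixed[(n, a)]) < 0)


if __name__ == "__main__":
    for name, arch, have, need in vulnerable_packages(AFFECTED_TABLE, INSTALLED):
        print("%s.%s: installed %s is older than fixed %s" % (name, arch, have, need))
```

Packages that are installed at exactly the fixed build or newer, and packages this erratum does not cover, are not reported; only the hypothetical older java-1.6.0-openjdk build shows up.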