RHEL 4 / 5 : java-1.6.0-ibm (RHSA-2008:0906)

This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.

Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated java-1.6.0-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 4 Extras and Red Hat
Enterprise Linux 5 Supplementary.

This update has been rated as having critical security impact by the
Red Hat Security Response Team.

The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment
and the IBM Java 2 Software Development Kit.

A flaw was found in the Java Management Extensions (JMX) management
agent. When local monitoring is enabled, remote attackers could use
this flaw to perform illegal operations. (CVE-2008-3103)

Several flaws involving the handling of unsigned applets were found. A
remote attacker could misuse an unsigned applet in order to connect to
services on the host running the applet. (CVE-2008-3104)

Several flaws in the Java API for XML Web Services (JAX-WS) client and
the JAX-WS service implementation were found. A remote attacker who
could cause malicious XML to be processed by an application could
access URLs, or cause a denial of service. (CVE-2008-3105,

Several flaws within the Java Runtime Environment (JRE) scripting
support were found. A remote attacker could grant an untrusted applet
extended privileges, such as reading and writing local files,
executing local programs, or querying the sensitive data of other
applets. (CVE-2008-3109, CVE-2008-3110)

A flaw in Java Web Start was found. Using an untrusted Java Web Start
application, a remote attacker could create or delete arbitrary files
with the permissions of the user running the untrusted application.

A flaw in Java Web Start when processing untrusted applications was
found. An attacker could use this flaw to acquire sensitive
information, such as the location of the cache. (CVE-2008-3114)

All users of java-1.6.0-ibm are advised to upgrade to these updated
packages, containing the IBM 1.6.0 SR2 Java release, which resolves
these issues.

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 40728

CVE ID: CVE-2008-3103