RHEL 4 / 5 : java-1.6.0-ibm (RHSA-2008:0906)

This script is Copyright (C) 2009-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated java-1.6.0-ibm packages that fix several security issues are
now available for Red Hat Enterprise Linux 4 Extras and Red Hat
Enterprise Linux 5 Supplementary.

This update has been rated as having critical security impact by the
Red Hat Security Response Team.

The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment
and the IBM Java 2 Software Development Kit.

A flaw was found in the Java Management Extensions (JMX) management
agent. When local monitoring is enabled, remote attackers could use
this flaw to perform illegal operations. (CVE-2008-3103)

Several flaws involving the handling of unsigned applets were found. A
remote attacker could misuse an unsigned applet in order to connect to
services on the host running the applet. (CVE-2008-3104)

Several flaws in the Java API for XML Web Services (JAX-WS) client and
the JAX-WS service implementation were found. A remote attacker who
could cause malicious XML to be processed by an application could
access URLs, or cause a denial of service. (CVE-2008-3105,
CVE-2008-3106)

Several flaws within the Java Runtime Environment (JRE) scripting
support were found. A remote attacker could grant an untrusted applet
extended privileges, such as reading and writing local files,
executing local programs, or querying the sensitive data of other
applets. (CVE-2008-3109, CVE-2008-3110)

A flaw in Java Web Start was found. Using an untrusted Java Web Start
application, a remote attacker could create or delete arbitrary files
with the permissions of the user running the untrusted application.
(CVE-2008-3112)

A flaw in Java Web Start when processing untrusted applications was
found. An attacker could use this flaw to acquire sensitive
information, such as the location of the cache. (CVE-2008-3114)

All users of java-1.6.0-ibm are advised to upgrade to these updated
packages, containing the IBM 1.6.0 SR2 Java release, which resolves
these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2008-3103.html
https://www.redhat.com/security/data/cve/CVE-2008-3104.html
https://www.redhat.com/security/data/cve/CVE-2008-3105.html
https://www.redhat.com/security/data/cve/CVE-2008-3106.html
https://www.redhat.com/security/data/cve/CVE-2008-3109.html
https://www.redhat.com/security/data/cve/CVE-2008-3110.html
https://www.redhat.com/security/data/cve/CVE-2008-3112.html
https://www.redhat.com/security/data/cve/CVE-2008-3114.html
http://www-128.ibm.com/developerworks/java/jdk/alerts/
http://rhn.redhat.com/errata/RHSA-2008-0906.html

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
Public Exploit Available : true
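The 10.0 above follows directly from the vector string, so it is worth seeing how it is derived. The script below is an added example and is not part of the Tenable plugin or of Red Hat's advisory: it parses a `CVSS2#...` base vector as printed by Nessus, applies the CVSS v2.0 base-score equations with the metric weights from the CVSS v2 specification, and maps the result to a severity band. The band edges (`Critical` only at 10.0, `High` from 7.0 to 9.9) reflect Tenable's CVSS v2 rating scheme as I understand it and should be treated as an assumption; the arithmetic itself is the published v2 formula.

```python
# Added example: compute a CVSS v2.0 base score from a Nessus-style vector.
# Not part of the Tenable plugin text; weights are from the CVSS v2 spec.
import re

# CVSS v2.0 metric weights (CVSS v2 specification, base metric group).
_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},      # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},       # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},      # Authentication
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},      # Confidentiality impact
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},      # Integrity impact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},      # Availability impact
}

# Accepts the bare vector or the "CVSS2#" prefix Nessus prints in front of it.
_VECTOR_RE = re.compile(
    r"^(?:CVSS2#)?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$"
)


def parse_vector(vector):
    """Split a CVSS v2 base vector into a {metric: value-letter} dict."""
    m = _VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(["AV", "AC", "Au", "C", "I", "A"], m.groups()))


def cvss2_base(vector):
    """Return (base, impact, exploitability), each rounded to one decimal.

    Equations from the CVSS v2 specification:
      Impact         = 10.41 * (1 - (1-C)*(1-I)*(1-A))
      Exploitability = 20 * AV * AC * Au
      f(Impact)      = 0 if Impact == 0 else 1.176
      BaseScore      = ((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact)
    """
    v = parse_vector(vector)
    w = {metric: _WEIGHTS[metric][letter] for metric, letter in v.items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(base, 1), round(impact, 1), round(exploitability, 1)


def severity(base):
    """Map a v2 base score to a band. Edges follow Tenable's v2 scheme as I
    understand it (assumption): only a perfect 10.0 is rated Critical."""
    if base == 0.0:
        return "Info"
    if base < 4.0:
        return "Low"
    if base < 7.0:
        return "Medium"
    if base < 10.0:
        return "High"
    return "Critical"


if __name__ == "__main__":
    # The vector from this advisory: network-reachable, no authentication,
    # complete loss of confidentiality, integrity and availability.
    vec = "CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"
    base, imp, expl = cvss2_base(vec)
    print(f"{vec}: base={base} impact={imp} exploitability={expl} "
          f"severity={severity(base)}")
```

Running it on the advisory's vector reproduces the 10.0 base score with impact and exploitability sub-scores of 10.0 each, and the `Critical` band Tenable assigns. Lowering the three impact metrics to partial (`C:P/I:P/A:P`) with the same access metrics yields 7.5, which is useful when triaging why two network-reachable Java flaws receive different scores.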

Family: Red Hat Local Security Checks

Nessus Plugin ID: 40728

Bugtraq ID:

CVE ID: CVE-2008-3103
CVE-2008-3104
CVE-2008-3105
CVE-2008-3106
CVE-2008-3109
CVE-2008-3110
CVE-2008-3112
CVE-2008-3114