Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : openjdk-6, openjdk-6b18 vulnerabilities (USN-1010-1)

Ubuntu Security Notice (C) 2010-2014 Canonical, Inc. / NASL script (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related patches.

Description :

Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3
protocols. If an attacker could perform a man in the middle attack at
the start of a TLS connection, the attacker could inject arbitrary
content at the beginning of the user's session. USN-923-1 disabled
SSL/TLS renegotiation by default
this update implements the TLS
Renegotiation Indication Extension as defined in RFC 5746, and thus
supports secure renegotiation between updated clients and servers.
(CVE-2009-3555)

It was discovered that the HttpURLConnection class did not validate
request headers set by java applets, which could allow an attacker to
trigger actions otherwise not allowed to HTTP clients. (CVE-2010-3541)

It was discovered that JNDI could leak information that would allow an
attacker to to access information about otherwise-protected internal
network names. (CVE-2010-3548)

It was discovered that HttpURLConnection improperly handled the
'chunked' transfer encoding method, which could allow attackers to
conduct HTTP response splitting attacks. (CVE-2010-3549)

It was discovered that the NetworkInterface class improperly checked
the network 'connect' permissions for local network addresses. This
could allow an attacker to read local network addresses.
(CVE-2010-3551)

It was discovered that UIDefault.ProxyLazyValue had unsafe reflection
usage, allowing an attacker to create objects. (CVE-2010-3553)

It was discovered that multiple flaws in the CORBA reflection
implementation could allow an attacker to execute arbitrary code by
misusing permissions granted to certain system objects.
(CVE-2010-3554)

It was discovered that unspecified flaws in the Swing library could
allow untrusted applications to modify the behavior and state of
certain JDK classes. (CVE-2010-3557)

It was discovered that the privileged accept method of the
ServerSocket class in the CORBA implementation allowed it to receive
connections from any host, instead of just the host of the current
connection. An attacker could use this flaw to bypass restrictions
defined by network permissions. (CVE-2010-3561)

It was discovered that there exists a double free in java's
indexColorModel that could allow an attacker to cause an applet or
application to crash, or possibly execute arbitrary code with the
privilege of the user running the java applet or application.
(CVE-2010-3562)

It was discovered that the Kerberos implementation improperly checked
AP-REQ requests, which could allow an attacker to cause a denial of
service against the receiving JVM. (CVE-2010-3564)

It was discovered that improper checks of unspecified image metadata
in JPEGImageWriter.writeImage of the imageio API could allow an
attacker to execute arbitrary code with the privileges of the user
running a java applet or application. (CVE-2010-3565)

It was discovered that an unspecified vulnerability in the ICC profile
handling code could allow an attacker to execute arbitrary code with
the privileges of the user running a java applet or application.
(CVE-2010-3566)

It was discovered that a miscalculation in the OpenType font rendering
implementation would allow out-of-bounds memory access. This could
allow an attacker to execute arbitrary code with the privileges of the
user running a java application. (CVE-2010-3567)

It was discovered that an unspecified race condition in the way
objects were deserialized could allow an attacker to cause an applet
or application to misuse the privileges of the user running the java
applet or application. (CVE-2010-3568)

It was discovered that the defaultReadObject of the Serialization API
could be tricked into setting a volatile field multiple times. This
could allow an attacker to execute arbitrary code with the privileges
of the user running a java applet or application. (CVE-2010-3569)

It was discovered that the HttpURLConnection class did not validate
request headers set by java applets, which could allow an attacker to
trigger actions otherwise not allowed to HTTP clients. (CVE-2010-3573)

It was discovered that the HttpURLConnection class improperly checked
whether the calling code was granted the 'allowHttpTrace' permission,
allowing an attacker to create HTTP TRACE requests. (CVE-2010-3574).

Solution :

Update the affected packages.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false