RHEL 6 : icedtea-web (RHSA-2011:1100)

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated icedtea-web packages that fix two security issues are now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
moderate security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

The IcedTea-Web project provides a Java web browser plug-in and an
implementation of Java Web Start, which is based on the Netx project.
It also contains a configuration tool for managing deployment settings
for the plug-in and Web Start implementations.

A flaw was discovered in the JNLP (Java Network Launching Protocol)
implementation in IcedTea-Web. An unsigned Java Web Start application
could use this flaw to manipulate the content of a Security Warning
dialog box, to trick a user into granting the application unintended
access permissions to local files. (CVE-2011-2514)

An information disclosure flaw was discovered in the JNLP
implementation in IcedTea-Web. An unsigned Java Web Start application
or Java applet could use this flaw to determine the path to the cache
directory used to store downloaded Java class and archive files, and
therefore determine the user's login name. (CVE-2011-2513)

All icedtea-web users should upgrade to these updated packages, which
contain backported patches to correct these issues.

See also :

https://www.redhat.com/security/data/cve/CVE-2011-2513.html
https://www.redhat.com/security/data/cve/CVE-2011-2514.html
http://rhn.redhat.com/errata/RHSA-2011-1100.html

Solution :

Update the affected icedtea-web, icedtea-web-debuginfo and / or
icedtea-web-javadoc packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Red Hat Local Security Checks

Nessus Plugin ID: 55710 ()

Bugtraq ID: 48829

CVE ID: CVE-2011-2513
CVE-2011-2514