RHEL 6 : icedtea-web (RHSA-2011:1441)

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated icedtea-web packages that fix one security issue are now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
moderate security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from
the CVE link in the References section.

The IcedTea-Web project provides a Java web browser plug-in and an
implementation of Java Web Start, which is based on the Netx project.
It also contains a configuration tool for managing deployment settings
for the plug-in and Web Start implementations.

A flaw was found in the same-origin policy implementation in the
IcedTea-Web browser plug-in. A malicious Java applet could use this
flaw to open network connections to hosts other than the originating
host, violating the same-origin policy. (CVE-2011-3377)

All IcedTea-Web users should upgrade to these updated packages, which
upgrade IcedTea-Web to version 1.0.6 to correct this issue. Web
browsers using the IcedTea-Web browser plug-in must be restarted for
this update to take effect.

See also :

https://www.redhat.com/security/data/cve/CVE-2011-3377.html
http://rhn.redhat.com/errata/RHSA-2011-1441.html

Solution :

Update the affected icedtea-web, icedtea-web-debuginfo and / or
icedtea-web-javadoc packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)

Family: Red Hat Local Security Checks

Nessus Plugin ID: 56745 ()

Bugtraq ID:

CVE ID: CVE-2011-3377