Oracle Linux 6 : icedtea-web (ELSA-2011-1441)

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote Oracle Linux host is missing one or more security updates.

Description :

From Red Hat Security Advisory 2011:1441 :

Updated icedtea-web packages that fix one security issue are now
available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
moderate security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from
the CVE link in the References section.

The IcedTea-Web project provides a Java web browser plug-in and an
implementation of Java Web Start, which is based on the Netx project.
It also contains a configuration tool for managing deployment settings
for the plug-in and Web Start implementations.

A flaw was found in the same-origin policy implementation in the
IcedTea-Web browser plug-in. A malicious Java applet could use this
flaw to open network connections to hosts other than the originating
host, violating the same-origin policy. (CVE-2011-3377)

All IcedTea-Web users should upgrade to these updated packages, which
upgrade IcedTea-Web to version 1.0.6 to correct this issue. Web
browsers using the IcedTea-Web browser plug-in must be restarted for
this update to take effect.

See also :

https://oss.oracle.com/pipermail/el-errata/2011-November/002456.html

Solution :

Update the affected icedtea-web packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Oracle Linux Local Security Checks

Nessus Plugin ID: 68388 ()

Bugtraq ID: 50610

CVE ID: CVE-2011-3377