This script is Copyright (C) 2012 Tenable Network Security, Inc.
The remote Scientific Linux host is missing one or more security
A public static field declaration allowed untrusted JNLP (Java Network
Launching Protocol) applications to read privileged data. A remote
attacker could directly or indirectly read the values of restricted
system properties, such as 'user.name', 'user.home', and 'java.home',
which untrusted applications should not be allowed to read.
It was found that JNLPSecurityManager could silently return without
throwing an exception when permission was denied. If the javaws
command was used to launch a Java Web Start application that relies on
this exception being thrown, it could result in that application being
run with elevated privileges, allowing it to bypass security manager
restrictions and gain access to privileged functionality.
Note: The previous java-1.6.0-openjdk update installed javaws by
mistake. As part of the fixes for CVE-2010-3860 and CVE-2010-4351,
this update removes javaws.
This erratum also upgrades the OpenJDK package to IcedTea6 1.7.7.
Refer to the NEWS file, linked to in the References, for further
All running instances of OpenJDK Java must be restarted for the update
to take effect.
See also :
Update the affected packages.
Risk factor :
Medium / CVSS Base Score : 6.8