SuSE 10 Security Update : Java 1.4.2 (ZYPP Patch Number 5431)

Critical Nessus Plugin ID 34036

Synopsis

The remote SuSE 10 host is missing a security-related patch.

Description

Sun Java was updated to 1.4.2u18 to fix following security vulnerabilities :

- Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allows context-dependent attackers to obtain sensitive information (the cache location) via an untrusted application, aka CR 6704074. (CVE-2008-3114)

- Unspecified vulnerability in Sun Java Web Start in JDK and JRE 5.0 before Update 16 and SDK and JRE 1.4.x before 1.4.2_18 allows remote attackers to create or delete arbitrary files via an untrusted application, aka CR 6704077. (CVE-2008-3113)

- Unspecified vulnerability in Sun Java Web Start in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allows remote attackers to create arbitrary files via an untrusted application, aka CR 6703909. (CVE-2008-3112)

- Multiple buffer overflows in Sun Java Web Start in JDK and JRE 6 before Update 4, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allow context-dependent attackers to gain privileges via an untrusted application, as demonstrated by an application that grants itself privileges to (1) read local files, (2) write to local files, or (3) execute local programs, aka CR 6557220. (CVE-2008-3111)

- Buffer overflow in Sun Java Runtime Environment (JRE) in JDK and JRE 5.0 before Update 10, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allows context-dependent attackers to gain privileges via unspecified vectors related to font processing.
(CVE-2008-3108)

- Unspecified vulnerability in the Virtual Machine in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, and SDK and JRE 1.4.x before 1.4.2_18 allows context-dependent attackers to gain privileges via an untrusted (1) application or (2) applet, as demonstrated by an application or applet that grants itself privileges to (a) read local files, (b) write to local files, or (c) execute local programs. (CVE-2008-3107)

- Multiple unspecified vulnerabilities in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 7, JDK and JRE 5.0 before Update 16, SDK and JRE 1.4.x before 1.4.2_18, and SDK and JRE 1.3.x before 1.3.1_23 allow remote attackers to violate the security model for an applet's outbound connections by connecting to localhost services running on the machine that loaded the applet.
(CVE-2008-3104)

Solution

Apply ZYPP patch number 5431.

See Also

http://support.novell.com/security/cve/CVE-2008-3104.html

http://support.novell.com/security/cve/CVE-2008-3107.html

http://support.novell.com/security/cve/CVE-2008-3108.html

http://support.novell.com/security/cve/CVE-2008-3111.html

http://support.novell.com/security/cve/CVE-2008-3112.html

http://support.novell.com/security/cve/CVE-2008-3113.html

http://support.novell.com/security/cve/CVE-2008-3114.html

Plugin Details

Severity: Critical

ID: 34036

File Name: suse_java-1_4_2-sun-5431.nasl

Version: $Revision: 1.18 $

Type: local

Agent: unix

Published: 2008/08/24

Modified: 2016/12/22

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:suse:suse_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2008/07/14

Exploitable With

CANVAS (D2ExploitPack)

Reference Information

CVE: CVE-2008-3104, CVE-2008-3107, CVE-2008-3108, CVE-2008-3111, CVE-2008-3112, CVE-2008-3113, CVE-2008-3114

CWE: 20, 119, 200, 264