Ubuntu 8.10 : openjdk-6 vulnerabilities (USN-748-1)

Critical Nessus Plugin ID 36366

Synopsis

The remote Ubuntu host is missing one or more security-related patches.

Description

It was discovered that font creation could leak temporary files. If a user were tricked into loading a malicious program or applet, a remote attacker could consume disk space, leading to a denial of service.
(CVE-2006-2426, CVE-2009-1100)

It was discovered that the lightweight HttpServer did not correctly close files on dataless connections. A remote attacker could send specially crafted requests, leading to a denial of service.
(CVE-2009-1101)

The Java Runtime Environment did not correctly validate certain generated code. If a user were tricked into running a malicious applet a remote attacker could execute arbitrary code. (CVE-2009-1102)

It was discovered that LDAP connections did not close correctly. A remote attacker could send specially crafted requests, leading to a denial of service. (CVE-2009-1093)

Java LDAP routines did not unserialize certain data correctly. A remote attacker could send specially crafted requests that could lead to arbitrary code execution. (CVE-2009-1094)

Java did not correctly check certain JAR headers. If a user or automated system were tricked into processing a malicious JAR file, a remote attacker could crash the application, leading to a denial of service. (CVE-2009-1095, CVE-2009-1096)

It was discovered that PNG and GIF decoding in Java could lead to memory corruption. If a user or automated system were tricked into processing a specially crafted image, a remote attacker could crash the application, leading to a denial of service. (CVE-2009-1097, CVE-2009-1098).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected packages.

See Also

https://usn.ubuntu.com/748-1/

Plugin Details

Severity: Critical

ID: 36366

File Name: ubuntu_USN-748-1.nasl

Version: 1.17

Type: local

Agent: unix

Published: 2009/04/23

Updated: 2018/11/28

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:canonical:ubuntu_linux:icedtea6-plugin, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-dbg, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-demo, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-doc, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jdk, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-headless, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-lib, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-source, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-source-files, cpe:/o:canonical:ubuntu_linux:8.10

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2009/03/26

Reference Information

CVE: CVE-2006-2426, CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102

BID: 34240

USN: 748-1

CWE: 16, 94, 119, 189