RHEL 4 / 5 : java-1.6.0-ibm (RHSA-2008:0906)

Critical Nessus Plugin ID 40728

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

A flaw was found in the Java Management Extensions (JMX) management agent. When local monitoring is enabled, remote attackers could use this flaw to perform illegal operations. (CVE-2008-3103)

Several flaws involving the handling of unsigned applets were found. A remote attacker could misuse an unsigned applet in order to connect to services on the host running the applet. (CVE-2008-3104)

Several flaws in the Java API for XML Web Services (JAX-WS) client and the JAX-WS service implementation were found. A remote attacker who could cause malicious XML to be processed by an application could access URLs, or cause a denial of service. (CVE-2008-3105, CVE-2008-3106)

Several flaws within the Java Runtime Environment (JRE) scripting support were found. A remote attacker could grant an untrusted applet extended privileges, such as reading and writing local files, executing local programs, or querying the sensitive data of other applets. (CVE-2008-3109, CVE-2008-3110)

A flaw in Java Web Start was found. Using an untrusted Java Web Start application, a remote attacker could create or delete arbitrary files with the permissions of the user running the untrusted application.
(CVE-2008-3112)

A flaw in Java Web Start when processing untrusted applications was found. An attacker could use this flaw to acquire sensitive information, such as the location of the cache. (CVE-2008-3114)

All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR2 Java release, which resolves these issues.

Solution

Update the affected packages.

CPE: p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-accessibility, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-demo, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-devel, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-javacomm, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-jdbc, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-plugin, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-src, cpe:/o:redhat:enterprise_linux:4, cpe:/o:redhat:enterprise_linux:4.6, cpe:/o:redhat:enterprise_linux:5, cpe:/o:redhat:enterprise_linux:5.2

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2008/10/24

Vulnerability Publication Date: 2008/07/09

Exploitable With

CANVAS (D2ExploitPack)

Reference Information

CVE: CVE-2008-3103, CVE-2008-3104, CVE-2008-3105, CVE-2008-3106, CVE-2008-3109, CVE-2008-3110, CVE-2008-3112, CVE-2008-3114

RHSA: 2008:0906

CWE: 200, 264

RHEL 4 / 5 : java-1.6.0-ibm (RHSA-2008:0906)

Synopsis

Description

Solution

See Also

Plugin Details

Risk Information

CVSS v2.0

Vulnerability Information

Exploitable With

Reference Information