SynopsisThe remote Red Hat host is missing one or more security updates.
DescriptionUpdated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary.
This update has been rated as having critical security impact by the Red Hat Security Response Team.
The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.
A flaw was found in the Java Management Extensions (JMX) management agent. When local monitoring is enabled, remote attackers could use this flaw to perform illegal operations. (CVE-2008-3103)
Several flaws involving the handling of unsigned applets were found. A remote attacker could misuse an unsigned applet in order to connect to services on the host running the applet. (CVE-2008-3104)
Several flaws in the Java API for XML Web Services (JAX-WS) client and the JAX-WS service implementation were found. A remote attacker who could cause malicious XML to be processed by an application could access URLs, or cause a denial of service. (CVE-2008-3105, CVE-2008-3106)
Several flaws within the Java Runtime Environment (JRE) scripting support were found. A remote attacker could grant an untrusted applet extended privileges, such as reading and writing local files, executing local programs, or querying the sensitive data of other applets. (CVE-2008-3109, CVE-2008-3110)
A flaw in Java Web Start was found. Using an untrusted Java Web Start application, a remote attacker could create or delete arbitrary files with the permissions of the user running the untrusted application.
A flaw in Java Web Start when processing untrusted applications was found. An attacker could use this flaw to acquire sensitive information, such as the location of the cache. (CVE-2008-3114)
All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR2 Java release, which resolves these issues.
SolutionUpdate the affected packages.
File Name: redhat-RHSA-2008-0906.nasl
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent
CPE: p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-accessibility, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-demo, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-devel, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-javacomm, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-jdbc, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-plugin, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-src, cpe:/o:redhat:enterprise_linux:4, cpe:/o:redhat:enterprise_linux:4.6, cpe:/o:redhat:enterprise_linux:5, cpe:/o:redhat:enterprise_linux:5.2
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Ease: Exploits are available
Patch Publication Date: 10/24/2008
Vulnerability Publication Date: 7/9/2008