Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : openjdk-6, openjdk-6b18 vulnerabilities (USN-1010-1)

Critical Nessus Plugin ID 50410

Synopsis

The remote Ubuntu host is missing one or more security-related patches.

Description

Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man in the middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user's session. USN-923-1 disabled SSL/TLS renegotiation by default; this update implements the TLS Renegotiation Indication Extension as defined in RFC 5746, and thus supports secure renegotiation between updated clients and servers.
(CVE-2009-3555)

It was discovered that the HttpURLConnection class did not validate request headers set by java applets, which could allow an attacker to trigger actions otherwise not allowed to HTTP clients. (CVE-2010-3541)

It was discovered that JNDI could leak information that would allow an attacker to to access information about otherwise-protected internal network names. (CVE-2010-3548)

It was discovered that HttpURLConnection improperly handled the 'chunked' transfer encoding method, which could allow attackers to conduct HTTP response splitting attacks. (CVE-2010-3549)

It was discovered that the NetworkInterface class improperly checked the network 'connect' permissions for local network addresses. This could allow an attacker to read local network addresses.
(CVE-2010-3551)

It was discovered that UIDefault.ProxyLazyValue had unsafe reflection usage, allowing an attacker to create objects. (CVE-2010-3553)

It was discovered that multiple flaws in the CORBA reflection implementation could allow an attacker to execute arbitrary code by misusing permissions granted to certain system objects.
(CVE-2010-3554)

It was discovered that unspecified flaws in the Swing library could allow untrusted applications to modify the behavior and state of certain JDK classes. (CVE-2010-3557)

It was discovered that the privileged accept method of the ServerSocket class in the CORBA implementation allowed it to receive connections from any host, instead of just the host of the current connection. An attacker could use this flaw to bypass restrictions defined by network permissions. (CVE-2010-3561)

It was discovered that there exists a double free in java's indexColorModel that could allow an attacker to cause an applet or application to crash, or possibly execute arbitrary code with the privilege of the user running the java applet or application.
(CVE-2010-3562)

It was discovered that the Kerberos implementation improperly checked AP-REQ requests, which could allow an attacker to cause a denial of service against the receiving JVM. (CVE-2010-3564)

It was discovered that improper checks of unspecified image metadata in JPEGImageWriter.writeImage of the imageio API could allow an attacker to execute arbitrary code with the privileges of the user running a java applet or application. (CVE-2010-3565)

It was discovered that an unspecified vulnerability in the ICC profile handling code could allow an attacker to execute arbitrary code with the privileges of the user running a java applet or application.
(CVE-2010-3566)

It was discovered that a miscalculation in the OpenType font rendering implementation would allow out-of-bounds memory access. This could allow an attacker to execute arbitrary code with the privileges of the user running a java application. (CVE-2010-3567)

It was discovered that an unspecified race condition in the way objects were deserialized could allow an attacker to cause an applet or application to misuse the privileges of the user running the java applet or application. (CVE-2010-3568)

It was discovered that the defaultReadObject of the Serialization API could be tricked into setting a volatile field multiple times. This could allow an attacker to execute arbitrary code with the privileges of the user running a java applet or application. (CVE-2010-3569)

It was discovered that the HttpURLConnection class did not validate request headers set by java applets, which could allow an attacker to trigger actions otherwise not allowed to HTTP clients. (CVE-2010-3573)

It was discovered that the HttpURLConnection class improperly checked whether the calling code was granted the 'allowHttpTrace' permission, allowing an attacker to create HTTP TRACE requests. (CVE-2010-3574).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected packages.

See Also

https://usn.ubuntu.com/1010-1/

Plugin Details

Severity: Critical

ID: 50410

File Name: ubuntu_USN-1010-1.nasl

Version: 1.15

Type: local

Agent: unix

Published: 2010/10/29

Updated: 2018/12/01

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:canonical:ubuntu_linux:icedtea-6-jre-cacao, p-cpe:/a:canonical:ubuntu_linux:icedtea6-plugin, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-dbg, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-demo, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-doc, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jdk, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-headless, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-lib, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-zero, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-source, cpe:/o:canonical:ubuntu_linux:10.04:-:lts, cpe:/o:canonical:ubuntu_linux:10.10, cpe:/o:canonical:ubuntu_linux:8.04:-:lts, cpe:/o:canonical:ubuntu_linux:9.10

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2010/10/28

Reference Information

CVE: CVE-2009-3555, CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3551, CVE-2010-3553, CVE-2010-3554, CVE-2010-3557, CVE-2010-3561, CVE-2010-3562, CVE-2010-3564, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3573, CVE-2010-3574

BID: 36935, 43963, 43979, 43985, 43988, 43992, 43994, 44009, 44011, 44012, 44013, 44014, 44016, 44017, 44027, 44028, 44032, 44035

USN: 1010-1

CWE: 310