GLSA-201111-02 : Oracle JRE/JDK: Multiple vulnerabilities (BEAST)

Critical Nessus Plugin ID 56724

Synopsis

The remote Gentoo host is missing one or more security-related
patches.

Description

The remote host is affected by the vulnerability described in GLSA-201111-02
(Oracle JRE/JDK: Multiple vulnerabilities)

Multiple vulnerabilities have been reported in the Oracle Java
implementation. Please review the CVE identifiers referenced below and
the associated Oracle Critical Patch Update Advisory for details.
Impact :

A remote attacker could exploit these vulnerabilities to cause
unspecified impact, possibly including remote execution of arbitrary
code.
Workaround :

There is no known workaround at this time.

Solution

All Oracle JDK 1.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-java/sun-jdk-1.6.0.29'
All Oracle JRE 1.6 users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose '>=dev-java/sun-jre-bin-1.6.0.29'
All users of the precompiled 32-bit Oracle JRE 1.6 should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose
'>=app-emulation/emul-linux-x86-java-1.6.0.29'
NOTE: As Oracle has revoked the DLJ license for its Java implementation,
the packages can no longer be updated automatically. This limitation is
not present on a non-fetch restricted implementation such as
dev-java/icedtea-bin.

See Also

https://security.gentoo.org/glsa/201111-02

Plugin Details

Severity: Critical

ID: 56724

File Name: gentoo_GLSA-201111-02.nasl

Version: 1.19

Type: local

Published: 2011/11/07

Modified: 2018/07/11

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:emul-linux-x86-java, p-cpe:/a:gentoo:linux:sun-jdk, p-cpe:/a:gentoo:linux:sun-jre-bin, cpe:/o:gentoo:linux

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/11/05

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Java RMI Server Insecure Default Configuration Java Code Execution)

Reference Information

CVE: CVE-2010-3541, CVE-2010-3548, CVE-2010-3549, CVE-2010-3550, CVE-2010-3551, CVE-2010-3552, CVE-2010-3553, CVE-2010-3554, CVE-2010-3555, CVE-2010-3556, CVE-2010-3557, CVE-2010-3558, CVE-2010-3559, CVE-2010-3560, CVE-2010-3561, CVE-2010-3562, CVE-2010-3563, CVE-2010-3565, CVE-2010-3566, CVE-2010-3567, CVE-2010-3568, CVE-2010-3569, CVE-2010-3570, CVE-2010-3571, CVE-2010-3572, CVE-2010-3573, CVE-2010-3574, CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4451, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4474, CVE-2010-4475, CVE-2010-4476, CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0862, CVE-2011-0863, CVE-2011-0864, CVE-2011-0865, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0872, CVE-2011-0873, CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3555, CVE-2011-3556, CVE-2011-3557, CVE-2011-3558, CVE-2011-3560, CVE-2011-3561

BID: 43965, 43971, 43979, 43985, 43988, 43992, 43994, 43999, 44009, 44011, 44012, 44013, 44014, 44016, 44017, 44020, 44021, 44023, 44024, 44026, 44027, 44028, 44030, 44032, 44035, 44038, 44040, 46091, 46386, 46387, 46388, 46391, 46393, 46394, 46395, 46397, 46398, 46399, 46400, 46402, 46403, 46404, 46405, 46406, 46407, 46409, 46410, 46411, 48137, 48138, 48139, 48140, 48141, 48142, 48143, 48144, 48145, 48146, 48147, 48148, 48149, 49778, 50211, 50215, 50216, 50218, 50220, 50223, 50224, 50226, 50229, 50231, 50234, 50236, 50237, 50239, 50242, 50243, 50246, 50248, 50250

GLSA: 201111-02