Scientific Linux Security Update : java (jdk 1.6.0) on SL4.x, SL5.x i386/x86_64

High Nessus Plugin ID 60691

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

CVE-2009-2409 deprecate MD2 in SSL cert validation (Kaminsky)

CVE-2009-3873 OpenJDK JPEG Image Writer quantization problem (6862968)

CVE-2009-3875 OpenJDK MessageDigest.isEqual introduces timing attack vulnerabilities (6863503)

CVE-2009-3876 CVE-2009-3877 OpenJDK ASN.1/DER input stream parser denial of service (6864911)

CVE-2009-3869 OpenJDK JRE AWT setDiffICM stack overflow (6872357)

CVE-2009-3871 OpenJDK JRE AWT setBytePixels heap overflow (6872358)

CVE-2009-3874 OpenJDK ImageI/O JPEG heap overflow (6874643)

CVE-2009-3728 OpenJDK ICC_Profile file existence detection information leak (6631533)

CVE-2009-3881 OpenJDK resurrected classloaders can still have children (6636650)

CVE-2009-3882 CVE-2009-3883 OpenJDK information leaks in mutable variables (6657026, 6657138)

CVE-2009-3880 OpenJDK UI logging information leakage (6664512)

CVE-2009-3879 OpenJDK GraphicsConfiguration information leak (6822057)

CVE-2009-3884 OpenJDK zoneinfo file existence information leak (6824265)

CVE-2009-3729 JRE TrueType font parsing crash (6815780)

CVE-2009-3872 JRE JPEG JFIF Decoder issue (6862969)

CVE-2009-3886 JRE REGRESSION: have problem to run JNLP app and applets with signed Jar files (6870531)

CVE-2009-3865 java-1.6.0-sun: ACE in JRE Deployment Toolkit (6869752)

CVE-2009-3866 java-1.6.0-sun: Privilege escalation in the Java Web Start Installer (6872824)

CVE-2009-3867 java-1.5.0-sun, java-1.6.0-sun: Stack-based buffer overflow via a long file: URL argument (6854303)

CVE-2009-3868 java-1.5.0-sun, java-1.6.0-sun: Privilege escalation via crafted image file due to improper color profile parsing (6862970)

This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. These vulnerabilities are summarized on the 'Advance notification of Security Updates for Java SE' page from Sun Microsystems, listed in the References section. (CVE-2009-2409, CVE-2009-3728, CVE-2009-3729, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886)

All running instances of Sun Java must be restarted for the update to take effect.

Solution

Update the affected java-1.6.0-sun-compat and / or jdk packages.

See Also

http://www.nessus.org/u?6a7a8b8a

Plugin Details

Severity: High

ID: 60691

File Name: sl_20091109_java__jdk_1_6_0__on_SL4_x.nasl

Version: 1.5

Type: local

Agent: unix

Published: 2012/08/01

Updated: 2019/01/02

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: x-cpe:/o:fermilab:scientific_linux

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2009/11/09

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Sun Java JRE AWT setDiffICM Buffer Overflow)

Reference Information

CVE: CVE-2009-2409, CVE-2009-3728, CVE-2009-3729, CVE-2009-3865, CVE-2009-3866, CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3886

CWE: 22, 94, 119, 189, 200, 264, 310, 399