Detections
Analytics

RHEL 6 : java-1.7.0-openjdk (RHSA-2012:1386)

medium Nessus Plugin ID 62615

Language:

Synopsis

The remote Red Hat host is missing one or more security updates for java-1.7.0-openjdk.

Description

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1386 advisory.

 - OpenJDK: java.io.FilePermission information leak (Libraries, 6631398) (CVE-2012-3216)

 - OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606) (CVE-2012-4416)

 - OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535) (CVE-2012-5068)

 - OpenJDK: Executors state handling issues (Concurrency, 7189103) (CVE-2012-5069)

 - OpenJDK: EnvHelp information disclosure (JMX, 7158796) (CVE-2012-5070)

 - OpenJDK: DescriptorSupport insufficient package access checks (JMX, 7192975) (CVE-2012-5071)

 - OpenJDK: AccessController.doPrivilegedWithCombiner() information disclosure (Security, 7172522) (CVE-2012-5072)

 - OpenJDK: LogManager security bypass (Libraries, 7169884) (CVE-2012-5073)

 - OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7169887) (CVE-2012-5074)

 - OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888) (CVE-2012-5075)

 - OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7163198) (CVE-2012-5076)

 - OpenJDK: SecureRandom mulitple seeders information disclosure (Security, 7167656) (CVE-2012-5077)

 - OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919) (CVE-2012-5079)

 - OpenJDK: JSSE denial of service (JSSE, 7186286) (CVE-2012-5081)

 - OpenJDK: DefaultFormatter insufficient data validation (Swing, 7195194) (CVE-2012-5084)

 - OpenJDK: disable Gopher support by default (Gopher, 7189567) (CVE-2012-5085)

 - OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917) (CVE-2012-5086)

 - OpenJDK: PropertyElementHandler insufficient access checks (Beans, 7195549) (CVE-2012-5087)

 - OpenJDK: MethodHandle insufficient access control checks (Libraries, 7196190) (CVE-2012-5088)

 - OpenJDK: RMIConnectionImpl insufficient access control checks (JMX, 7198296) (CVE-2012-5089)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL java-1.7.0-openjdk package based on the guidance in RHSA-2012:1386.

See Also

http://www.nessus.org/u?428c7e35

http://www.nessus.org/u?a62c2e98

http://www.nessus.org/u?b0eb44d4

https://access.redhat.com/errata/RHSA-2012:1386

https://access.redhat.com/security/updates/classification/#important

https://bugzilla.redhat.com/show_bug.cgi?id=856124

https://bugzilla.redhat.com/show_bug.cgi?id=865346

https://bugzilla.redhat.com/show_bug.cgi?id=865348

https://bugzilla.redhat.com/show_bug.cgi?id=865350

https://bugzilla.redhat.com/show_bug.cgi?id=865352

https://bugzilla.redhat.com/show_bug.cgi?id=865354

https://bugzilla.redhat.com/show_bug.cgi?id=865357

https://bugzilla.redhat.com/show_bug.cgi?id=865359

https://bugzilla.redhat.com/show_bug.cgi?id=865363

https://bugzilla.redhat.com/show_bug.cgi?id=865365

https://bugzilla.redhat.com/show_bug.cgi?id=865370

https://bugzilla.redhat.com/show_bug.cgi?id=865428

https://bugzilla.redhat.com/show_bug.cgi?id=865434

https://bugzilla.redhat.com/show_bug.cgi?id=865471

https://bugzilla.redhat.com/show_bug.cgi?id=865511

https://bugzilla.redhat.com/show_bug.cgi?id=865514

https://bugzilla.redhat.com/show_bug.cgi?id=865519

https://bugzilla.redhat.com/show_bug.cgi?id=865531

https://bugzilla.redhat.com/show_bug.cgi?id=865541

https://bugzilla.redhat.com/show_bug.cgi?id=865568

Plugin Details

Severity: Medium

ID: 62615

File Name: redhat-RHSA-2012-1386.nasl

Version: 1.37

Type: local

Agent: unix

Published: 10/18/2012

Updated: 4/27/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

Vendor

Vendor Severity: Important

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2012-5088

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2012-5081

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel, cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/13/2012

Vulnerability Publication Date: 10/16/2012

CISA Known Exploited Vulnerability Due Dates: 4/18/2022

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Java Applet Method Handle Remote Code Execution)

Reference Information

CVE: CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089

BID: 56043, 56054, 56056, 56057, 56079

RHSA: 2012:1386