SuSE 11.2 Security Update : java-1_6_0-openjdk (SAT Patch Number 7718)

Critical Nessus Plugin ID 66538

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 9.5

Synopsis

The remote SuSE 11 host is missing one or more security updates.

Description

java-1_6_0-openjdk has been updated to version Icedtea6-1.12.5 which fixes several security issues.

Security fixes

- S6657673, CVE-2013-1518: Issues with JAXP

- S7200507: Refactor Introspector internals

- S8000724, CVE-2013-2417: Improve networking serialization

- S8001031, CVE-2013-2419: Better font processing

- S8001040, CVE-2013-1537: Rework RMI model

- S8001322: Refactor deserialization

- S8001329, CVE-2013-1557: Augment RMI logging

- S8003335: Better handling of Finalizer thread

- S8003445: Adjust JAX-WS to focus on API

- S8003543, CVE-2013-2415: Improve processing of MTOM attachments

- S8004261: Improve input validation

- S8004336, CVE-2013-2431: Better handling of method handle intrinsic frames

- S8004986, CVE-2013-2383: Better handling of glyph table

- S8004987, CVE-2013-2384: Improve font layout

- S8004994, CVE-2013-1569: Improve checking of glyph table

- S8005432: Update access to JAX-WS

- S8005943: (process) Improved Runtime.exec

- S8006309: More reliable control panel operation

- S8006435, CVE-2013-2424: Improvements in JMX

- S8006790: Improve checking for windows

- S8006795: Improve font warning messages

- S8007406: Improve accessibility of AccessBridge

- S8007617, CVE-2013-2420: Better validation of images

- S8007667, CVE-2013-2430: Better image reading

- S8007918, CVE-2013-2429: Better image writing

- S8009063, CVE-2013-2426: Improve reliability of ConcurrentHashMap

- S8009305, CVE-2013-0401: Improve AWT data transfer

- S8009699, CVE-2013-2421: Methodhandle lookup

- S8009814, CVE-2013-1488: Better driver management

- S8009857, CVE-2013-2422: Problem with plugin

- RH952389: Temporary files created with insecure permissions Backports

- S7197906: BlockOffsetArray::power_to_cards_back() needs to handle > 32 bit shifts

- S7036559: ConcurrentHashMap footprint and contention improvements

- S5102804: Memory leak in Introspector.getBeanInfo(Class) for custom BeanInfo: Class param (with WeakCache from S6397609)

- S6501644: sync LayoutEngine code structure to match ICU

- S6886358: layout code update

- S6963811: Deadlock-prone locking changes in Introspector

- S7017324: Kerning crash in JDK 7 since ICU layout update

- S7064279: Introspector.getBeanInfo() should release some resources in timely manner

- S8004302: javax/xml/soap/Test7013971.java fails since jdk6u39b01

- S7133220: Additional patches to JAXP 1.4.5 update 1 for 7u4 (partial for S6657673)

- S8009530: ICU Kern table support broken Bug fixes

- OJ3: Fix get_stack_bounds memory leak (alternate fix for S7197906)

- PR1362: Fedora 19 / rawhide FTBFS SIGILL

- PR1338: Remove dependence on libXp

- PR1339: Simplify the rhino class rewriter to avoid use of concurrency

- PR1336: Bootstrap failure on Fedora 17/18

- PR1319: Correct #ifdef to #if

- PR1402: Support glibc < 2.17 with AArch64 patch

- Give xalan/xerces access to their own internal packages.
New features

- JAXP, JAXWS &amp; JAF supplied as patches rather than drops to aid subsequent patching.

- PR1380: Add AArch64 support to Zero

Solution

Apply SAT patch number 7718.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=817157

http://support.novell.com/security/cve/CVE-2013-0401.html

http://support.novell.com/security/cve/CVE-2013-1488.html

http://support.novell.com/security/cve/CVE-2013-1518.html

http://support.novell.com/security/cve/CVE-2013-1537.html

http://support.novell.com/security/cve/CVE-2013-1557.html

http://support.novell.com/security/cve/CVE-2013-1569.html

http://support.novell.com/security/cve/CVE-2013-2383.html

http://support.novell.com/security/cve/CVE-2013-2384.html

http://support.novell.com/security/cve/CVE-2013-2415.html

http://support.novell.com/security/cve/CVE-2013-2417.html

http://support.novell.com/security/cve/CVE-2013-2419.html

http://support.novell.com/security/cve/CVE-2013-2420.html

http://support.novell.com/security/cve/CVE-2013-2421.html

http://support.novell.com/security/cve/CVE-2013-2422.html

http://support.novell.com/security/cve/CVE-2013-2424.html

http://support.novell.com/security/cve/CVE-2013-2426.html

http://support.novell.com/security/cve/CVE-2013-2429.html

http://support.novell.com/security/cve/CVE-2013-2430.html

http://support.novell.com/security/cve/CVE-2013-2431.html

Plugin Details

Severity: Critical

ID: 66538

File Name: suse_11_java-1_6_0-openjdk-130512.nasl

Version: 1.10

Type: local

Agent: unix

Published: 2013/05/22

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 9.5

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:11:java-1_6_0-openjdk, p-cpe:/a:novell:suse_linux:11:java-1_6_0-openjdk-demo, p-cpe:/a:novell:suse_linux:11:java-1_6_0-openjdk-devel, cpe:/o:novell:suse_linux:11

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2013/05/12

Exploitable With

Core Impact

Metasploit (Java Applet Driver Manager Privileged toString() Remote Code Execution)

Reference Information

CVE: CVE-2013-0401, CVE-2013-1488, CVE-2013-1518, CVE-2013-1537, CVE-2013-1557, CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2415, CVE-2013-2417, CVE-2013-2419, CVE-2013-2420, CVE-2013-2421, CVE-2013-2422, CVE-2013-2424, CVE-2013-2426, CVE-2013-2429, CVE-2013-2430, CVE-2013-2431