openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:0377-1)

Critical Nessus Plugin ID 74907


VPR Score: 6.7

Synopsis

The remote openSUSE host is missing a security update.

Description

java-1_7_0-openjdk was updated to icedtea-2.3.6 (bnc#803379), containing various security and bug fixes :

- Security fixes

- S6563318, CVE-2013-0424: RMI data sanitization

- S6664509, CVE-2013-0425: Add logging context

- S6664528, CVE-2013-0426: Find log level matching its name or value given at construction time

- S6776941, CVE-2013-0427: Improve thread pool shutdown

- S7141694, CVE-2013-0429: Improving CORBA internals

- S7173145: Improve in-memory representation of splashscreens

- S7186945: Unpack200 improvement

- S7186946: Refine unpacker resource usage

- S7186948: Improve Swing data validation

- S7186952, CVE-2013-0432: Improve clipboard access

- S7186954: Improve connection performance

- S7186957: Improve Pack200 data validation

- S7192392, CVE-2013-0443: Better validation of client keys

- S7192393, CVE-2013-0440: Better Checking of order of TLS Messages

- S7192977, CVE-2013-0442: Issue in toolkit thread

- S7197546, CVE-2013-0428: (proxy) Reflect about creating reflective proxies

- S7200491: Tighten up JTable layout code

- S7200493, CVE-2013-0444: Improve cache handling

- S7200499: Better data validation for options

- S7200500: Launcher better input validation

- S7201064: Better dialogue checking

- S7201066, CVE-2013-0441: Change modifiers on unused fields

- S7201068, CVE-2013-0435: Better handling of UI elements

- S7201070: Serialization to conform to protocol

- S7201071, CVE-2013-0433: InetSocketAddress serialization issue

- S8000210: Improve JarFile code quality

- S8000537, CVE-2013-0450: Contextualize RequiredModelMBean class

- S8000539, CVE-2013-0431: Introspect JMX data handling

- S8000540, CVE-2013-1475: Improve IIOP type reuse management

- S8000631, CVE-2013-1476: Restrict access to class constructor

- S8001235, CVE-2013-0434: Improve JAXP HTTP handling

- S8001242: Improve RMI HTTP conformance

- S8001307: Modify ACC_SUPER behavior

- S8001972, CVE-2013-1478: Improve image processing

- S8002325, CVE-2013-1480: Improve management of images

- Backports

- S7057320: test/java/util/concurrent/Executors/AutoShutdown.java failing intermittently

- S7083664: TEST_BUG: test hard code of using c:/temp but this dir might not exist

- S7107613: scalability blocker in javax.crypto.CryptoPermissions

- S7107616: scalability blocker in javax.crypto.JceSecurityManager

- S7146424: Wildcard expansion for single entry classpath

- S7160609: [macosx] JDK crash in libjvm.dylib ( C [GeForceGLDriver+0x675a] gldAttachDrawable+0x941)

- S7160951: [macosx] ActionListener called twice for JMenuItem using ScreenMenuBar

- S7162488: VM not printing unknown -XX options

- S7169395: Exception throws due to the changes in JDK 7 object traversal and break backward compatibility

- S7175616: Port fix for TimeZone from JDK 8 to JDK 7

- S7176485: (bf) Allow temporary buffer cache to grow to IOV_MAX

- S7179908: Fork hs23.3 hsx from hs22.2 for jdk7u7 and reinitialize build number

- S7184326: TEST_BUG: java/awt/Frame/7024749/bug7024749.java has a typo

- S7185245: Licensee source bundle tries to compile JFR

- S7185471: Avoid key expansion when AES cipher is re-init w/ the same key

- S7186371: [macosx] Main menu shortcuts not displayed (7u6 regression)

- S7187834: [macosx] Usage of private API in macosx 2d implementation causes Apple Store rejection

- S7188114: (launcher) need an alternate command line parser for Windows

- S7189136: Fork hs23.5 hsx from hs23.4 for jdk7u9 and reinitialize build number

- S7189350: Fix failed for CR 7162144

- S7190550: REGRESSION: Some closed/com/oracle/jfr/api tests fail to compile because of fix 7185245

- S7193219: JComboBox serialization fails in JDK 1.7

- S7193977: REGRESSION: Java 7's JavaBeans persistence ignoring the 'transient' flag on properties

- S7195106: REGRESSION : There is no way to get Icon inf, once Softreference is released

- S7195301: XML Signature DOM implementation should not use instanceof to determine type of Node

- S7195931: UnsatisfiedLinkError on PKCS11.C_GetOperationState while using NSS from jre7u6+

- S7197071: Makefiles for various security providers aren't including the default manifest.

- S7197652: Impossible to run any signed JNLP applications or applets, OCSP off by default

- S7198146: Another new regression test does not compile on windows-amd64

- S7198570: (tz) Support tzdata2012f

- S7198640: new hotspot build - hs23.6-b04

- S7199488: [TEST] runtime/7158800/InternTest.java failed due to false-positive on PID match.

- S7199645: Increment build # of hs23.5 to b02

- S7199669: Update tags in .hgtags file for CPU release rename

- S7200720: crash in net.dll during NTLM authentication

- S7200742: (se) Selector.select does not block when starting Coherence (sol11u1)

- S7200762: [macosx] Stuck in sun.java2d.opengl.CGLGraphicsConfig.getMaxTextureSize(Native Method)

- S8000285: Deadlock between PostEventQueue.noEvents, EventQueue.isDispatchThread and SwingUtilities.invokeLater

- S8000286: [macosx] Views keep scrolling back to the drag position after DnD

- S8000297: REGRESSION: closed/java/awt/EventQueue/PostEventOrderingTest.java fails

- S8000307: Jre7cert: focusgained does not get called for all focus req when do alt + tab

- S8000822: Fork hs23.7 hsx from hs23.6 for jdk7u11 and reinitialize build number

- S8001124: jdk7u ProblemList.txt updates (10/2012)

- S8001242: Improve RMI HTTP conformance

- S8001808: Create a test for 8000327

- S8001876: Create regtest for 8000283

- S8002068: Build broken: corba code changes unable to use new JDK 7 classes

- S8002091: tools/launcher/ToolsOpts.java test started to fail since 7u11 b01 on Windows

- S8002114: fix failed for JDK-7160951: [macosx] ActionListener called twice for JMenuItem using ScreenMenuBar

- S8002225: (tz) Support tzdata2012i

- S8003402: (dc) test/java/nio/channels/DatagramChannel/SendToUnresovled.java failing after 7u11 cleanup issues

- S8003403: Test ShortRSAKeyWithinTLS and ClientJSSEServerJSSE failing after 7u11 cleanup

- S8003948: NTLM/Negotiate authentication problem

- S8004175: Restricted packages added in java.security are missing in java.security-(macosx, solaris, windows)

- S8004302: javax/xml/soap/Test7013971.java fails since jdk6u39b01

- S8004341: Two JCK tests fails with 7u11 b06

- S8005615: Java Logger fails to load tomcat logger implementation (JULI)

- Bug fixes

- Fix build using Zero's HotSpot so all patches apply again.

- PR1295: jamvm parallel unpack failure

- removed icedtea-2.3.2-fix-extract-jamvm-dependency.patch

- removed icedtea-2.3.3-refresh-6924259-string_offset.patch

- a few missing /openjdk/%(origin)/ changes

Solution

Update the affected java-1_7_0-openjdk packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=803379

https://lists.opensuse.org/opensuse-updates/2013-03/msg00003.html

Plugin Details

Severity: Critical

ID: 74907

File Name: openSUSE-2013-165.nasl

Version: 1.7

Type: local

Agent: unix

Published: 2014/06/13

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Critical

VPR Score: 6.7

CVSS v2.0

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:java-1_7_0-openjdk, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src, cpe:/o:novell:opensuse:12.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2013/02/21

Vulnerability Publication Date: 2013/01/31

Exploitable With

Core Impact

Metasploit (Java Applet JMX Remote Code Execution)

Reference Information

CVE: CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0429, CVE-2013-0431, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0444, CVE-2013-0450, CVE-2013-1475, CVE-2013-1476, CVE-2013-1478, CVE-2013-1480