Ubuntu 8.10 : openjdk-6 vulnerabilities (USN-748-1)

critical Nessus Plugin ID 36366

Synopsis

The remote Ubuntu host is missing one or more security-related patches.

Description

It was discovered that font creation could leak temporary files. If a user were tricked into loading a malicious program or applet, a remote attacker could consume disk space, leading to a denial of service.
(CVE-2006-2426, CVE-2009-1100)

It was discovered that the lightweight HttpServer did not correctly close files on dataless connections. A remote attacker could send specially crafted requests, leading to a denial of service.
(CVE-2009-1101)

The Java Runtime Environment did not correctly validate certain generated code. If a user were tricked into running a malicious applet a remote attacker could execute arbitrary code. (CVE-2009-1102)

It was discovered that LDAP connections did not close correctly. A remote attacker could send specially crafted requests, leading to a denial of service. (CVE-2009-1093)

Java LDAP routines did not unserialize certain data correctly. A remote attacker could send specially crafted requests that could lead to arbitrary code execution. (CVE-2009-1094)

Java did not correctly check certain JAR headers. If a user or automated system were tricked into processing a malicious JAR file, a remote attacker could crash the application, leading to a denial of service. (CVE-2009-1095, CVE-2009-1096)

It was discovered that PNG and GIF decoding in Java could lead to memory corruption. If a user or automated system were tricked into processing a specially crafted image, a remote attacker could crash the application, leading to a denial of service. (CVE-2009-1097, CVE-2009-1098).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected packages.

See Also

https://usn.ubuntu.com/748-1/

Plugin Details

Severity: Critical

ID: 36366

File Name: ubuntu_USN-748-1.nasl

Version: 1.19

Type: local

Agent: unix

Published: 4/23/2009

Updated: 1/19/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-lib, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre-headless, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-demo, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jre, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-source, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-jdk, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-source-files, cpe:/o:canonical:ubuntu_linux:8.10, p-cpe:/a:canonical:ubuntu_linux:icedtea6-plugin, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-dbg, p-cpe:/a:canonical:ubuntu_linux:openjdk-6-doc

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/26/2009

Reference Information

CVE: CVE-2006-2426, CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102

BID: 34240

CWE: 119, 16, 189, 94

USN: 748-1