RHEL 4 / 5 : java-1.6.0-ibm (RHSA-2008:0906)

critical Nessus Plugin ID 40728

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary.

This update has been rated as having critical security impact by the Red Hat Security Response Team.

The IBM 1.6.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit.

A flaw was found in the Java Management Extensions (JMX) management agent. When local monitoring is enabled, remote attackers could use this flaw to perform illegal operations. (CVE-2008-3103)

Several flaws involving the handling of unsigned applets were found. A remote attacker could misuse an unsigned applet in order to connect to services on the host running the applet. (CVE-2008-3104)

Several flaws in the Java API for XML Web Services (JAX-WS) client and the JAX-WS service implementation were found. A remote attacker who could cause malicious XML to be processed by an application could access URLs, or cause a denial of service. (CVE-2008-3105, CVE-2008-3106)

Several flaws within the Java Runtime Environment (JRE) scripting support were found. A remote attacker could grant an untrusted applet extended privileges, such as reading and writing local files, executing local programs, or querying the sensitive data of other applets. (CVE-2008-3109, CVE-2008-3110)

A flaw in Java Web Start was found. Using an untrusted Java Web Start application, a remote attacker could create or delete arbitrary files with the permissions of the user running the untrusted application.
(CVE-2008-3112)

A flaw in Java Web Start when processing untrusted applications was found. An attacker could use this flaw to acquire sensitive information, such as the location of the cache. (CVE-2008-3114)

All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.6.0 SR2 Java release, which resolves these issues.

Solution

Update the affected packages.

See Also

https://access.redhat.com/security/cve/cve-2008-3103

https://access.redhat.com/security/cve/cve-2008-3104

https://access.redhat.com/security/cve/cve-2008-3105

https://access.redhat.com/security/cve/cve-2008-3106

https://access.redhat.com/security/cve/cve-2008-3109

https://access.redhat.com/security/cve/cve-2008-3110

https://access.redhat.com/security/cve/cve-2008-3112

https://access.redhat.com/security/cve/cve-2008-3114

https://www.ibm.com/us-en/?ar=1

https://access.redhat.com/errata/RHSA-2008:0906

Plugin Details

Severity: Critical

ID: 40728

File Name: redhat-RHSA-2008-0906.nasl

Version: 1.28

Type: local

Agent: unix

Published: 8/24/2009

Updated: 1/14/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-accessibility, cpe:/o:redhat:enterprise_linux:5, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-src, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-javacomm, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-plugin, cpe:/o:redhat:enterprise_linux:4, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-demo, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-devel, cpe:/o:redhat:enterprise_linux:4.6, cpe:/o:redhat:enterprise_linux:5.2, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-ibm-jdbc

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/24/2008

Vulnerability Publication Date: 7/9/2008

Exploitable With

CANVAS (D2ExploitPack)

Reference Information

CVE: CVE-2008-3103, CVE-2008-3104, CVE-2008-3105, CVE-2008-3106, CVE-2008-3109, CVE-2008-3110, CVE-2008-3112, CVE-2008-3114

CWE: 200, 264

RHSA: 2008:0906