openSUSE Security Update : java-1_6_0-openjdk (java-1_6_0-openjdk-1613)

high Nessus Plugin ID 42923

Synopsis

The remote openSUSE host is missing a security update.

Description

New icedtea update to fix :

- ICC_Profile file existence detection information leak;
CVE-2009-3728: CVSS v2 Base Score: 5.0

- BMP parsing DoS with UNC ICC links; CVE-2009-3885: CVSS v2 Base Score: 5.0

- resurrected classloaders can still have children;
CVE-2009-3881: CVSS v2 Base Score: 7.5

- Numerous static security flaws in Swing; CVE-2009-3882:
CVSS v2 Base Score: 7.5

- Mutable statics in Windows PL&F; CVE-2009-3883: CVSS v2 Base Score: 7.5

- UI logging information leakage; CVE-2009-3880: CVSS v2 Base Score: 5.0

- GraphicsConfiguration information leak; CVE-2009-3879:
CVSS v2 Base Score: 7.5

- zoneinfo file existence information leak; CVE-2009-3884:
CVSS v2 Base Score: 5.0

- deprecate MD2 in SSL cert validation; CVE-2009-2409:
CVSS v2 Base Score: 6.4

- JPEG Image Writer quantization problem; CVE-2009-3873:
CVSS v2 Base Score: 9.3

- MessageDigest.isEqual introduces timing attack vulnerabilities; CVE-2009-3875: CVSS v2 Base Score: 5.0

- OpenJDK ASN.1/DER input stream parser denial of service;
CVE-2009-3876,CVE-2009-3877: CVSS v2 Base Score: 5.0

- JRE AWT setDifflCM stack overflow; CVE-2009-3869: CVSS v2 Base Score: 9.3

- ImageI/O JPEG heap overflow; CVE-2009-3874: CVSS v2 Base Score: 9.3

- JRE AWT setBytePixels heap overflow; CVE-2009-3871: CVSS v2 Base Score: 9.3

Solution

Update the affected java-1_6_0-openjdk packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=554069

Plugin Details

Severity: High

ID: 42923

File Name: suse_11_1_java-1_6_0-openjdk-091125.nasl

Version: 1.14

Type: local

Agent: unix

Published: 11/30/2009

Updated: 1/14/2021

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:java-1_6_0-openjdk, p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-demo, p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-devel, p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-javadoc, p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-plugin, p-cpe:/a:novell:opensuse:java-1_6_0-openjdk-src, cpe:/o:novell:opensuse:11.1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/25/2009

Exploitable With

Core Impact

Metasploit (Sun Java JRE AWT setDiffICM Buffer Overflow)

Reference Information

CVE: CVE-2009-2409, CVE-2009-3728, CVE-2009-3869, CVE-2009-3871, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877, CVE-2009-3879, CVE-2009-3880, CVE-2009-3881, CVE-2009-3882, CVE-2009-3883, CVE-2009-3884, CVE-2009-3885

CWE: 119, 189, 200, 22, 264, 310, 399