Debian DSA-2358-1 : openjdk-6 - several vulnerabilities (BEAST)

critical Nessus Plugin ID 57499

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Java platform. This combines the two previous openjdk-6 advisories, DSA-2311-1 and DSA-2356-1.

- CVE-2011-0862 Integer overflow errors in the JPEG and font parser allow untrusted code (including applets) to elevate its privileges.

- CVE-2011-0864 Hotspot, the just-in-time compiler in OpenJDK, mishandled certain byte code instructions, allowing untrusted code (including applets) to crash the virtual machine.

- CVE-2011-0865 A race condition in signed object deserialization could allow untrusted code to modify signed content, apparently leaving its signature intact.

- CVE-2011-0867 Untrusted code (including applets) could access information about network interfaces which was not intended to be public. (Note that the interface MAC address is still available to untrusted code.)

- CVE-2011-0868 A float-to-long conversion could overflow, allowing untrusted code (including applets) to crash the virtual machine.

- CVE-2011-0869 Untrusted code (including applets) could intercept HTTP requests by reconfiguring proxy settings through a SOAP connection.

- CVE-2011-0871 Untrusted code (including applets) could elevate its privileges through the Swing MediaTracker code.

- CVE-2011-3389 The TLS implementation does not guard properly against certain chosen-plaintext attacks when block ciphers are used in CBC mode.

- CVE-2011-3521 The CORBA implementation contains a deserialization vulnerability in the IIOP implementation, allowing untrusted Java code (such as applets) to elevate its privileges.

- CVE-2011-3544 The Java scripting engine lacks necessary security manager checks, allowing untrusted Java code (such as applets) to elevate its privileges.

- CVE-2011-3547 The skip() method in java.io.InputStream uses a shared buffer, allowing untrusted Java code (such as applets) to access data that is skipped by other code.

- CVE-2011-3548 The java.awt.AWTKeyStroke class contains a flaw which allows untrusted Java code (such as applets) to elevate its privileges.

- CVE-2011-3551 The Java2D C code contains an integer overflow which results in a heap-based buffer overflow, potentially allowing untrusted Java code (such as applets) to elevate its privileges.

- CVE-2011-3552 Malicous Java code can use up an excessive amount of UDP ports, leading to a denial of service.

- CVE-2011-3553 JAX-WS enables stack traces for certain server responses by default, potentially leaking sensitive information.

- CVE-2011-3554 JAR files in pack200 format are not properly checked for errors, potentially leading to arbitrary code execution when unpacking crafted pack200 files.

- CVE-2011-3556 The RMI Registry server lacks access restrictions on certain methods, allowing a remote client to execute arbitary code.

- CVE-2011-3557 The RMI Registry server fails to properly restrict privileges of untrusted Java code, allowing RMI clients to elevate their privileges on the RMI Registry server.

- CVE-2011-3560 The com.sun.net.ssl.HttpsURLConnection class does not perform proper security manager checks in the setSSLSocketFactory() method, allowing untrusted Java code to bypass security policy restrictions.

Solution

Upgrade the openjdk-6 packages.

For the oldstable distribution (lenny), these problems have been fixed in version 6b18-1.8.10-0~lenny2.

See Also

https://security-tracker.debian.org/tracker/CVE-2011-0862

https://security-tracker.debian.org/tracker/CVE-2011-0864

https://security-tracker.debian.org/tracker/CVE-2011-0865

https://security-tracker.debian.org/tracker/CVE-2011-0867

https://security-tracker.debian.org/tracker/CVE-2011-0868

https://security-tracker.debian.org/tracker/CVE-2011-0869

https://security-tracker.debian.org/tracker/CVE-2011-0871

https://security-tracker.debian.org/tracker/CVE-2011-3389

https://security-tracker.debian.org/tracker/CVE-2011-3521

https://security-tracker.debian.org/tracker/CVE-2011-3544

https://security-tracker.debian.org/tracker/CVE-2011-3547

https://security-tracker.debian.org/tracker/CVE-2011-3548

https://security-tracker.debian.org/tracker/CVE-2011-3551

https://security-tracker.debian.org/tracker/CVE-2011-3552

https://security-tracker.debian.org/tracker/CVE-2011-3553

https://security-tracker.debian.org/tracker/CVE-2011-3554

https://security-tracker.debian.org/tracker/CVE-2011-3556

https://security-tracker.debian.org/tracker/CVE-2011-3557

https://security-tracker.debian.org/tracker/CVE-2011-3560

https://www.debian.org/security/2011/dsa-2358

Plugin Details

Severity: Critical

ID: 57499

File Name: debian_DSA-2358.nasl

Version: 1.20

Type: local

Agent: unix

Published: 1/12/2012

Updated: 12/5/2022

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:openjdk-6, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/5/2011

Vulnerability Publication Date: 6/14/2011

CISA Known Exploited Vulnerability Due Dates: 3/24/2022

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Java RMI Server Insecure Default Configuration Java Code Execution)

Reference Information

CVE: CVE-2011-0862, CVE-2011-0864, CVE-2011-0865, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-3389, CVE-2011-3521, CVE-2011-3544, CVE-2011-3547, CVE-2011-3548, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560

BID: 48137, 48139, 48140, 48142, 48144, 48146, 48147, 49778, 50211, 50215, 50216, 50218, 50224, 50231, 50234, 50236, 50243, 50246, 50248

DSA: 2358