RHEL 5 : java-1.6.0-openjdk (RHSA-2012:1385)

medium Nessus Plugin ID 62614

Language:

Synopsis

The remote Red Hat host is missing one or more security updates for java-1.6.0-openjdk.

Description

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1385 advisory.

- OpenJDK: java.io.FilePermission information leak (Libraries, 6631398) (CVE-2012-3216)

- OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606) (CVE-2012-4416)

- OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535) (CVE-2012-5068)

- OpenJDK: Executors state handling issues (Concurrency, 7189103) (CVE-2012-5069)

- OpenJDK: DescriptorSupport insufficient package access checks (JMX, 7192975) (CVE-2012-5071)

- OpenJDK: AccessController.doPrivilegedWithCombiner() information disclosure (Security, 7172522) (CVE-2012-5072)

- OpenJDK: LogManager security bypass (Libraries, 7169884) (CVE-2012-5073)

- OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888) (CVE-2012-5075)

- OpenJDK: SecureRandom mulitple seeders information disclosure (Security, 7167656) (CVE-2012-5077)

- OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919) (CVE-2012-5079)

- OpenJDK: JSSE denial of service (JSSE, 7186286) (CVE-2012-5081)

- OpenJDK: DefaultFormatter insufficient data validation (Swing, 7195194) (CVE-2012-5084)

- OpenJDK: disable Gopher support by default (Gopher, 7189567) (CVE-2012-5085)

- OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917) (CVE-2012-5086)

- OpenJDK: RMIConnectionImpl insufficient access control checks (JMX, 7198296) (CVE-2012-5089)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL java-1.6.0-openjdk package based on the guidance in RHSA-2012:1385.

Plugin Details

Severity: Medium

ID: 62614

File Name: redhat-RHSA-2012-1385.nasl

Version: 1.28

Type: local

Agent: unix

Family: Red Hat Local Security Checks

Published: 10/18/2012

Updated: 4/27/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2012-5086

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2012-5081

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-demo, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-devel, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-javadoc, p-cpe:/a:redhat:enterprise_linux:java-1.6.0-openjdk-src, cpe:/o:redhat:enterprise_linux:5

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/17/2012

Reference Information

CVE: CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5089

RHSA: 2012:1385

Detections

Analytics