RHEL 6 : java-1.7.0-openjdk (RHSA-2012:1386)

medium Nessus Plugin ID 62615

Synopsis

The remote Red Hat host is missing one or more security updates for java-1.7.0-openjdk.

Description

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:1386 advisory.

- OpenJDK: java.io.FilePermission information leak (Libraries, 6631398) (CVE-2012-3216)

- OpenJDK: uninitialized Array JVM memory disclosure (Hotspot, 7198606) (CVE-2012-4416)

- OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535) (CVE-2012-5068)

- OpenJDK: Executors state handling issues (Concurrency, 7189103) (CVE-2012-5069)

- OpenJDK: EnvHelp information disclosure (JMX, 7158796) (CVE-2012-5070)

- OpenJDK: DescriptorSupport insufficient package access checks (JMX, 7192975) (CVE-2012-5071)

- OpenJDK: AccessController.doPrivilegedWithCombiner() information disclosure (Security, 7172522) (CVE-2012-5072)

- OpenJDK: LogManager security bypass (Libraries, 7169884) (CVE-2012-5073)

- OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7169887) (CVE-2012-5074)

- OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888) (CVE-2012-5075)

- OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7163198) (CVE-2012-5076)

- OpenJDK: SecureRandom mulitple seeders information disclosure (Security, 7167656) (CVE-2012-5077)

- OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919) (CVE-2012-5079)

- OpenJDK: JSSE denial of service (JSSE, 7186286) (CVE-2012-5081)

- OpenJDK: DefaultFormatter insufficient data validation (Swing, 7195194) (CVE-2012-5084)

- OpenJDK: disable Gopher support by default (Gopher, 7189567) (CVE-2012-5085)

- OpenJDK: XMLDecoder sandbox restriction bypass (Beans, 7195917) (CVE-2012-5086)

- OpenJDK: PropertyElementHandler insufficient access checks (Beans, 7195549) (CVE-2012-5087)

- OpenJDK: MethodHandle insufficient access control checks (Libraries, 7196190) (CVE-2012-5088)

- OpenJDK: RMIConnectionImpl insufficient access control checks (JMX, 7198296) (CVE-2012-5089)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL java-1.7.0-openjdk package based on the guidance in RHSA-2012:1386.

See Also

http://www.nessus.org/u?428c7e35

http://www.nessus.org/u?a62c2e98

http://www.nessus.org/u?b0eb44d4

https://access.redhat.com/errata/RHSA-2012:1386

https://access.redhat.com/security/updates/classification/#important

https://bugzilla.redhat.com/show_bug.cgi?id=856124

https://bugzilla.redhat.com/show_bug.cgi?id=865346

https://bugzilla.redhat.com/show_bug.cgi?id=865348

https://bugzilla.redhat.com/show_bug.cgi?id=865350

https://bugzilla.redhat.com/show_bug.cgi?id=865352

https://bugzilla.redhat.com/show_bug.cgi?id=865354

https://bugzilla.redhat.com/show_bug.cgi?id=865357

https://bugzilla.redhat.com/show_bug.cgi?id=865359

https://bugzilla.redhat.com/show_bug.cgi?id=865363

https://bugzilla.redhat.com/show_bug.cgi?id=865365

https://bugzilla.redhat.com/show_bug.cgi?id=865370

https://bugzilla.redhat.com/show_bug.cgi?id=865428

https://bugzilla.redhat.com/show_bug.cgi?id=865434

https://bugzilla.redhat.com/show_bug.cgi?id=865471

https://bugzilla.redhat.com/show_bug.cgi?id=865511

https://bugzilla.redhat.com/show_bug.cgi?id=865514

https://bugzilla.redhat.com/show_bug.cgi?id=865519

https://bugzilla.redhat.com/show_bug.cgi?id=865531

https://bugzilla.redhat.com/show_bug.cgi?id=865541

https://bugzilla.redhat.com/show_bug.cgi?id=865568

Plugin Details

Severity: Medium

ID: 62615

File Name: redhat-RHSA-2012-1386.nasl

Version: 1.37

Type: local

Agent: unix

Published: 10/18/2012

Updated: 4/27/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

Vendor

Vendor Severity: Important

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2012-5088

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2012-5081

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-javadoc, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-devel, cpe:/o:redhat:enterprise_linux:6, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-src, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk, p-cpe:/a:redhat:enterprise_linux:java-1.7.0-openjdk-demo

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/13/2012

Vulnerability Publication Date: 10/16/2012

CISA Known Exploited Vulnerability Due Dates: 4/18/2022

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Java Applet Method Handle Remote Code Execution)

Reference Information

CVE: CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089

BID: 56043, 56054, 56056, 56057, 56079

RHSA: 2012:1386