Detections
Analytics
Scientific Linux Security Update : icedtea-web on SL6.x i386/x86_64 (20130417)
medium Nessus Plugin ID 66017
Language:
Synopsis
The remote Scientific Linux host is missing one or more security updates.Description
It was discovered that the IcedTea-Web plug-in incorrectly used the same class loader instance for applets with the same value of the codebase attribute, even when they originated from different domains.A malicious applet could use this flaw to gain information about and possibly manipulate applets from different domains currently running in the browser. (CVE-2013-1926)
The IcedTea-Web plug-in did not properly check the format of the downloaded Java Archive (JAR) files. This could cause the plug-in to execute code hidden in a file in a different format, possibly allowing attackers to execute code in the context of websites that allow uploads of specific file types, known as a GIFAR attack.
(CVE-2013-1927)
This erratum also upgrades IcedTea-Web to version 1.2.3.
Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect.
Solution
Update the affected icedtea-web, icedtea-web-debuginfo and / or icedtea-web-javadoc packages.See Also
Plugin Details
Severity: Medium
ID: 66017
File Name: sl_20130417_icedtea_web_on_SL6_x.nasl
Version: 1.6
Type: local
Agent: unix
Published: 4/18/2013
Updated: 1/14/2021
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
Vulnerability Information
CPE: p-cpe:/a:fermilab:scientific_linux:icedtea-web, p-cpe:/a:fermilab:scientific_linux:icedtea-web-debuginfo, p-cpe:/a:fermilab:scientific_linux:icedtea-web-javadoc, x-cpe:/o:fermilab:scientific_linux
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Patch Publication Date: 4/17/2013
Vulnerability Publication Date: 4/29/2013
Reference Information
CVE: CVE-2013-1926, CVE-2013-1927