Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2012-88)

critical Nessus Plugin ID 69695

Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

Multiple flaws were discovered in the CORBA (Common Object Request Broker Architecture) implementation in Java. A malicious Java application or applet could use these flaws to bypass Java sandbox restrictions or modify immutable object data. (CVE-2012-1711 , CVE-2012-1719)

It was discovered that the SynthLookAndFeel class from Swing did not properly prevent access to certain UI elements from outside the current application context. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine, or bypass Java sandbox restrictions. (CVE-2012-1716)

Multiple flaws were discovered in the font manager's layout lookup implementation. A specially crafted font file could cause the Java Virtual Machine to crash or, possibly, execute arbitrary code with the privileges of the user running the virtual machine. (CVE-2012-1713)

Multiple flaws were found in the way the Java HotSpot Virtual Machine verified the bytecode of the class file to be executed. A specially crafted Java application or applet could use these flaws to crash the Java Virtual Machine, or bypass Java sandbox restrictions.
(CVE-2012-1723 , CVE-2012-1725)

It was discovered that the Java XML parser did not properly handle certain XML documents. An attacker able to make a Java application parse a specially crafted XML file could use this flaw to make the XML parser enter an infinite loop. (CVE-2012-1724)

It was discovered that the Java security classes did not properly handle Certificate Revocation Lists (CRL). CRL containing entries with duplicate certificate serial numbers could have been ignored.
(CVE-2012-1718)

It was discovered that various classes of the Java Runtime library could create temporary files with insecure permissions. A local attacker could use this flaw to gain access to the content of such temporary files. (CVE-2012-1717)

Solution

Run 'yum update java-1.6.0-openjdk' to update your system.

See Also

https://alas.aws.amazon.com/ALAS-2012-88.html

Plugin Details

Severity: Critical

ID: 69695

File Name: ala_ALAS-2012-88.nasl

Version: 1.9

Type: local

Agent: unix

Published: 9/4/2013

Updated: 3/8/2022

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:java-1.6.0-openjdk-demo, p-cpe:/a:amazon:linux:java-1.6.0-openjdk-src, p-cpe:/a:amazon:linux:java-1.6.0-openjdk, p-cpe:/a:amazon:linux:java-1.6.0-openjdk-devel, cpe:/o:amazon:linux, p-cpe:/a:amazon:linux:java-1.6.0-openjdk-javadoc, p-cpe:/a:amazon:linux:java-1.6.0-openjdk-debuginfo

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/19/2012

CISA Known Exploited Vulnerability Due Dates: 3/24/2022

Exploitable With

Core Impact

Metasploit (Java Applet Field Bytecode Verifier Cache Remote Code Execution)

Reference Information

CVE: CVE-2012-1711, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1723, CVE-2012-1724

ALAS: 2012-88

RHSA: 2012:0729