openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2012:1154-1)

critical Nessus Plugin ID 74748

Synopsis

The remote openSUSE host is missing a security update.

Description

Java-1_7_0-openjdk was updated to fix a remote exploit (CVE-2012-4681).

The following bug fixes were also made:

- fix build on ARM and i586

- remove files that are no longer used

- zero build can be enabled using rpmbuild (osc build) --with zero

- add hotspot 2.1 needed for zero

- fix filelist on %(ix86)

- Security fixes

- S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder

- S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects

- S7163201, CVE-2012-0547: Simplify toolkit internals references

- RH852051, CVE-2012-4681, S7162473: Reintroduce PackageAccessible checks removed in 6788531.

- OpenJDK

- Fix Zero FTBFS issues with 2.3

- S7180036: Build failure in Mac platform caused by fix # 7163201

- S7182135: Impossible to use some editors directly

- S7183701: [TEST] closed/java/beans/security/TestClassFinder.java – compilation failed

- S7185678: java/awt/Menu/NullMenuLabelTest/NullMenuLabelTest.java failed with NPE

- Bug fixes

- PR1149: Zero-specific patch files not being packaged

- use icedtea tarball for build again; this led to the following files being dropped because they are already in the tarball, and simplified %prep and %build

- drop class-rewriter.tar.gz

- drop systemtap-tapset.tar.gz

- drop desktop-files.tar.gz

- drop nss.cfg

- drop pulseaudio.tar.gz

- drop remove-intree-libraries.sh

- add archives from icedtea7-forest-2.3 for openjdk, corba, jaxp, jaxws, jdk, langtools and hotspot

- drop rhino.patch, pulse-soundproperties and systemtap patch

- move gnome bridge patches before make as it's irritating to have the patch fail after openjdk is built

- use explicit file attributes in %files sections to prevent file permission problems in the future (like bnc#770040)

- changed version scheme, so it now matches Oracle Java 1.7.0.6 == Java7 u 6

- update to icedtea-2.3.1 / OpenJDK7 u6 (bnc#777499)

- Security fixes

- RH852051, CVE-2012-4681: Reintroduce PackageAccessible checks removed in 6788531.

- Bug fixes

- PR902: PulseAudioClip getMicrosecondsLength() returns length in milliseconds, not microseconds

- PR986: IcedTea7 fails to build with IcedTea6 CACAO due to low max heapsize

- PR1050: Stream objects not garbage collected

- PR1119: Only add classes to rt-source-files.txt if the class (or one or more of its methods/fields) are actually missing from the boot JDK

- PR1137: Allow JARs to be optionally compressed by setting COMPRESS_JARS

- OpenJDK

- Make dynamic support for GConf work again.

- PR1095: Add configure option for -Werror

- PR1101: Undefined symbols on GNU/Linux SPARC

- PR1140: Unnecessary diz files should not be installed

- S7192804, PR1138: Build should not install jvisualvm man page for OpenJDK

- JamVM

- ARMv6 armhf: Changes for Raspbian (Raspberry Pi)

- PPC: Don't use lwsync if it isn't supported

- X86: Generate machine-dependent stubs for i386

- When suspending, ignore detached threads that have died; this prevents a user-caused deadlock when an external thread has been attached to the VM via JNI and it has exited without detaching

- Add missing REF_TO_OBJs for references passed from JNI; this enables JamVM to run Qt-Jambi

- there are a number of fixes in 2.3; see NEWS

Solution

Update the affected java-1_7_0-openjdk packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=770040

https://bugzilla.novell.com/show_bug.cgi?id=777499

https://lists.opensuse.org/opensuse-updates/2012-09/msg00052.html

Plugin Details

Severity: Critical

ID: 74748

File Name: openSUSE-2012-592.nasl

Version: 1.7

Type: local

Agent: unix

Published: 6/13/2014

Updated: 3/8/2022

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src, cpe:/o:novell:opensuse:12.2, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/7/2012

Vulnerability Publication Date: 8/28/2012

CISA Known Exploited Vulnerability Due Dates: 3/24/2022

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Java 7 Applet Remote Code Execution)

Reference Information

CVE: CVE-2012-0547, CVE-2012-1682, CVE-2012-3136, CVE-2012-4681

BID: 55213, 55336, 55337, 55339