Detections
Analytics

openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2013:1288-1)

critical Nessus Plugin ID 75101

Language:

Synopsis

The remote openSUSE host is missing a security update.

Description

java-1_7_0-openjdk was updated to icedtea-2.4.1 (bnc#828665)

- Security fixes

 - S6741606, CVE-2013-2407: Integrate Apache Santuario

 - S7158805, CVE-2013-2445: Better rewriting of nested subroutine calls

 - S7170730, CVE-2013-2451: Improve Windows network stack support.

 - S8000638, CVE-2013-2450: Improve deserialization

 - S8000642, CVE-2013-2446: Better handling of objects for transportation

 - S8001032: Restrict object access

 - S8001033, CVE-2013-2452: Refactor network address handling in virtual machine identifiers

 - S8001034, CVE-2013-1500: Memory management improvements

 - S8001038, CVE-2013-2444: Resourcefully handle resources

 - S8001043: Clarify definition restrictions

 - S8001308: Update display of applet windows

 - S8001309: Better handling of annotation interfaces

 - S8001318, CVE-2013-2447: Socket.getLocalAddress not consistent with InetAddress.getLocalHost

 - S8001330, CVE-2013-2443: Improve on checking order (non-Zero builds only)

 - S8003703, CVE-2013-2412: Update RMI connection dialog box

 - S8004288, CVE-2013-2449: (fs) Files.probeContentType problems

 - S8004584: Augment applet contextualization

 - S8005007: Better glyph processing

 - S8006328, CVE-2013-2448: Improve robustness of sound classes

 - S8006611: Improve scripting

 - S8007467: Improve robustness of JMX internal APIs

 - S8007471: Improve MBean notifications

 - S8007812, CVE-2013-2455: (reflect) Class.getEnclosingMethod problematic for some classes

 - S8007925: Improve cmsStageAllocLabV2ToV4curves

 - S8007926: Improve cmsPipelineDup

 - S8007927: Improve cmsAllocProfileSequenceDescription

 - S8007929: Improve CurvesAlloc

 - S8008120, CVE-2013-2457: Improve JMX class checking

 - S8008124, CVE-2013-2453: Better compliance testing

 - S8008128: Better API coherence for JMX

 - S8008132, CVE-2013-2456: Better serialization support

 - S8008585: Better JMX data handling

 - S8008593: Better URLClassLoader resource management

 - S8008603: Improve provision of JMX providers

 - S8008607: Better input checking in JMX

 - S8008611: Better handling of annotations in JMX

 - S8008615: Improve robustness of JMX internal APIs

 - S8008623: Better handling of MBeanServers

 - S8008744, CVE-2013-2407: Rework part of fix for JDK-6741606

 - S8008982: Adjust JMX for underlying interface changes

 - S8009004: Better implementation of RMI connections

 - S8009008: Better manage management-api

 - S8009013: Better handling of T2K glyphs

 - S8009034: Improve resulting notifications in JMX

 - S8009038: Improve JMX notification support

 - S8009057, CVE-2013-2448: Improve MIDI event handling

 - S8009067: Improve storing keys in KeyStore

 - S8009071, CVE-2013-2459: Improve shape handling

 - S8009235: Improve handling of TSA data

 - S8009424, CVE-2013-2458: Adapt Nashorn to JSR-292 implementation change

 - S8009554, CVE-2013-2454: Improve SerialJavaObject.getFields

 - S8009654: Improve stability of cmsnamed

 - S8010209, CVE-2013-2460: Better provision of factories

 - S8011243, CVE-2013-2470: Improve ImagingLib

 - S8011248, CVE-2013-2471: Better Component Rasters

 - S8011253, CVE-2013-2472: Better Short Component Rasters

 - S8011257, CVE-2013-2473: Better Byte Component Rasters

 - S8012375, CVE-2013-1571: Improve Javadoc framing

 - S8012421: Better positioning of PairPositioning

 - S8012438, CVE-2013-2463: Better image validation

 - S8012597, CVE-2013-2465: Better image channel verification

 - S8012601, CVE-2013-2469: Better validation of image layouts

 - S8014281, CVE-2013-2461: Better checking of XML signature

 - S8015997: Additional improvement in Javadoc framing

 - OpenJDK

 - list to long, please consult NEWS file

 - java-1.7.0-openjdk-zero-arch.patch: fix detection of zero arch

 - ignore rhino dependencies during a build to prevent a build cycle

- update to icedtea-2.4.0 (based on oracle jdk7u40)

 - OpenJDK (see NEWS for full listing)

 - PR1209, S7170638: Use DTRACE_PROBE[N] in JNI Set and SetStatic Field.

 - PR1206, S7201205: Add Makefile configuration option to build with unlimited crypto in OpenJDK

 - Backports

 - PR1197, S8003120, RH868136:
 ResourceManager.getApplicationResources() does not close InputStreams

 - S8014618, RH962568: Need to strip leading zeros in TlsPremasterSecret of DHKeyAgreement

 - Bug fixes

 - PR1212: IcedTea7 fails to build because Resources.getText() is no longer available for code to use

 - Add NSS (commented out) to other platforms.

 - Allow multiple PKCS11 library initialisation to be a non-critical error.

 - Complete switch from local zlib patch to upstream version.

 - Include defs.make in buildtree.make so ZERO_BUILD is recognised and JVM_VARIANT_ZERO set.

 - Provide support for using PKCS11 provider with NSS

 - Remove file apparently removed as part of upstreaming of Zero.

 - Revert 7060849

 - Set UNLIMITED_CRYPTO=true to ensure we use the unlimited policy.

 - PR473: Set handleStartupErrors to ignoreMultipleInitialisation in nss.cfg

 - PR716: IcedTea7 should bootstrap with IcedTea6

 - Expand java.security.cert.* imports to avoid conflict when building with OpenJDK 6.

 - Fix indentation on Makefile block not executed when STRIP_POLICY=no_strip is set

 - Fix invalid XSL stylesheets and DTD introduced as part of JEP 167.

 - Include defs.make in buildtree.make so ZERO_BUILD is recognised and JVM_VARIANT_ZERO set.

 - Make sure libffi cflags and libs are used.

 - PR1378: Add AArch64 support to Zero

 - PR1170: Ensure unlimited crypto policy is in place.

 - RH513605, PR1280: Updating/Installing OpenJDK should recreate the shared class-data archive

 - PR1358: Make XRender mandatory

 - PR1360: Check for /usr/lib64 JVMs and generic JPackage alternative

 - PR1435, D657854: OpenJDK 7 returns incorrect TrueType font metrics

 - PR728: GTKLookAndFeel does not honor gtk-alternative-button-order

 - JamVM

 - JSR 335: (lambda expressions) initial hack

 - JEP 171: Implement fence methods in sun.misc.Unsafe

 - Fix invokesuper check in invokespecial opcode

 - Fix non-direct interpreter invokespecial super-class check

 - When GC'ing a native method don't try to free code

 - Do not free unprepared Miranda method code data

 - Set anonymous class protection domain

 - JVM_IsVMGeneratedMethodIx stub

 - Dummy implementation of sun.misc.Perf natives

 - separate vm for zero is no longer needed

 - drop java-1.7.0-openjdk-aarch64.patch (upstream: PR1378)

 - fix bnc#781690c#11 - setup JAVA_HOME in posttrans, so certificates will be created by this JVM

 - fix the postrans conditions (add missing prefiX)

 - relax build requires, so every java-devel >= 1.7.0 can match

Solution

Update the affected java-1_7_0-openjdk packages.

See Also

https://bugzilla.novell.com/show_bug.cgi?id=781690

https://bugzilla.novell.com/show_bug.cgi?id=828665

https://lists.opensuse.org/opensuse-updates/2013-08/msg00001.html

Plugin Details

Severity: Critical

ID: 75101

File Name: openSUSE-2013-622.nasl

Version: 1.5

Type: local

Agent: unix

Published: 6/13/2014

Updated: 3/29/2022

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.8

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-javadoc, cpe:/o:novell:opensuse:12.3, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-src, cpe:/o:novell:opensuse:12.2, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-debugsource, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel-debuginfo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-devel, p-cpe:/a:novell:opensuse:java-1_7_0-openjdk-demo-debuginfo

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/24/2013

CISA Known Exploited Vulnerability Due Dates: 4/18/2022

Exploitable With

Core Impact

Metasploit (Java storeImageArray() Invalid Array Indexing Vulnerability)

Reference Information

CVE: CVE-2013-1500, CVE-2013-1571, CVE-2013-2407, CVE-2013-2412, CVE-2013-2443, CVE-2013-2444, CVE-2013-2445, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2449, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2458, CVE-2013-2459, CVE-2013-2460, CVE-2013-2461, CVE-2013-2463, CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473