Does CVE-2012-4681, CVE-2012-1682 (Java remote code execution) affect Red Hat products?


On Sunday 26 August, details of a previously unknown Java security flaw were published on a blog. This information spread rapidly within the information security community, and by Monday working exploit code was publicly available. The exploit allowed an attacker to perform remote code execution against a browser using the vulnerable Java plugin. This serious impact, coupled with the publicly available exploit, has led to several attacks in the wild and significant media attention.

Further analysis of the exploit showed that two issues were used to achieve code execution. These issues were assigned CVE identifiers CVE-2012-4681 and CVE-2012-1682.

Red Hat has tested these issues and confirmed that both affected Java SE 7 provided by OpenJDK 7 (java-1.7.0-openjdk), Oracle Java SE 7 (java-1.7.0-oracle) and IBM Java SE 7 (java-1.7.0-ibm) as shipped with Red Hat Enterprise Linux 6, making those Java versions vulnerable to the published exploit code. The CVE-2012-1682 issue also affected Java SE 6 provided by OpenJDK 6 (java-1.6.0-openjdk) as shipped with Red Hat Enterprise Linux 5 and 6. Red Hat is currently not aware of any public exploit using only the CVE-2012-1682 issue to achieve code execution.

Red Hat has released updates for java-1.7.0-oracle, java-1.7.0-openjdk, java-1.7.0-ibm and java-1.6.0-openjdk packages resolving these issues.
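As an added example (not part of the Red Hat advisory and not a Red Hat tool), the POSIX shell script below enumerates the four package names the advisory lists and reports, for each one that is installed, whether its RPM changelog references the relevant CVE identifiers. It relies on the assumption that the updated packages carry a changelog entry naming the CVE, which is a heuristic: the errata links in the Red Hat CVE Database remain the authoritative source for fixed versions. The sample changelog texts embedded in the script are constructed for demonstration and are not real package changelogs; the `--system` flag is the script's own option, not an `rpm` option.

```shell
#!/bin/sh
# Added example: report which advisory-listed Java packages on this host
# have (or lack) a changelog entry referencing the CVE fixes.
# Assumption: the errata packages mention the CVE id in their rpm changelog.

PACKAGES="java-1.7.0-openjdk java-1.7.0-oracle java-1.7.0-ibm java-1.6.0-openjdk"
CVES="CVE-2012-4681 CVE-2012-1682"

# changelog_mentions TEXT CVE -> exit 0 if the CVE id appears in TEXT
changelog_mentions() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# classify_changelog PKG TEXT -> prints "fixed" or "unpatched:<missing CVEs>"
# Per the advisory, java-1.6.0-openjdk is only affected by CVE-2012-1682,
# so CVE-2012-4681 is not expected in its changelog.
classify_changelog() {
    cpkg=$1
    ctext=$2
    missing=""
    for cve in $CVES; do
        if [ "$cpkg" = "java-1.6.0-openjdk" ] && [ "$cve" = "CVE-2012-4681" ]; then
            continue
        fi
        changelog_mentions "$ctext" "$cve" || missing="$missing $cve"
    done
    if [ -z "$missing" ]; then
        echo "fixed"
    else
        echo "unpatched:${missing# }"
    fi
}

# check_system: query the real rpm database on a RHEL host
check_system() {
    for pkg in $PACKAGES; do
        if rpm -q "$pkg" >/dev/null 2>&1; then
            log=$(rpm -q --changelog "$pkg" 2>/dev/null)
            echo "$pkg: $(classify_changelog "$pkg" "$log")"
        else
            echo "$pkg: not installed"
        fi
    done
}

# Constructed sample changelog entries (not real Red Hat changelog text).
SAMPLE_FIXED='* Tue Sep 04 2012 Example Maintainer - 0:0.0-example
- Resolves: CVE-2012-4681 CVE-2012-1682'
SAMPLE_OLD='* Mon Jun 18 2012 Example Maintainer - 0:0.0-example
- initial packaging'

if [ "${1:-}" = "--system" ]; then
    check_system
else
    echo "sample (fixed changelog):  $(classify_changelog java-1.7.0-openjdk "$SAMPLE_FIXED")"
    echo "sample (old changelog):    $(classify_changelog java-1.7.0-openjdk "$SAMPLE_OLD")"
    echo "sample (old, openjdk 6):   $(classify_changelog java-1.6.0-openjdk "$SAMPLE_OLD")"
fi
```

Run it without arguments to see the classification applied to the constructed samples, or with `--system` on a Red Hat Enterprise Linux host to query the installed packages. A package reported as `unpatched` should be compared against the errata linked from the CVE Database entries before concluding it is vulnerable, since a vendor repackage may record the fix differently.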

You can find out more details regarding these flaws and links to released errata in the Red Hat CVE Database:

https://access.redhat.com/security/cve/CVE-2012-4681
https://access.redhat.com/security/cve/CVE-2012-1682
