RHSA-2008:0638 - Security Advisory

Topic

Red Hat Network Satellite Server version 5.1.1 is now available. This
update includes fixes for a number of security issues in the Red Hat
Network Satellite Server IBM Java Runtime Environment for IBM S/390 and IBM
System z architectures.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

Description

This release corrects several security vulnerabilities in the IBM Java
Runtime Environment shipped as part of Red Hat Network Satellite Server 5.1
for IBM S/390 and IBM System z architectures. In a typical operating
environment, these are of low security risk as the runtime is not used on
untrusted applets.

Multiple flaws were fixed in the IBM Java 1.5.0 Runtime Environment.
(CVE-2008-0657, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190,
CVE-2008-1192, CVE-2008-1193, CVE-2008-1194, CVE-2008-1195, CVE-2008-1196,
CVE-2008-3104, CVE-2008-3106, CVE-2008-3108, CVE-2008-3111, CVE-2008-3112,
CVE-2008-3113, CVE-2008-3114)

Users of Red Hat Network Satellite Server 5.1 are advised to upgrade to
5.1.1, which resolves these issues.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

• Red Hat Network Satellite 5.1 (for RHEL Mainframe) 5.1 s390x
• Red Hat Network Satellite 5.1 (for RHEL Server) 5.1 i386

Fixes

• BZ - 431861 - CVE-2008-0657 java-1.5.0 Privilege escalation via unstrusted applet and application
• BZ - 436030 - CVE-2008-1187 Untrusted applet and application XSLT processing privilege escalation
• BZ - 436293 - CVE-2008-1188 Buffer overflow security vulnerabilities in Java Web Start (CVE-2008-1189, CVE-2008-1190)
• BZ - 436295 - CVE-2008-1192 Java Plugin same-origin-policy bypass
• BZ - 436296 - CVE-2008-1193 JRE image parsing library allows privilege escalation (CVE-2008-1194)
• BZ - 436299 - CVE-2008-1195 Java-API calls in untrusted Javascript allow network privilege escalation
• BZ - 436302 - CVE-2008-1196 Buffer overflow security vulnerabilities in Java Web Start
• BZ - 452649 - CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088)
• BZ - 454601 - CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932)
• BZ - 454604 - CVE-2008-3108 Security Vulnerability with JRE fonts processing may allow Elevation of Privileges (6450319)
• BZ - 454605 - CVE-2008-3111 Java Web Start Buffer overflow vulnerabilities (6557220)
• BZ - 454606 - CVE-2008-3112 Java Web Start, arbitrary file creation (6703909)
• BZ - 454607 - CVE-2008-3113 Java Web Start arbitrary file creation/deletion file with user permissions (6704077)
• BZ - 454608 - CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074)

CVEs

• CVE-2008-3108
• CVE-2008-3111
• CVE-2008-3113
• CVE-2008-3114
• CVE-2008-3112
• CVE-2008-3106
• CVE-2008-3104
• CVE-2008-1192
• CVE-2008-1190
• CVE-2008-1196
• CVE-2008-1195
• CVE-2008-1194
• CVE-2008-1193
• CVE-2008-1187
• CVE-2008-1188
• CVE-2008-1189
• CVE-2008-0657

References

• http://www.redhat.com/security/updates/classification/#low