Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2008:1045 - Security Advisory
Issued:
2008-12-18
Updated:
2008-12-18

RHSA-2008:1045 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: java-1.6.0-bea security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

java-1.6.0-bea as shipped in Red Hat Enterprise Linux 4 Extras and Red Hat
Enterprise Linux 5 Supplementary, contains security flaws and should not be
used.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Description

The BEA WebLogic JRockit JRE and SDK contains BEA WebLogic JRockit Virtual
Machine and is certified for the Java(TM) 2 Platform, Standard Edition,
v1.6.0.

The java-1.6.0-bea packages are vulnerable to important security flaws and
should no longer be used.

A flaw was found in the Java Management Extensions (JMX) management agent.
When local monitoring was enabled, remote attackers could use this flaw to
perform illegal operations. (CVE-2008-3103)

Several flaws involving the handling of unsigned applets were found. A
remote attacker could misuse an unsigned applet in order to connect to
services on the host running the applet. (CVE-2008-3104)

Several flaws in the Java API for XML Web Services (JAX-WS) client and the
JAX-WS service implementation were found. A remote attacker who could cause
malicious XML to be processed by an application could access URLs, or cause
a denial of service. (CVE-2008-3105, CVE-2008-3106)

Several flaws within the Java Runtime Environment's (JRE) scripting support
were found. A remote attacker could grant an untrusted applet extended
privileges, such as reading and writing local files, executing local
programs, or querying the sensitive data of other applets. (CVE-2008-3109,
CVE-2008-3110)

The vulnerabilities concerning applets listed above can only be triggered
in java-1.6.0-bea, by calling the "appletviewer" application.

BEA was acquired by Oracle(r) during 2008 (the acquisition was completed on
April 29, 2008). Consequently, JRockit is now an Oracle offering and these
issues are addressed in the current release of Oracle JRockit. Due to a
license change by Oracle, however, Red Hat is unable to ship Oracle
JRockit.

Users who wish to continue using JRockit should get an update directly from
Oracle: http://oracle.com/technology/software/products/jrockit/.

Alternatives to Oracle JRockit include the Java 2 Technology Edition of the
IBM(r) Developer Kit for Linux and the Sun(TM) Java SE Development Kit (JDK),
both of which are available on the Extras or Supplementary channels. For
Java 6 users, the new OpenJDK open source JDK will be included in Red Hat
Enterprise Linux 5.3 and will be supported by Red Hat.

This update removes the java-1.6.0-bea packages due to their known security
vulnerabilities.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Server 4 x86_64
  • Red Hat Enterprise Linux Server 4 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.2 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.2 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4ES x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4ES i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4AS x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 4AS i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Workstation 4 x86_64
  • Red Hat Enterprise Linux Workstation 4 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux Desktop 4 x86_64
  • Red Hat Enterprise Linux Desktop 4 i386
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 452649 - CVE-2008-3105 CVE-2008-3106 OpenJDK JAX-WS unauthorized URL access (6542088)
  • BZ - 452659 - CVE-2008-3103 OpenJDK JMX allows illegal operations with local monitoring (6332953)
  • BZ - 454601 - CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932)
  • BZ - 454603 - CVE-2008-3109 CVE-2008-3110 Security Vulnerabilities in the Java Runtime Environment Scripting Language Support (6529568, 6529579)

CVEs

(none)

References

  • https://support.bea.com/application_content/product_portlets/securityadvisories/jrockitindex.html
  • http://www.redhat.com/security/updates/classification/#important
Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 5

SRPM
x86_64
java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.x86_64.rpm SHA-256: 31d7d003cf642bd50d8267500a893cb3597c6f16a48f97d2e7810c255ef412b7
i386
java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.i686.rpm SHA-256: 8acd1e7fdd6a191d5f66b2fceea57a31d34c0ffa0476255ee8810d4139f36aed

Red Hat Enterprise Linux Server 4

SRPM
x86_64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.2

SRPM
x86_64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 4ES

SRPM
x86_64
i386

Red Hat Enterprise Linux for x86_64 - Extended Update Support 4AS

SRPM
x86_64
i386

Red Hat Enterprise Linux Workstation 5

SRPM
x86_64
java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.x86_64.rpm SHA-256: 31d7d003cf642bd50d8267500a893cb3597c6f16a48f97d2e7810c255ef412b7
i386
java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.i686.rpm SHA-256: 8acd1e7fdd6a191d5f66b2fceea57a31d34c0ffa0476255ee8810d4139f36aed

Red Hat Enterprise Linux Workstation 4

SRPM
x86_64
i386

Red Hat Enterprise Linux Desktop 5

SRPM
x86_64
java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.x86_64.rpm SHA-256: 31d7d003cf642bd50d8267500a893cb3597c6f16a48f97d2e7810c255ef412b7
i386
java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.i686.rpm SHA-256: 8acd1e7fdd6a191d5f66b2fceea57a31d34c0ffa0476255ee8810d4139f36aed

Red Hat Enterprise Linux Desktop 4

SRPM
x86_64
i386

Red Hat Enterprise Linux Server from RHUI 5

SRPM
x86_64
java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.x86_64.rpm SHA-256: 31d7d003cf642bd50d8267500a893cb3597c6f16a48f97d2e7810c255ef412b7
i386
java-1.6.0-bea-uninstall-1.6.0.03-1jpp.6.el5.i686.rpm SHA-256: 8acd1e7fdd6a191d5f66b2fceea57a31d34c0ffa0476255ee8810d4139f36aed

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2022 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter