Red Hat Product Errata RHSA-2013:1456 - Security Advisory
Issued:
2013-10-23
Updated:
2013-10-23

RHSA-2013:1456 - Security Advisory

Synopsis

Low: Red Hat Network Satellite server IBM Java Runtime security update

Type/Severity

Security Advisory: Low

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated java-1.6.0-ibm packages that fix several security issues are now
available for Red Hat Network Satellite Server 5.5.

The Red Hat Security Response Team has rated this update as having low
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

This update corrects several security vulnerabilities in the IBM Java
Runtime Environment shipped as part of Red Hat Network Satellite Server
5.5. In a typical operating environment, these are of low security risk as
the runtime is not used on untrusted applets.

Several flaws were fixed in the IBM Java 2 Runtime Environment.
(CVE-2012-0547, CVE-2012-0551, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533,
CVE-2012-1541, CVE-2012-1682, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717,
CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725,
CVE-2012-3143, CVE-2012-3159, CVE-2012-3213, CVE-2012-3216, CVE-2012-3342,
CVE-2012-4820, CVE-2012-4822, CVE-2012-4823, CVE-2012-5068, CVE-2012-5069,
CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079,
CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089, CVE-2013-0169,
CVE-2013-0351, CVE-2013-0401, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423,
CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428,
CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438,
CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445,
CVE-2013-0446, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1476,
CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1487,
CVE-2013-1491, CVE-2013-1493, CVE-2013-1500, CVE-2013-1537, CVE-2013-1540,
CVE-2013-1557, CVE-2013-1563, CVE-2013-1569, CVE-2013-1571, CVE-2013-2383,
CVE-2013-2384, CVE-2013-2394, CVE-2013-2407, CVE-2013-2412, CVE-2013-2417,
CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2422, CVE-2013-2424,
CVE-2013-2429, CVE-2013-2430, CVE-2013-2432, CVE-2013-2433, CVE-2013-2435,
CVE-2013-2437, CVE-2013-2440, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444,
CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451,
CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456,
CVE-2013-2457, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465,
CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471,
CVE-2013-2472, CVE-2013-2473, CVE-2013-3743)

Users of Red Hat Network Satellite Server 5.5 are advised to upgrade to
these updated packages, which contain the IBM Java SE 6 SR14 release. For
this update to take effect, Red Hat Network Satellite Server must be
restarted ("/usr/sbin/rhn-satellite restart"), as well as all running
instances of IBM Java.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

Affected Products

  • Red Hat Satellite with Embedded Oracle 5.5 for RHEL 6 x86_64
  • Red Hat Satellite with Embedded Oracle 5.5 for RHEL 6 s390x
  • Red Hat Satellite with Embedded Oracle 5.5 for RHEL 5 x86_64

Fixes

  • BZ - 829358 - CVE-2012-1717 OpenJDK: insecure temporary file permissions (JRE, 7143606)
  • BZ - 829360 - CVE-2012-1716 OpenJDK: SynthLookAndFeel application context bypass (Swing, 7143614)
  • BZ - 829361 - CVE-2012-1713 OpenJDK: fontmanager layout lookup code memory corruption (2D, 7143617)
  • BZ - 829371 - CVE-2012-1719 OpenJDK: mutable repository identifiers in generated stub code (CORBA, 7143851)
  • BZ - 829372 - CVE-2012-1718 OpenJDK: CRL and certificate extensions handling improvements (Security, 7143872)
  • BZ - 829376 - CVE-2012-1725 OpenJDK: insufficient invokespecial <init> verification (HotSpot, 7160757)
  • BZ - 831353 - CVE-2012-1721 Oracle JDK: unspecified vulnerability fixed in 6u33 and 7u5 (Deployment)
  • BZ - 831354 - CVE-2012-1722 Oracle JDK: unspecified vulnerability fixed in 6u33 and 7u5 (Deployment)
  • BZ - 831355 - CVE-2012-0551 Oracle JDK: unspecified vulnerability fixed in 6u33 and 7u5 (Deployment)
  • BZ - 853097 - CVE-2012-1682 OpenJDK: beans ClassFinder insufficient permission checks (beans, 7162476)
  • BZ - 853228 - CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)
  • BZ - 859140 - CVE-2013-0440 OpenJDK: CPU consumption DoS via repeated SSL ClientHello packets (JSSE, 7192393)
  • BZ - 865346 - CVE-2012-3216 OpenJDK: java.io.FilePermission information leak (Libraries, 6631398)
  • BZ - 865348 - CVE-2012-5068 OpenJDK: RhinoScriptEngine security bypass (Scripting, 7143535)
  • BZ - 865357 - CVE-2012-5073 OpenJDK: LogManager security bypass (Libraries, 7169884)
  • BZ - 865363 - CVE-2012-5075 OpenJDK: RMIConnectionImpl information disclosure (JMX, 7169888)
  • BZ - 865365 - CVE-2012-5072 OpenJDK: AccessController.doPrivilegedWithCombiner() information disclosure (Security, 7172522)
  • BZ - 865370 - CVE-2012-5081 OpenJDK: JSSE denial of service (JSSE, 7186286)
  • BZ - 865511 - CVE-2012-5084 OpenJDK: DefaultFormatter insufficient data validation (Swing, 7195194)
  • BZ - 865514 - CVE-2012-5089 OpenJDK: RMIConnectionImpl insufficient access control checks (JMX, 7198296)
  • BZ - 865519 - CVE-2012-5071 OpenJDK: DescriptorSupport insufficient package access checks (JMX, 7192975)
  • BZ - 865531 - CVE-2012-5069 OpenJDK: Executors state handling issues (Concurrency, 7189103)
  • BZ - 865568 - CVE-2012-5079 OpenJDK: ServiceLoader reject not subtype classes without instantiating (Libraries, 7195919)
  • BZ - 867185 - CVE-2012-1531 Oracle JDK: unspecified vulnerability (2D)
  • BZ - 867186 - CVE-2012-1532 Oracle JDK: unspecified vulnerability (Deployment)
  • BZ - 867187 - CVE-2012-1533 Oracle JDK: unspecified vulnerability (Deployment)
  • BZ - 867189 - CVE-2012-3143 Oracle JDK: unspecified vulnerability (JMX)
  • BZ - 867190 - CVE-2012-3159 Oracle JDK: unspecified vulnerability (Deployment)
  • BZ - 867193 - CVE-2012-5083 Oracle JDK: unspecified vulnerability (2D)
  • BZ - 876386 - CVE-2012-4820 IBM JDK: java.lang.reflect.Method invoke() code execution
  • BZ - 876388 - CVE-2012-4822 IBM JDK: java.lang.class code execution
  • BZ - 876389 - CVE-2012-4823 IBM JDK: java.lang.ClassLoder defineClass() code execution
  • BZ - 906813 - CVE-2013-0424 OpenJDK: RMI CGIHandler XSS issue (RMI, 6563318)
  • BZ - 906892 - CVE-2013-0435 OpenJDK: com.sun.xml.internal.* not restricted packages (JAX-WS, 7201068)
  • BZ - 906894 - CVE-2013-1478 OpenJDK: image parser insufficient raster parameter checks (2D, 8001972)
  • BZ - 906899 - CVE-2013-0442 OpenJDK: insufficient privilege checking issue (AWT, 7192977)
  • BZ - 906900 - CVE-2013-0445 OpenJDK: insufficient privilege checking issue (AWT, 8001057)
  • BZ - 906904 - CVE-2013-1480 OpenJDK: image parser insufficient raster parameter checks (AWT, 8002325)
  • BZ - 906911 - CVE-2013-0450 OpenJDK: RequiredModelMBean missing access control context checks (JMX, 8000537)
  • BZ - 906914 - CVE-2012-1541 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
  • BZ - 906916 - CVE-2013-0446 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
  • BZ - 906917 - CVE-2012-3342 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
  • BZ - 906918 - CVE-2013-0419 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
  • BZ - 906921 - CVE-2013-0423 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
  • BZ - 906923 - CVE-2013-0351 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
  • BZ - 906933 - CVE-2013-1473 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
  • BZ - 906935 - CVE-2013-0438 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Deployment)
  • BZ - 907207 - CVE-2013-0428 OpenJDK: reflection API incorrect checks for proxy classes (Libraries, 7197546, SE-2012-01 Issue 29)
  • BZ - 907219 - CVE-2013-0432 OpenJDK: insufficient clipboard access premission checks (AWT, 7186952)
  • BZ - 907223 - CVE-2012-3213 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (Scripting)
  • BZ - 907224 - CVE-2013-1481 Oracle JDK: unspecified vulnerability fixed in 6u39 (Sound)
  • BZ - 907226 - CVE-2013-0409 Oracle JDK: unspecified vulnerability fixed in 6u39 and 7u13 (JMX)
  • BZ - 907340 - CVE-2013-0443 OpenJDK: insufficient Diffie-Hellman public key checks (JSSE, 7192392)
  • BZ - 907344 - CVE-2013-0425 OpenJDK: logging insufficient access control checks (Libraries, 6664509)
  • BZ - 907346 - CVE-2013-0426 OpenJDK: logging insufficient access control checks (Libraries, 6664528)
  • BZ - 907453 - CVE-2013-0434 OpenJDK: loadPropertyFile missing restrictions (JAXP, 8001235)
  • BZ - 907455 - CVE-2013-0427 OpenJDK: invalid threads subject to interrupts (Libraries, 6776941)
  • BZ - 907456 - CVE-2013-0433 OpenJDK: InetSocketAddress serialization issue (Networking, 7201071)
  • BZ - 907457 - CVE-2013-1476 OpenJDK: missing ValueHandlerImpl class constructor access restriction (CORBA, 8000631)
  • BZ - 907458 - CVE-2013-0441 OpenJDK: missing serialization restriction (CORBA, 7201066)
  • BZ - 907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
  • BZ - 913014 - CVE-2013-1486 OpenJDK: MBeanServer insufficient privilege restrictions (JMX, 8006446)
  • BZ - 913030 - CVE-2013-1487 Oracle JDK: unspecified vulnerability fixed in 6u41 and 7u15 (Deployment)
  • BZ - 917550 - CVE-2013-0809 OpenJDK: Specially crafted sample model integer overflow (2D, 8007014)
  • BZ - 917553 - CVE-2013-1493 OpenJDK: CMM malformed raster memory corruption (2D, 8007675)
  • BZ - 920245 - CVE-2013-0401 OpenJDK: sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader (CanSecWest 2013, AWT, 8009305)
  • BZ - 920248 - CVE-2013-1491 Oracle JDK: unspecified sanbox bypass (CanSecWest 2013, 2D)
  • BZ - 952387 - CVE-2013-1537 OpenJDK: remote code loading enabled by default (RMI, 8001040)
  • BZ - 952509 - CVE-2013-2424 OpenJDK: MBeanInstantiator insufficient class access checks (JMX, 8006435)
  • BZ - 952521 - CVE-2013-2429 OpenJDK: JPEGImageWriter state corruption (ImageIO, 8007918)
  • BZ - 952524 - CVE-2013-2430 OpenJDK: JPEGImageReader state corruption (ImageIO, 8007667)
  • BZ - 952638 - CVE-2013-2420 OpenJDK: image processing vulnerability (2D, 8007617)
  • BZ - 952642 - CVE-2013-2422 OpenJDK: MethodUtil trampoline class incorrect restrictions (Libraries, 8009857)
  • BZ - 952648 - CVE-2013-1557 OpenJDK: LogStream.setDefaultStream() missing security restrictions (RMI, 8001329)
  • BZ - 952656 - CVE-2013-2419 ICU: Layout Engine font processing errors (JDK 2D, 8001031)
  • BZ - 952657 - CVE-2013-2417 OpenJDK: Network InetAddress serialization information disclosure (Networking, 8000724)
  • BZ - 952708 - CVE-2013-2383 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004986)
  • BZ - 952709 - CVE-2013-2384 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004987)
  • BZ - 952711 - CVE-2013-1569 ICU: Layout Engine font layout and glyph table errors (JDK 2D, 8004994)
  • BZ - 953166 - CVE-2013-1540 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
  • BZ - 953172 - CVE-2013-1563 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Install)
  • BZ - 953265 - CVE-2013-2394 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
  • BZ - 953267 - CVE-2013-2418 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
  • BZ - 953269 - CVE-2013-2432 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (2D)
  • BZ - 953270 - CVE-2013-2433 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
  • BZ - 953273 - CVE-2013-2435 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
  • BZ - 953275 - CVE-2013-2440 Oracle JDK: unspecified vulnerability fixed in 7u21 and 6u45 (Deployment)
  • BZ - 973474 - CVE-2013-1571 OpenJDK: Frame injection in generated HTML (Javadoc, 8012375)
  • BZ - 975099 - CVE-2013-2470 OpenJDK: ImagingLib byte lookup processing (2D, 8011243)
  • BZ - 975102 - CVE-2013-2471 OpenJDK: Incorrect IntegerComponentRaster size checks (2D, 8011248)
  • BZ - 975107 - CVE-2013-2472 OpenJDK: Incorrect ShortBandedRaster size checks (2D, 8011253)
  • BZ - 975110 - CVE-2013-2473 OpenJDK: Incorrect ByteBandedRaster size checks (2D, 8011257)
  • BZ - 975115 - CVE-2013-2463 OpenJDK: Incorrect image attribute verification (2D, 8012438)
  • BZ - 975118 - CVE-2013-2465 OpenJDK: Incorrect image channel verification (2D, 8012597)
  • BZ - 975120 - CVE-2013-2469 OpenJDK: Incorrect image layout verification (2D, 8012601)
  • BZ - 975121 - CVE-2013-2459 OpenJDK: Various AWT integer overflow checks (AWT, 8009071)
  • BZ - 975125 - CVE-2013-2448 OpenJDK: Better access restrictions (Sound, 8006328)
  • BZ - 975127 - CVE-2013-2407 OpenJDK: Integrate Apache Santuario, rework class loader (Libraries, 6741606, 8008744)
  • BZ - 975129 - CVE-2013-2454 OpenJDK: SerialJavaObject package restriction (JDBC, 8009554)
  • BZ - 975131 - CVE-2013-2444 OpenJDK: Resource denial of service (AWT, 8001038)
  • BZ - 975132 - CVE-2013-2446 OpenJDK: output stream access restrictions (CORBA, 8000642)
  • BZ - 975133 - CVE-2013-2457 OpenJDK: Proper class checking (JMX, 8008120)
  • BZ - 975134 - CVE-2013-2453 OpenJDK: MBeanServer Introspector package access (JMX, 8008124)
  • BZ - 975137 - CVE-2013-2443 OpenJDK: AccessControlContext check order issue (Libraries, 8001330)
  • BZ - 975138 - CVE-2013-2452 OpenJDK: Unique VMIDs (Libraries, 8001033)
  • BZ - 975139 - CVE-2013-2455 OpenJDK: getEnclosing* checks (Libraries, 8007812)
  • BZ - 975140 - CVE-2013-2447 OpenJDK: Prevent revealing the local address (Networking, 8001318)
  • BZ - 975141 - CVE-2013-2450 OpenJDK: ObjectStreamClass circular reference denial of service (Serialization, 8000638)
  • BZ - 975142 - CVE-2013-2456 OpenJDK: ObjectOutputStream access checks (Serialization, 8008132)
  • BZ - 975144 - CVE-2013-2412 OpenJDK: JConsole SSL support (Serviceability, 8003703)
  • BZ - 975146 - CVE-2013-2451 OpenJDK: exclusive port binding (Networking, 7170730)
  • BZ - 975148 - CVE-2013-1500 OpenJDK: Insecure shared memory permissions (2D, 8001034)
  • BZ - 975757 - CVE-2013-2464 Oracle JDK: unspecified vulnerability fixed in 7u25 (2D)
  • BZ - 975761 - CVE-2013-2468 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment)
  • BZ - 975764 - CVE-2013-2466 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment)
  • BZ - 975767 - CVE-2013-3743 Oracle JDK: unspecified vulnerability fixed in 6u51 and 5u51 (AWT)
  • BZ - 975770 - CVE-2013-2442 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment)
  • BZ - 975773 - CVE-2013-2437 Oracle JDK: unspecified vulnerability fixed in 7u25 (Deployment)

CVEs

Red Hat Satellite with Embedded Oracle 5.5 for RHEL 6

SRPM
java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.src.rpm SHA-256: e5ba59aafb623d8e269a92ccbc509fd485d2049e060781e526822b688c247193
x86_64
java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm SHA-256: ac8cc460006daaa76de428b5b78b5f06d2eb26c1ed693ca23117f7cb0a666707
java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.x86_64.rpm SHA-256: b31d2378af5e41c6a0866700f9c45031e8d013fd256374dbf034b243ec57f004
s390x
java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el6_4.s390x.rpm SHA-256: f557f5c4689957560e3309d4a53f2bf3deb9e92911ec98dff3cabee14bf9df6e
java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el6_4.s390x.rpm SHA-256: f3b2bb62e2b459f47c365fde9cfec44454b3661668086191568faf295add78a6

Red Hat Satellite with Embedded Oracle 5.5 for RHEL 5

SRPM
java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.src.rpm SHA-256: 6857cf8c3b1463bc39ab6a6e7d5ed636e16fbf02e727170dae2c06bb20b05735
x86_64
java-1.6.0-ibm-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm SHA-256: 39f193f5e1c1174a007a5fe5d98e3bcb7efba5ff9dac197fb2e98a1e7d05db30
java-1.6.0-ibm-devel-1.6.0.14.0-1jpp.1.el5_9.x86_64.rpm SHA-256: 62782116c889bf2dafa7dbee99dc969597d56df5031ecf2ed3478c47ddc74a54

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.