Lumension® Endpoint Intelligence Center


Overview

Id RHSA-2012:0322-01
Name Red Hat 2012:0322-01 RHSA Important: java-1.6.0-openjdk security update for RHEL 5 x86
Vendor Name red_hat
Product None
Content Type Critical
Language(s)
Operating System(s) Linux 
Released On 21 Feb 2012 12:00:00

Url

https://rhn.redhat.com/errata/RHSA-2012-0322.html

Description

LSAC(v2)
These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit.

It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet, could use this flaw to crash the Java Virtual Machine (JVM) or bypass Java sandbox restrictions. (CVE-2012-0497)

It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-0505)

The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2011-3571)

It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions. (CVE-2012-0503)

The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially-crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200. (CVE-2011-5035)

The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet, could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory. (CVE-2011-3563)

A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information. (CVE-2012-0502)

It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data. (CVE-2012-0506)

An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially-crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened. (CVE-2012-0501)

This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6. Refer to the NEWS file, linked to in the References, for further information.

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.

Related Resources

Related Vulnerabilities

CVE-2011-3563   CVE-2011-3571   CVE-2011-5035   CVE-2012-0497   CVE-2012-0501   CVE-2012-0502   CVE-2012-0503   CVE-2012-0505   CVE-2012-0506   CVE-2012-0507  

Related Patches

Superseded Patches


Last Updated: 27 May 2016 11:12:47