Test ID:	1.3.6.1.4.1.25623.1.0.71077
Category:	Ubuntu Local Security Checks
Title:	Ubuntu USN-1263-2 (icedtea-6-jre-cacao)
Summary:	NOSUMMARY
Description:	Description: The remote host is missing an update to icedtea-6-jre-cacao announced via advisory USN-1263-2. Details: USN-1263-1 fixed vulnerabilities in OpenJDK 6. The upstream patch for the chosen plaintext attack on the block-wise AES encryption algorithm (CVE-2011-3389) introduced a regression that caused TLS/SSL connections to fail when using certain algorithms. This update fixes the problem. We apologize for the inconvenience. Original advisory details: Deepak Bhole discovered a flaw in the Same Origin Policy (SOP) implementation in the IcedTea web browser plugin. This could allow a remote attacker to open connections to certain hosts that should not be permitted. (CVE-2011-3377) Juliano Rizzo and Thai Duong discovered that the block-wise AES encryption algorithm block-wise as used in TLS/SSL was vulnerable to a chosen-plaintext attack. This could allow a remote attacker to view confidential data. (CVE-2011-3389) It was discovered that a type confusion flaw existed in the in the Internet Inter-Orb Protocol (IIOP) deserialization code. A remote attacker could use this to cause an untrusted application or applet to execute arbitrary code by deserializing malicious input. (CVE-2011-3521) It was discovered that the Java scripting engine did not perform SecurityManager checks. This could allow a remote attacker to cause an untrusted application or applet to execute arbitrary code with the full privileges of the JVM. (CVE-2011-3544) It was discovered that the InputStream class used a global buffer to store input bytes skipped. An attacker could possibly use this to gain access to sensitive information. (CVE-2011-3547) It was discovered that a vulnerability existed in the AWTKeyStroke class. A remote attacker could cause an untrusted application or applet to execute arbitrary code. (CVE-2011-3548) It was discovered that an integer overflow vulnerability existed in the TransformHelper class in the Java2D implementation. A remote attacker could use this cause a denial of service via an application or applet crash or possibly execute arbitrary code. (CVE-2011-3551) It was discovered that the default number of available UDP sockets for applications running under SecurityManager restrictions was set too high. A remote attacker could use this with a malicious application or applet exhaust the number of available UDP sockets to cause a denial of service for other applets or applications running within the same JVM. (CVE-2011-3552) It was discovered that Java API for XML Web Services (JAX-WS) could incorrectly expose a stack trace. A remote attacker could potentially use this to gain access to sensitive information. (CVE-2011-3553) It was discovered that the unpacker for pack200 JAR files did not sufficiently check for errors. An attacker could cause a denial of service or possibly execute arbitrary code through a specially crafted pack200 JAR file. (CVE-2011-3554) It was discovered that the RMI registration implementation did not properly restrict privileges of remotely executed code. A remote attacker could use this to execute code with elevated privileges. (CVE-2011-3556, CVE-2011-3557) It was discovered that the HotSpot VM could be made to crash, allowing an attacker to cause a denial of service or possibly leak sensitive information. (CVE-2011-3558) It was discovered that the HttpsURLConnection class did not properly perform SecurityManager checks in certain situations. This could allow a remote attacker to bypass restrictions on HTTPS connections. (CVE-2011-3560) Solution: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: icedtea-6-jre-cacao 6b23~ pre11-0ubuntu1.11.10.1 icedtea-6-jre-jamvm 6b23~ pre11-0ubuntu1.11.10.1 openjdk-6-jre 6b23~ pre11-0ubuntu1.11.10.1 openjdk-6-jre-headless 6b23~ pre11-0ubuntu1.11.10.1 openjdk-6-jre-lib 6b23~ pre11-0ubuntu1.11.10.1 openjdk-6-jre-zero 6b23~ pre11-0ubuntu1.11.10.1 Ubuntu 11.04: icedtea-6-jre-cacao 6b22-1.10.4-0ubuntu1~ 11.04.2 icedtea-6-jre-jamvm 6b22-1.10.4-0ubuntu1~ 11.04.2 openjdk-6-jre 6b22-1.10.4-0ubuntu1~ 11.04.2 openjdk-6-jre-headless 6b22-1.10.4-0ubuntu1~ 11.04.2 openjdk-6-jre-lib 6b22-1.10.4-0ubuntu1~ 11.04.2 openjdk-6-jre-zero 6b22-1.10.4-0ubuntu1~ 11.04.2 Ubuntu 10.10: icedtea-6-jre-cacao 6b20-1.9.10-0ubuntu1~ 10.10.3 openjdk-6-jre 6b20-1.9.10-0ubuntu1~ 10.10.3 openjdk-6-jre-headless 6b20-1.9.10-0ubuntu1~ 10.10.3 openjdk-6-jre-lib 6b20-1.9.10-0ubuntu1~ 10.10.3 openjdk-6-jre-zero 6b20-1.9.10-0ubuntu1~ 10.10.3 Ubuntu 10.04 LTS: icedtea-6-jre-cacao 6b20-1.9.10-0ubuntu1~ 10.04.3 openjdk-6-jre 6b20-1.9.10-0ubuntu1~ 10.04.3 openjdk-6-jre-headless 6b20-1.9.10-0ubuntu1~ 10.04.3 openjdk-6-jre-lib 6b20-1.9.10-0ubuntu1~ 10.04.3 openjdk-6-jre-zero 6b20-1.9.10-0ubuntu1~ 10.04.3 http://www.securityspace.com/smysecure/catid.html?in=USN-1263-2 CVSS Score: 10.0 CVSS Vector: AV:L/AC:L/Au:NR/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2011-3389 http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html http://lists.apple.com/archives/Security-announce/2011//Oct/msg00002.html http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html http://lists.apple.com/archives/security-announce/2012/May/msg00001.html http://lists.apple.com/archives/security-announce/2012/Jul/msg00001.html http://lists.apple.com/archives/security-announce/2012/Sep/msg00004.html http://lists.apple.com/archives/security-announce/2013/Oct/msg00004.html BugTraq ID: 49388 http://www.securityfocus.com/bid/49388 BugTraq ID: 49778 http://www.securityfocus.com/bid/49778 Cert/CC Advisory: TA12-010A http://www.us-cert.gov/cas/techalerts/TA12-010A.html CERT/CC vulnerability note: VU#864643 http://www.kb.cert.org/vuls/id/864643 Debian Security Information: DSA-2398 (Google Search) http://www.debian.org/security/2012/dsa-2398 http://security.gentoo.org/glsa/glsa-201203-02.xml http://security.gentoo.org/glsa/glsa-201406-32.xml HPdes Security Advisory: HPSBMU02742 http://marc.info/?l=bugtraq&m=132872385320240&w=2 HPdes Security Advisory: HPSBMU02797 http://marc.info/?l=bugtraq&m=134254957702612&w=2 HPdes Security Advisory: HPSBMU02799 http://marc.info/?l=bugtraq&m=134254866602253&w=2 HPdes Security Advisory: HPSBMU02900 https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03839862 HPdes Security Advisory: HPSBUX02730 http://marc.info/?l=bugtraq&m=132750579901589&w=2 HPdes Security Advisory: HPSBUX02760 http://marc.info/?l=bugtraq&m=133365109612558&w=2 HPdes Security Advisory: HPSBUX02777 http://marc.info/?l=bugtraq&m=133728004526190&w=2 HPdes Security Advisory: SSRT100710 HPdes Security Advisory: SSRT100740 HPdes Security Advisory: SSRT100805 HPdes Security Advisory: SSRT100854 HPdes Security Advisory: SSRT100867 http://www.mandriva.com/security/advisories?name=MDVSA-2012:058 http://ekoparty.org/2011/juliano-rizzo.php http://eprint.iacr.org/2004/111 http://eprint.iacr.org/2006/136 http://isc.sans.edu/diary/SSL+TLS+part+3+/11635 http://vnhacker.blogspot.com/2011/09/beast.html http://www.educatedguesswork.org/2011/09/security_impact_of_the_rizzodu.html http://www.insecure.cl/Beast-SSL.rar https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02 Microsoft Security Bulletin: MS12-006 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-006 http://osvdb.org/74829 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14752 http://www.redhat.com/support/errata/RHSA-2011-1384.html http://www.redhat.com/support/errata/RHSA-2012-0006.html RedHat Security Advisories: RHSA-2012:0508 http://rhn.redhat.com/errata/RHSA-2012-0508.html RedHat Security Advisories: RHSA-2013:1455 http://rhn.redhat.com/errata/RHSA-2013-1455.html http://www.securitytracker.com/id?1025997 http://www.securitytracker.com/id?1026103 http://www.securitytracker.com/id?1026704 http://www.securitytracker.com/id/1029190 http://secunia.com/advisories/45791 http://secunia.com/advisories/47998 http://secunia.com/advisories/48256 http://secunia.com/advisories/48692 http://secunia.com/advisories/48915 http://secunia.com/advisories/48948 http://secunia.com/advisories/49198 http://secunia.com/advisories/55322 http://secunia.com/advisories/55350 http://secunia.com/advisories/55351 SuSE Security Announcement: SUSE-SU-2012:0114 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00049.html SuSE Security Announcement: SUSE-SU-2012:0122 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00051.html SuSE Security Announcement: SUSE-SU-2012:0602 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html SuSE Security Announcement: openSUSE-SU-2012:0030 (Google Search) https://hermes.opensuse.org/messages/13154861 SuSE Security Announcement: openSUSE-SU-2012:0063 (Google Search) https://hermes.opensuse.org/messages/13155432 SuSE Security Announcement: openSUSE-SU-2020:0086 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html http://www.ubuntu.com/usn/USN-1263-1 Common Vulnerability Exposure (CVE) ID: CVE-2011-3377 BugTraq ID: 50610 http://www.securityfocus.com/bid/50610 Debian Security Information: DSA-2420 (Google Search) http://www.debian.org/security/2012/dsa-2420 https://bugzilla.redhat.com/show_bug.cgi?id=742515 http://www.osvdb.org/76940 RedHat Security Advisories: RHSA-2011:1441 http://rhn.redhat.com/errata/RHSA-2011-1441.html SuSE Security Announcement: openSUSE-SU-2012:0371 (Google Search) http://lists.opensuse.org/opensuse-updates/2012-03/msg00028.html Common Vulnerability Exposure (CVE) ID: CVE-2011-3521 BugTraq ID: 50215 http://www.securityfocus.com/bid/50215 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13662 http://www.securitytracker.com/id?1026215 http://secunia.com/advisories/48308 XForce ISS Database: oracle-jre-deserialization-unspecified(70850) https://exchange.xforce.ibmcloud.com/vulnerabilities/70850 Common Vulnerability Exposure (CVE) ID: CVE-2011-3544 BugTraq ID: 50218 http://www.securityfocus.com/bid/50218 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13947 XForce ISS Database: oracle-jre-scripting-unspecified(70849) https://exchange.xforce.ibmcloud.com/vulnerabilities/70849 Common Vulnerability Exposure (CVE) ID: CVE-2011-3547 BugTraq ID: 50243 http://www.securityfocus.com/bid/50243 http://osvdb.org/76511 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14339 http://www.redhat.com/support/errata/RHSA-2011-1478.html XForce ISS Database: jre-networking-info-disclosure(70846) https://exchange.xforce.ibmcloud.com/vulnerabilities/70846 Common Vulnerability Exposure (CVE) ID: CVE-2011-3548 BugTraq ID: 50211 http://www.securityfocus.com/bid/50211 http://osvdb.org/76495 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14492 XForce ISS Database: jre-awt-unspecified(70845) https://exchange.xforce.ibmcloud.com/vulnerabilities/70845 Common Vulnerability Exposure (CVE) ID: CVE-2011-3551 BugTraq ID: 50224 http://www.securityfocus.com/bid/50224 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14318 XForce ISS Database: oracle-jre-2d-unspecified(70842) https://exchange.xforce.ibmcloud.com/vulnerabilities/70842 Common Vulnerability Exposure (CVE) ID: CVE-2011-3552 BugTraq ID: 50248 http://www.securityfocus.com/bid/50248 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14465 XForce ISS Database: oracle-jre-networking-unspecified(70841) https://exchange.xforce.ibmcloud.com/vulnerabilities/70841 Common Vulnerability Exposure (CVE) ID: CVE-2011-3553 BugTraq ID: 50246 http://www.securityfocus.com/bid/50246 http://osvdb.org/76512 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14311 XForce ISS Database: oracle-jre-jaxws-info-disc(70840) https://exchange.xforce.ibmcloud.com/vulnerabilities/70840 Common Vulnerability Exposure (CVE) ID: CVE-2011-3554 BugTraq ID: 50216 http://www.securityfocus.com/bid/50216 http://osvdb.org/76498 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14524 XForce ISS Database: oracle-java-jre-unspecified(70839) https://exchange.xforce.ibmcloud.com/vulnerabilities/70839 Common Vulnerability Exposure (CVE) ID: CVE-2011-3556 BugTraq ID: 50231 http://www.securityfocus.com/bid/50231 CERT/CC vulnerability note: VU#597809 https://www.kb.cert.org/vuls/id/597809 http://osvdb.org/76505 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14316 XForce ISS Database: jre-rmi-unspecified(70837) https://exchange.xforce.ibmcloud.com/vulnerabilities/70837 Common Vulnerability Exposure (CVE) ID: CVE-2011-3557 BugTraq ID: 50234 http://www.securityfocus.com/bid/50234 http://osvdb.org/76506 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14373 XForce ISS Database: oracle-jre-rmi-unspecified(70836) https://exchange.xforce.ibmcloud.com/vulnerabilities/70836 Common Vulnerability Exposure (CVE) ID: CVE-2011-3558 BugTraq ID: 50242 http://www.securityfocus.com/bid/50242 http://osvdb.org/76510 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13475 XForce ISS Database: oracle-java-hotspot-info-disc(70835) https://exchange.xforce.ibmcloud.com/vulnerabilities/70835 Common Vulnerability Exposure (CVE) ID: CVE-2011-3560 BugTraq ID: 50236 http://www.securityfocus.com/bid/50236 http://osvdb.org/76507 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14394 XForce ISS Database: oracle-jre-jsse-unspecified(70834) https://exchange.xforce.ibmcloud.com/vulnerabilities/70834
Copyright	Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.