Test ID: 1.3.6.1.4.1.25623.1.0.71769
Category: Ubuntu Local Security Checks
Title: Ubuntu USN-1373-1 (icedtea-6-jre-cacao)
Summary: NOSUMMARY
Description:

The remote host is missing an update to icedtea-6-jre-cacao announced via advisory USN-1373-1.

Details:

It was discovered that the Java HttpServer class did not limit the number of headers read from an HTTP request. A remote attacker could cause a denial of service by sending specially crafted requests whose header names predictably collide in the server's hash table. (CVE-2011-5035)

ATTENTION: this update changes previous Java HttpServer class behavior by limiting the number of request headers to 200. This may be increased by adjusting the sun.net.httpserver.maxReqHeaders JVM system property.

It was discovered that the Java Sound component did not properly check buffer boundaries. A remote attacker could use this to cause a denial of service or view confidential data. (CVE-2011-3563)

It was discovered that the Java2D implementation does not properly check graphics rendering objects before passing them to the native renderer. A remote attacker could use this to cause a denial of service or to bypass Java sandbox restrictions. (CVE-2012-0497)

It was discovered that an off-by-one error exists in the Java ZIP file processing code. An attacker could use this to cause a denial of service through a maliciously crafted ZIP file. (CVE-2012-0501)

It was discovered that the Java AWT KeyboardFocusManager did not properly enforce keyboard focus security policy. A remote attacker could use this with an untrusted application or applet to grab keyboard focus and possibly expose confidential data. (CVE-2012-0502)

It was discovered that the Java TimeZone class did not properly enforce security policy around setting the default time zone. A remote attacker could use this with an untrusted application or applet to set a new default time zone and bypass Java sandbox restrictions. (CVE-2012-0503)

It was discovered that the Java ObjectStreamClass did not throw an accurately identifiable exception when a deserialization failure occurred. A remote attacker could use this with an untrusted application or applet to bypass Java sandbox restrictions. (CVE-2012-0505)

It was discovered that the Java CORBA implementation did not properly protect repository identifiers on certain CORBA objects. A remote attacker could use this to corrupt object data. (CVE-2012-0506)

It was discovered that the Java AtomicReferenceArray class implementation did not properly check if an array was of the expected Object[] type. A remote attacker could use this with a malicious application or applet to bypass Java sandbox restrictions. (CVE-2012-0507)

Solution:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 11.10:
- icedtea-6-jre-cacao 6b23~pre11-0ubuntu1.11.10.2
- icedtea-6-jre-jamvm 6b23~pre11-0ubuntu1.11.10.2
- openjdk-6-jre 6b23~pre11-0ubuntu1.11.10.2
- openjdk-6-jre-headless 6b23~pre11-0ubuntu1.11.10.2
- openjdk-6-jre-lib 6b23~pre11-0ubuntu1.11.10.2
- openjdk-6-jre-zero 6b23~pre11-0ubuntu1.11.10.2

Ubuntu 11.04:
- icedtea-6-jre-cacao 6b22-1.10.6-0ubuntu1
- icedtea-6-jre-jamvm 6b22-1.10.6-0ubuntu1
- openjdk-6-jre 6b22-1.10.6-0ubuntu1
- openjdk-6-jre-headless 6b22-1.10.6-0ubuntu1
- openjdk-6-jre-lib 6b22-1.10.6-0ubuntu1
- openjdk-6-jre-zero 6b22-1.10.6-0ubuntu1

Ubuntu 10.10:
- icedtea-6-jre-cacao 6b20-1.9.13-0ubuntu1~10.10.1
- openjdk-6-jre 6b20-1.9.13-0ubuntu1~10.10.1
- openjdk-6-jre-headless 6b20-1.9.13-0ubuntu1~10.10.1
- openjdk-6-jre-lib 6b20-1.9.13-0ubuntu1~10.10.1
- openjdk-6-jre-zero 6b20-1.9.13-0ubuntu1~10.10.1

Ubuntu 10.04 LTS:
- icedtea-6-jre-cacao 6b20-1.9.13-0ubuntu1~10.04.1
- openjdk-6-jre 6b20-1.9.13-0ubuntu1~10.04.1
- openjdk-6-jre-headless 6b20-1.9.13-0ubuntu1~10.04.1
- openjdk-6-jre-lib 6b20-1.9.13-0ubuntu1~10.04.1
- openjdk-6-jre-zero 6b20-1.9.13-0ubuntu1~10.04.1

Advisory entry: http://www.securityspace.com/smysecure/catid.html?in=USN-1373-1

CVSS Score: 10.0
CVSS Vector: AV:L/AC:L/Au:NR/C:C/I:C/A:C

Note that the score and the vector as printed do not agree: a local-access vector (AV:L) with complete impact scores 7.2 under CVSS v2, while 10.0 is the score of the network-reachable vector AV:N/AC:L/Au:N/C:C/I:C/A:C that NVD assigns to the sandbox-bypass issues in this set such as CVE-2012-0507. The 10.0 reflects the worst issue covered by the update, which is reachable through an untrusted applet or application rather than only locally.
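The header cap that this update introduces for CVE-2011-5035 is easier to reason about with a small model of what the attacker sends and what the server does with it. The following is an added Python example, not code from the advisory, from Ubuntu or from OpenJDK: it reproduces Java's String.hashCode, generates request header names that all share one hash value (the collision family behind the n.runs advisory), builds a constructed request from them, and parses it both without a limit (the pre-fix behaviour) and with a 200-header cap standing in for sun.net.httpserver.maxReqHeaders. The parser, the host name example.test and all helper names are assumptions made for the demonstration; the real HttpServer stores headers in its own Headers class, which this model does not reproduce.

```python
import itertools
from typing import Optional

MAX_REQ_HEADERS = 200  # default cap enforced by the fixed HttpServer (sun.net.httpserver.maxReqHeaders)


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over the UTF-16 code units, wrapped to a signed 32-bit int."""
    h = 0
    for c in s:
        h = (31 * h + ord(c)) & 0xFFFFFFFF
    return h - (1 << 32) if h >= (1 << 31) else h


def colliding_names(n_blocks: int) -> list:
    """2**n_blocks distinct strings with identical Java hashCode.

    "Aa" and "BB" both hash to 2112, and hashCode is a polynomial in the characters,
    so every concatenation of n_blocks such blocks lands in the same hash bucket.
    """
    return ["".join(blocks) for blocks in itertools.product(("Aa", "BB"), repeat=n_blocks)]


class TooManyHeaders(ValueError):
    """Raised when a request carries more header lines than the configured cap."""


def parse_request_headers(raw: bytes, max_headers: Optional[int] = MAX_REQ_HEADERS) -> dict:
    """Parse the header block of an HTTP/1.x request into a lower-cased name -> value dict.

    max_headers=None models the pre-fix behaviour: every header line is inserted, so a request
    built from colliding names degrades the server's hash table into one long chain.
    With a cap, the request is rejected before the (cap+1)-th header is inserted.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    header_lines = head.split(b"\r\n")[1:]  # drop the request line
    headers = {}
    for count, line in enumerate(header_lines, start=1):
        if max_headers is not None and count > max_headers:
            raise TooManyHeaders(f"request carries more than {max_headers} headers")
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return headers


def build_collision_request(n_names: int) -> bytes:
    """Constructed attack request: a Host header plus n_names headers whose names share one hashCode."""
    n_blocks = max(1, (n_names - 1).bit_length())  # smallest n with 2**n >= n_names
    names = colliding_names(n_blocks)[:n_names]
    lines = [b"GET / HTTP/1.1", b"Host: example.test"] + [f"{name}: x".encode() for name in names]
    return b"\r\n".join(lines) + b"\r\n\r\n"


def is_rejected(raw: bytes, max_headers: Optional[int] = MAX_REQ_HEADERS) -> bool:
    """True if the parser refuses the request because of the header cap."""
    try:
        parse_request_headers(raw, max_headers)
    except TooManyHeaders:
        return True
    return False


if __name__ == "__main__":
    names = colliding_names(4)
    print(len(names), "names, distinct Java hashes:", len({java_string_hash(n) for n in names}))
    for n, cap in ((199, MAX_REQ_HEADERS), (200, MAX_REQ_HEADERS), (1000, None)):
        verdict = "rejected" if is_rejected(build_collision_request(n), cap) else "accepted"
        print(f"{n} colliding headers + Host, cap {cap}: {verdict}")
```

The point of the cap is that it bounds the attacker's work factor independently of the hash function: with 200 headers the worst case is 200 comparisons per insert, which is nothing, whereas an unbounded request of tens of thousands of colliding names makes each insert walk the whole chain. If an application legitimately needs more than 200 request headers, raise sun.net.httpserver.maxReqHeaders deliberately and keep it as small as the application allows.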
Cross-Ref:

CVE-2011-5035
- Bugtraq 20111228, n.runs-SA-2011.004 (web programming languages and platforms - DoS through hash table): http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
- CERT/CC vulnerability note VU#903934: http://www.kb.cert.org/vuls/id/903934
- Debian DSA-2420: http://www.debian.org/security/2012/dsa-2420
- Gentoo GLSA 201406-32: http://security.gentoo.org/glsa/glsa-201406-32.xml
- HP HPSBMU02797: http://marc.info/?l=bugtraq&m=134254957702612&w=2
- HP HPSBMU02799: http://marc.info/?l=bugtraq&m=134254866602253&w=2
- HP HPSBST02955: http://marc.info/?l=bugtraq&m=139344343412337&w=2
- HP HPSBUX02757: http://marc.info/?l=bugtraq&m=133364885411663&w=2
- HP HPSBUX02784: http://marc.info/?l=bugtraq&m=133847939902305&w=2
- HP SSRT100779, SSRT100867, SSRT100871
- Mandriva MDVSA-2013:150: http://www.mandriva.com/security/advisories?name=MDVSA-2013:150
- n.runs advisory: http://www.nruns.com/_downloads/advisory28122011.pdf
- oCERT-2011-003: http://www.ocert.org/advisories/ocert-2011-003.html
- Proof of concept: https://github.com/FireFart/HashCollision-DOS-POC/blob/master/HashtablePOC.py
- OVAL: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16908
- Red Hat RHSA-2012:0514: http://rhn.redhat.com/errata/RHSA-2012-0514.html
- Red Hat RHSA-2013:1455: http://rhn.redhat.com/errata/RHSA-2013-1455.html
- Secunia: http://secunia.com/advisories/48073, http://secunia.com/advisories/48074, http://secunia.com/advisories/48589, http://secunia.com/advisories/48950, http://secunia.com/advisories/57126
- SUSE SUSE-SU-2012:0603: http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00010.html

CVE-2011-3563
- BugTraq ID 52012: http://www.securityfocus.com/bid/52012
- HP HPSBUX02760: http://marc.info/?l=bugtraq&m=133365109612558&w=2
- HP HPSBUX02777: http://marc.info/?l=bugtraq&m=133728004526190&w=2
- HP SSRT100805, SSRT100854
- OVAL: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14942
- Red Hat RHSA-2012:0508: http://rhn.redhat.com/errata/RHSA-2012-0508.html
- Red Hat RHSA-2012:0702: http://rhn.redhat.com/errata/RHSA-2012-0702.html
- Red Hat RHSA-2012:1080: http://rhn.redhat.com/errata/RHSA-2012-1080.html
- Secunia: http://secunia.com/advisories/48692, http://secunia.com/advisories/48915, http://secunia.com/advisories/48948, http://secunia.com/advisories/49198
- SUSE SUSE-SU-2012:0602: http://lists.opensuse.org/opensuse-security-announce/2012-05/msg00009.html
- SUSE SUSE-SU-2012:0734: http://lists.opensuse.org/opensuse-security-announce/2012-06/msg00009.html
- SUSE SUSE-SU-2012:0881: http://lists.opensuse.org/opensuse-security-announce/2012-07/msg00007.html
- SUSE SUSE-SU-2012:1013: http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00015.html

CVE-2012-0497
- BugTraq ID 52009: http://www.securityfocus.com/bid/52009
- OVAL: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14772

CVE-2012-0501
- BugTraq ID 52013: http://www.securityfocus.com/bid/52013
- OVAL: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15069

CVE-2012-0502
- BugTraq ID 52011: http://www.securityfocus.com/bid/52011
- OVAL: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14900

CVE-2012-0503
- BugTraq ID 52018: http://www.securityfocus.com/bid/52018
- OVAL: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14813

CVE-2012-0505
- BugTraq ID 52017: http://www.securityfocus.com/bid/52017
- OVAL: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13976

CVE-2012-0506
- BugTraq ID 52014: http://www.securityfocus.com/bid/52014
- OVAL: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14082

CVE-2012-0507
- BugTraq ID 52161: http://www.securityfocus.com/bid/52161
- Microsoft Malware Protection Center, "An interesting case of JRE sandbox breach (CVE-2012-0507)": http://blogs.technet.com/b/mmpc/archive/2012/03/20/an-interesting-case-of-jre-sandbox-breach-cve-2012-0507.aspx
- Krebs on Security, "New Java attack rolled into exploit packs": http://krebsonsecurity.com/2012/03/new-java-attack-rolled-into-exploit-packs/
- IKVM weblog: http://weblog.ikvm.net/PermaLink.aspx?guid=cd48169a-9405-4f63-9087-798c4a1866d3
Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com