Test ID:	1.3.6.1.4.1.25623.1.0.881557
Category:	CentOS Local Security Checks
Title:	CentOS Update for java CESA-2013:0165 centos5
Summary:	The remote host is missing an update for the 'java'; package(s) announced via the referenced advisory.
Description:	Summary: The remote host is missing an update for the 'java' package(s) announced via the referenced advisory. Vulnerability Insight: These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit. Two improper permission check issues were discovered in the reflection API in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-3174, CVE-2013-0422) This erratum also upgrades the OpenJDK package to IcedTea7 2.3.4. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect. Affected Software/OS: java on CentOS 5 Solution: Please install the updated packages. CVSS Score: 10.0 CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2012-3174 http://www.mandriva.com/security/advisories?name=MDVSA-2013:095 http://blog.fuseyism.com/index.php/2013/01/15/security-icedtea-2-1-4-2-2-4-2-3-4-released/ RedHat Security Advisories: RHSA-2013:0156 http://rhn.redhat.com/errata/RHSA-2013-0156.html RedHat Security Advisories: RHSA-2013:0165 http://rhn.redhat.com/errata/RHSA-2013-0165.html SuSE Security Announcement: openSUSE-SU-2013:0199 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2013-01/msg00025.html http://www.ubuntu.com/usn/USN-1693-1 Common Vulnerability Exposure (CVE) ID: CVE-2013-0422 Bugtraq: 20130110 [SE-2012-01] 'Fix' for Issue 32 exploited by new Java 0-day code (Google Search) http://seclists.org/bugtraq/2013/Jan/48 Cert/CC Advisory: TA13-010A http://www.us-cert.gov/cas/techalerts/TA13-010A.html CERT/CC vulnerability note: VU#625617 http://www.kb.cert.org/vuls/id/625617 http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html http://immunityproducts.blogspot.ca/2013/01/confirmed-java-only-fixed-one-of-two.html http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/ http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/ http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html https://partners.immunityinc.com/idocs/Java%20MBeanInstantiator.findClass%200day%20Analysis.pdf https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013 https://www-304.ibm.com/connections/blogs/PSIRT/entry/oracle_java_7_security_manager_bypass_vulnerability_cve_2013_04224?lang=en_us
Copyright	Copyright (C) 2013 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.