The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Java JDK/JRE/SDK: several vulnerabilities

Synthesis of the vulnerability 

Several vulnerabilities were announced in Java JDK/JRE/SDK.
Vulnerable products: Fedora, NLD, OES, openSUSE, Java Oracle, RHEL, SLES, ESX.
Severity of this weakness: 4/4.
Number of vulnerabilities in this bulletin: 7.
Creation date: 04/03/2008.
Revision date: 06/03/2008.
References of this bulletin: 233321, 233322, 233323, 233324, 233325, 233326, 233327, 6587132, 6588002, 6593303, 6605184, 6605187, 6608712, 6609756, 6611594, 6623233, 6633265, 6633278, 6634129, 6660121, 6660717, BID-28083, BID-28125, CERTA-2008-AVI-118, CERTA-2008-AVI-476, CESA-2007-005, CVE-2008-1185, CVE-2008-1186, CVE-2008-1187, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, CVE-2008-1192, CVE-2008-1193, CVE-2008-1194, CVE-2008-1195, CVE-2008-1196, FEDORA-2008-2229, RHSA-2008:0186-01, RHSA-2008:0210-01, RHSA-2008:0243-01, RHSA-2008:0244-01, RHSA-2008:0245-01, RHSA-2008:0267-01, RHSA-2008:0555-01, SUSE-SA:2008:018, SUSE-SA:2008:025, VIGILANCE-VUL-7632, VMSA-2008-00010.3, VU#223028, ZDI-08-009, ZDI-08-010.

Description of the vulnerability 

Several vulnerabilities were announced in Java JDK/JRE/SDK.

An applet can use two vulnerabilities of the Java Runtime Environment Virtual Machine to access files or execute code. [severity:4/4; 233321, 6587132, 6593303, CERTA-2008-AVI-118, CERTA-2008-AVI-476, CVE-2008-1185, CVE-2008-1186]

An applet can use XSLT to access resources via a URL, execute code or create a denial of service. [severity:3/4; 233322, 6588002, CVE-2008-1187]

Three buffer overflows in Java Web Start permit an application to execute code. Two other vulnerabilities can be used to access files. [severity:4/4; 233323, 6605184, 6605187, 6609756, 6611594, 6623233, CVE-2008-1188, CVE-2008-1189, CVE-2008-1190, CVE-2008-1191, ZDI-08-009, ZDI-08-010]

An applet can execute software installed on the computer. [severity:3/4; 233324, 6608712, CVE-2008-1192]

An applet can use a malicious image in order to execute code or to create a denial of service. [severity:4/4; 233325, 6633265, 6633278, 6660717, BID-28125, CESA-2007-005, CVE-2008-1193, CVE-2008-1194]

JavaScript code can use the JRE to connect to network services. [severity:2/4; 233326, 6634129, CVE-2008-1195]

An application can create an overflow in Java Web Start in order to execute code. [severity:4/4; 233327, 6660121, CVE-2008-1196, VU#223028]

This cybersecurity vulnerability impacts software or systems such as Fedora, NLD, OES, openSUSE, Java Oracle, RHEL, SLES, ESX.

Our Vigil@nce team determined that the severity of this vulnerability is critical.

The trust level is "confirmed by the editor", with an origin of type "document".

This bulletin is about 7 vulnerabilities.

An attacker with expert ability can exploit this weakness.

Solutions for this threat 

Java JDK/JRE: version 6 Update 5.
Version 6 Update 5 is corrected:
  http://java.sun.com/

Java JDK/JRE: version 5.0 Update 15.
Version 5.0 Update 15 is corrected:
  http://java.sun.com/

Java SDK/JRE: version 1.4.2_17.
Version 1.4.2_17 is corrected:
  http://java.sun.com/

Java SDK/JRE: version 1.3.1_22.
Version 1.3.1_22 is corrected:
  http://java.sun.com/
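To verify that an installed Sun JRE/JDK is at or above the corrected levels listed above, the following Python script (an added example, not part of the Vigil@nce bulletin) parses `java -version` output and compares the reported version against the four fixed releases (6 Update 5, 5.0 Update 15, 1.4.2_17, 1.3.1_22). The sample outputs are constructed, and the output format `java version "1.x.y_NN"` is assumed for the Sun releases named above; other vendors' builds use different numbering and are not covered by this check.

```python
import re
import subprocess

# Fixed versions from the bulletin, keyed by Java family.
# Java 6 Update 5 -> 1.6.0_05, 5.0 Update 15 -> 1.5.0_15, etc.
FIXED_VERSIONS = {
    "1.6": (1, 6, 0, 5),
    "1.5": (1, 5, 0, 15),
    "1.4": (1, 4, 2, 17),
    "1.3": (1, 3, 1, 22),
}

# First line of `java -version`, e.g. java version "1.6.0_05"
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, minor, micro, update) parsed from `java -version` output.
    The update number defaults to 0 when the string carries none."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised java -version output: %r" % output)
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def is_fixed(version):
    """Return (fixed, required) for a parsed version tuple.
    fixed is True/False when the family is covered by this bulletin,
    None when it is not (required is then None as well)."""
    family = "%d.%d" % (version[0], version[1])
    required = FIXED_VERSIONS.get(family)
    if required is None:
        return None, None
    # Tuple comparison orders (major, minor, micro, update) lexicographically.
    return version >= required, required


def classify(output):
    """Map one `java -version` output to 'fixed', 'vulnerable' or 'not covered'."""
    fixed, _ = is_fixed(parse_java_version(output))
    if fixed is None:
        return "not covered"
    return "fixed" if fixed else "vulnerable"


# Constructed sample outputs (hypothetical hosts, not real data).
SAMPLE_OUTPUTS = {
    "jre6-old": 'java version "1.6.0_03"\nJava(TM) SE Runtime Environment (build 1.6.0_03-b05)',
    "jre6-fixed": 'java version "1.6.0_05"\nJava(TM) SE Runtime Environment (build 1.6.0_05-b13)',
    "jre5-fixed": 'java version "1.5.0_15"',
    "jre142-old": 'java version "1.4.2_16"',
    "jre131-fixed": 'java version "1.3.1_22"',
    "jre7": 'java version "1.7.0"',
}


def audit_samples(outputs=SAMPLE_OUTPUTS):
    """Classify every sample; returns {label: status}."""
    return {label: classify(text) for label, text in outputs.items()}


def audit_local_java():
    """Run the real `java -version` on this host (it prints to stderr)."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return classify(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for label, status in audit_samples().items():
        print("%-14s %s" % (label, status))
```

Usage: run the script as-is to see the constructed samples classified, or call `audit_local_java()` on a host to check the JRE on its PATH; any result of "vulnerable" means the installed version is below the corrected release for its family.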

Fedora 7: new phpMyAdmin packages.
New packages are available:
  phpMyAdmin-2.11.5-1.fc7

RHEL 3E, 4E, 5S: new java-1.4.2-bea packages.
New packages are available:
Red Hat Enterprise Linux AS version 3 Extras: java-1.4.2-bea-1.4.2.16-1jpp.2.el3
Red Hat Enterprise Linux AS version 4 Extras: java-1.4.2-bea-1.4.2.16-1jpp.4.el4
RHEL Desktop Supplementary version 5: java-1.4.2-bea-1.4.2.16-1jpp.2.el5

RHEL 3E, 4E, 5S: new java-1.4.2-ibm packages.
New packages are available:
Red Hat Enterprise Linux version 3 Extras: java-1.4.2-ibm-1.4.2.11-1jpp.2.el3
Red Hat Enterprise Linux version 4 Extras: java-1.4.2-ibm-1.4.2.11-1jpp.2.el4
Red Hat Enterprise Linux version 5 Supplementary: java-1.4.2-ibm-1.4.2.11-1jpp.2.el5

RHEL 4E, 5S: new java-1.5.0-bea packages.
New packages are available:
Red Hat Enterprise Linux AS version 4 Extras: java-1.5.0-bea-1.5.0.14-1jpp.2.el4
RHEL Supplementary version 5: java-1.5.0-bea-1.5.0.14-1jpp.2.el5

RHEL 4E, 5S: new java-1.5.0-ibm packages.
New packages are available.

RHEL 4E, 5S: new java-1.5.0-sun packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras: java-1.5.0-sun-1.5.0.15-1jpp.2.el4
Red Hat Enterprise Linux version 4 Supplementary: java-1.5.0-sun-1.5.0.15-1jpp.2.el5

RHEL 5S: new java-1.6.0-bea packages.
New packages are available:
RHEL Desktop Supplementary version: java-1.6.0-bea-1.6.0.03-1jpp.2.el5

RHEL 5S: new java-1.6.0-ibm packages.
New packages are available:
  java-1.6.0-ibm-1.6.0.1-1jpp.2.el5

SUSE: new IBM Java packages.
New packages are available:
   SUSE Linux Enterprise Desktop 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
   SUSE Linux Enterprise Server 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   SLE SDK 10 SP1
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   Open Enterprise Server
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   Novell Linux POS 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   SUSE SLES 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html

SUSE: new Sun Java packages.
New packages are available.

VMware ESX: patch for Tomcat and Java JRE.
A patch is available:
VMware ESX 3.5 patch ESX350-200806404-SG
http://download3.vmware.com/software/esx/ESX350-200806404-SG.zip
md5sum: 669e97880a21cce13eb7e9051f403162
http://kb.vmware.com/kb/1005219
ESX 3.0.3 patch ESX303-200808407-SG
http://download3.vmware.com/software/vi/ESX303-200808407-SG.zip
md5sum: 083cee0475a8f73e511199800e8c3af4
http://kb.vmware.com/kb/1006358
ESX 3.0.2 patch ESX-1006360
http://download3.vmware.com/software/vi/ESX-1006360.tgz
md5sum: 5d2d629b6c4b1894571742569ae2e2da
http://kb.vmware.com/kb/1006360
ESX 3.0.1 patch ESX-1006359
http://download3.vmware.com/software/vi/ESX-1006359.tgz
md5sum: 2224d6e27b86f3155ce9d5895f1f191a
http://kb.vmware.com/kb/1006359

Computer vulnerabilities tracking service 

Vigil@nce provides a computer security alert. The Vigil@nce vulnerability database contains several thousand vulnerabilities.