Vulnerability of Java JRE/JDK/SDK: several vulnerabilities

Synthesis of the vulnerability 

Several vulnerabilities in Java JRE/JDK/SDK can be used by a malicious applet or application to execute code or to obtain information. A legitimate applet or application that handles malicious data can also be forced to execute code.
Impacted software: Fedora, HPE NNMi, HP-UX, Mandriva Linux, NLD, OES, Java OpenJDK, openSUSE, Java Oracle, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.
Severity of this computer vulnerability: 3/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 31/03/2010.
References for this bulletin: BID-39062, BID-39065, BID-39067, BID-39068, BID-39069, BID-39070, BID-39071, BID-39072, BID-39073, BID-39075, BID-39077, BID-39078, BID-39081, BID-39082, BID-39083, BID-39084, BID-39085, BID-39086, BID-39088, BID-39089, BID-39090, BID-39091, BID-39093, BID-39094, BID-39095, BID-39096, BID-39559, c02122104, c03405642, CERTA-2009-AVI-528, CERTA-2010-AVI-149, CERTA-2010-AVI-192, CERTA-2010-AVI-196, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-276, CERTA-2010-AVI-365, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2011-AVI-253, CERTA-2012-AVI-241, CERTA-2012-AVI-395, CVE-2009-3555, CVE-2009-3910, CVE-2010-0082, CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849, CVE-2010-0850, FEDORA-2010-6025, FEDORA-2010-6039, FEDORA-2010-6279, HPSBMU02799, HPSBUX02524, javacpumar2010, MDVSA-2010:084, RHSA-2010:0337-01, RHSA-2010:0338-01, RHSA-2010:0339-01, RHSA-2010:0383-01, RHSA-2010:0408-01, RHSA-2010:0471-01, RHSA-2010:0489-01, RHSA-2010:0574-01, RHSA-2010:0586-01, RHSA-2010:0865-02, SSRT100089, SSRT100867, SUSE-SA:2010:026, SUSE-SA:2010:028, SUSE-SR:2010:008, SUSE-SR:2010:011, SUSE-SR:2010:013, SUSE-SR:2010:017, VIGILANCE-VUL-9550, VMSA-2011-0003, VMSA-2011-0003.1, VMSA-2011-0003.2, VU#507652, ZDI-10-051, ZDI-10-052, ZDI-10-053, ZDI-10-054, ZDI-10-055, ZDI-10-056, ZDI-10-057, ZDI-10-059, ZDI-10-060, ZDI-10-061.

Description of the vulnerability 

Several vulnerabilities were announced in Java JRE/JDK/SDK. The most severe vulnerabilities lead to code execution.

Twenty-four vulnerabilities lead to code execution. [severity:3/4; BID-39062, BID-39065, BID-39067, BID-39068, BID-39069, BID-39070, BID-39071, BID-39072, BID-39073, BID-39075, BID-39077, BID-39078, BID-39081, BID-39082, BID-39083, BID-39084, BID-39085, BID-39086, BID-39088, BID-39089, BID-39090, BID-39091, BID-39094, CERTA-2009-AVI-528, CERTA-2010-AVI-149, CERTA-2010-AVI-196, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-276, CERTA-2010-AVI-365, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2011-AVI-253, CERTA-2012-AVI-241, CVE-2009-3555, CVE-2010-0082, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088, CVE-2010-0090, CVE-2010-0092, CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837, CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841, CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845, CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849, CVE-2010-0850, VU#507652, ZDI-10-051, ZDI-10-052, ZDI-10-053, ZDI-10-054, ZDI-10-055, ZDI-10-056, ZDI-10-057, ZDI-10-059, ZDI-10-060, ZDI-10-061]

An attacker can obtain sensitive information. [severity:2/4; BID-39093, CERTA-2010-AVI-192, CVE-2010-0084]

An attacker can generate a denial of service of Java Web Start. [severity:2/4; BID-39095, CVE-2010-0089]

An attacker can obtain sensitive information. [severity:2/4; BID-39096, CVE-2010-0091]

A buffer overflow in HsbParser.getSoundBank() leads to code execution. [severity:3/4; BID-39559, CVE-2009-3910]

This bulletin affects software and systems including Fedora, HPE NNMi, HP-UX, Mandriva Linux, NLD, OES, Java OpenJDK, openSUSE, Java Oracle, RHEL, SLES, ESX, ESXi, vCenter Server, VirtualCenter, VMware vSphere, VMware vSphere Hypervisor.

The Vigil@nce team rates the severity of this bulletin as important (3/4).

Trust level: confirmed by the vendor (source: vendor document).

This bulletin is about 5 vulnerabilities.

A proof of concept or an attack tool is available, so this alert should be processed. An attacker with beginner-level skills can exploit these vulnerabilities.

Solutions for this threat 

Java JRE/JDK: version 6 Update 19.
Version 6 Update 19 is fixed:
  http://java.com/
  http://java.sun.com/

Java JRE/JDK: version 5.0 Update 24.
Version 5.0 Update 24 is fixed:
  http://java.com/
  http://java.sun.com/

Java JRE/SDK: version 1.4.2_26.
Version 1.4.2_26 is fixed:
  http://java.com/
  http://java.sun.com/
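To check a Sun/Oracle Java installation against the three fixed releases listed above, here is an added Python example; it is not part of the Vigil@nce bulletin. It assumes the usual `java -version` naming (6 Update 19 prints as 1.6.0_19, 5.0 Update 24 as 1.5.0_24) and uses constructed sample transcripts; distribution builds (OpenJDK, IBM) are flagged separately because they backport fixes without bumping the update number and must be checked by package version instead.

```python
import re

# Fixed Sun/Oracle releases from the bulletin, keyed by version family.
# Assumed mapping: "6 Update 19" is reported by `java -version` as 1.6.0_19.
FIXED_UPDATE = {
    (1, 6, 0): 19,   # Java JRE/JDK 6 Update 19
    (1, 5, 0): 24,   # Java JRE/JDK 5.0 Update 24
    (1, 4, 2): 26,   # Java JRE/SDK 1.4.2_26
}

VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')

def parse_java_version(output):
    """Return ((major, minor, micro), update) parsed from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    family = tuple(int(m.group(i)) for i in (1, 2, 3))
    update = int(m.group(4) or 0)
    return family, update

def assess(output):
    """Classify a `java -version` transcript against the bulletin's fixed releases.

    Returns "fixed", "vulnerable", "unsupported-family", "distribution-package" or "unparsed".
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return "unparsed"
    # OpenJDK and IBM builds keep their own package versioning, so the Sun update
    # number says nothing about patch status; compare the package version instead.
    if "OpenJDK" in output or "IBM" in output:
        return "distribution-package"
    family, update = parsed
    if family not in FIXED_UPDATE:
        return "unsupported-family"   # release family not covered by this bulletin
    return "fixed" if update >= FIXED_UPDATE[family] else "vulnerable"

# Constructed sample transcripts (not taken from the bulletin).
SAMPLES = {
    "sun_6u18": 'java version "1.6.0_18"\nJava(TM) SE Runtime Environment (build 1.6.0_18-b07)\n',
    "sun_6u19": 'java version "1.6.0_19"\nJava(TM) SE Runtime Environment (build 1.6.0_19-b04)\n',
    "sun_142_25": 'java version "1.4.2_25"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_25-b03)\n',
    "openjdk": 'java version "1.6.0_0"\nOpenJDK Runtime Environment (IcedTea6 1.6) (constructed-34.b17)\n',
}

if __name__ == "__main__":
    for name, out in SAMPLES.items():
        print(name, "->", assess(out))
```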

Fedora: new java-1.6.0-openjdk packages.
New packages are available:
  java-1.6.0-openjdk-1.6.0.0-34.b17.fc11
  java-1.6.0-openjdk-1.6.0.0-37.b17.fc12
  java-1.6.0-openjdk-1.6.0.0-37.b17.fc13

HP NNMi 9.0: hotfix for JDK.
A hotfix is available:
  HP-UX: Patch 5: Hotfix-NNMi-9.0xP5-HP-UX-JDK-20120710.zip
  Linux: Patch 5: Hotfix-NNMi-9.0xP5-Linux-JDK-20120523.zip
  Solaris: Patch 5: Hotfix-NNMi-9.0xP5-Solaris-JDK-20120523.zip
  Windows: Patch 5: Hotfix-NNMi-9.0xP5-Windows-JDK-20120523.zip

HP-UX: version 1.4.2.25.00, 1.5.0.20.00, 1.6.0.07.00.
The following revisions are fixed:
http://www.hp.com/go/java
  1.4.2.25.00
  1.5.0.20.00
  1.6.0.07.00

Mandriva: new java-1.6.0-openjdk packages.
New packages are available:
  Mandriva Linux 2009.0: java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.0
  Mandriva Linux 2009.1: java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2009.1
  Mandriva Linux 2010.0: java-1.6.0-openjdk-1.6.0.0-2.b18.2mdv2010.0
  Mandriva Enterprise Server 5: java-1.6.0-openjdk-1.6.0.0-2.b18.2mdvmes5.1

Red Hat Network Satellite Server: new java-1.6.0-ibm packages.
New packages are available:
Red Hat Network Satellite Server 5.3 (RHEL v.4):
  java-1.6.0-ibm-1.6.0.8-1jpp.1.el4
Red Hat Network Satellite Server 5.3 (RHEL v.5):
  java-1.6.0-ibm-1.6.0.8-1jpp.1.el5

RHEL 3E, 4E, 5S: new java-1.4.2-ibm packages.
New packages are available:
Red Hat Enterprise Linux version 3 Extras:
  java-1.4.2-ibm-1.4.2.13.5-1jpp.1.el3
Red Hat Enterprise Linux version 4 Extras:
  java-1.4.2-ibm-1.4.2.13.5-1jpp.1.el4
Red Hat Enterprise Linux version 5 Supplementary:
  java-1.4.2-ibm-1.4.2.13.5-1jpp.1.el5

RHEL 4, 5 SAP: new java-1.4.2-ibm packages.
New packages are available:
RHEL 4 AS for SAP:
  java-1.4.2-ibm-1.4.2.13.4.sap-1jpp.1.el4_8
RHEL 5 Server for SAP:
  java-1.4.2-ibm-1.4.2.13.4.sap-1jpp.1.el5

RHEL 4E, 5S: new java-1.5.0-ibm packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras:
  java-1.5.0-ibm-1.5.0.11.2-1jpp.1.el4
Red Hat Enterprise Linux version 5 Supplementary:
  java-1.5.0-ibm-1.5.0.11.2-1jpp.1.el5

RHEL 4E, 5S: new java-1.5.0-sun packages.
New packages are available:
These packages uninstall old versions.
Red Hat Enterprise Linux version 4 Extras:
  java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el4
Red Hat Enterprise Linux version 5 Supplementary:
  java-1.5.0-sun-uninstall-1.5.0.22-1jpp.3.el5

RHEL 4E, 5S: new java-1.6.0-ibm packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras:
  java-1.6.0-ibm-1.6.0.8-1jpp.1.el4
Red Hat Enterprise Linux version 5 Supplementary:
  java-1.6.0-ibm-1.6.0.8-1jpp.1.el5

RHEL 4E, 5S: new java-1.6.0-sun packages.
New packages are available:
Red Hat Enterprise Linux version 4 Extras:
  java-1.6.0-sun-1.6.0.19-1jpp.1.el4
Red Hat Enterprise Linux version 5 Supplementary:
  java-1.6.0-sun-1.6.0.19-1jpp.1.el5

RHEL 5: new java-1.6.0-openjdk packages.
New packages are available:
Red Hat Enterprise Linux 5:
  java-1.6.0-openjdk-1.6.0.0-1.11.b16.el5

RHEL 6.0: new java-1.6.0-openjdk packages.
New packages are available:
  java-1.6.0-openjdk-1.6.0.0-1.31.b17.el6_0

RHEL SAP: new java-1.4.2-ibm-sap packages.
New packages are available:
RHEL 4 for SAP:
  java-1.4.2-ibm-sap-1.4.2.13.5.sap-1jpp.1.el4_8
RHEL 5 for SAP:
  java-1.4.2-ibm-sap-1.4.2.13.5.sap-1jpp.1.el5

SUSE LE 11: new java-1_6_0-ibm packages.
New packages are available:
SUSE Linux Enterprise Server 11 SP1
SUSE Linux Enterprise Java 11 SP1
SUSE Linux Enterprise Software Development Kit 11 SP1
  http://download.novell.com/patch/finder/?keywords=22b7b43ee38cfc5dac6ddc1fad1d45e5
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Software Development Kit 11
  http://download.novell.com/patch/finder/?keywords=a1c03b73aa6d1ead4ac038bf35d86be9

SUSE LE 9, 10: new java-1_5_0-ibm packages.
New packages are available, as indicated in information sources.

SUSE: new packages (07/04/2010).
New packages are available, as indicated in information sources.

SUSE: new packages (10/05/2010).
New packages are available, as indicated in information sources.

SUSE: new packages (14/06/2010).
New packages are available, as indicated in information sources.

SUSE: new packages (21/09/2010).
New packages are available, as indicated in information sources.

VMware: fixed versions.
The following versions are fixed:
VMware vCenter Server 4.1 Update 1 and modules
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://downloads.vmware.com/support/pubs/vs_pages/vsp_pubs_esx41_vc41.html
VMware vCenter Server 4.0 Update 3
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://www.vmware.com/support/vsphere4/doc/vsp_vc40_u3_rel_notes.html
ESXi 4.1 Installable Update 1
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://downloads.vmware.com/support/vsphere4/doc/vsp_esxi41_u1_rel_notes.html
  http://kb.vmware.com/kb/1027919
ESX 4.1 Update 1
  http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vsphere_4/4_0
  http://downloads.vmware.com/support/vsphere4/doc/vsp_esx41_u1_rel_notes.html
  http://kb.vmware.com/kb/1029353
ESXi 4.0
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-274-20110303-677367/ESXi400-201103001.zip
  http://kb.vmware.com/kb/1032823
ESX 4.0
  https://hostupdate.vmware.com/software/VUM/OFFLINE/release-273-20110303-574144/ESX400-201103001.zip
  http://kb.vmware.com/kb/1032822