ID CVE-2012-0507
Summary Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the previous information was obtained from the February 2012 Oracle CPU. Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions. NOTE: this issue was originally mapped to CVE-2011-3571, but that identifier was already assigned to a different issue.
References
Vulnerable Configurations
  • Sun JRE 1.5.0
    cpe:2.3:a:sun:jre:1.5.0
  • Sun JRE 1.5.0_1 (JRE 5.0 Update 1)
    cpe:2.3:a:sun:jre:1.5.0:update1
  • Sun JRE 1.5.0_10 (JRE 5.0 Update 10)
    cpe:2.3:a:sun:jre:1.5.0:update10
  • Sun JRE 1.5.0_11 (JRE 5.0 Update 11)
    cpe:2.3:a:sun:jre:1.5.0:update11
  • Sun JRE 1.5.0_12 (JRE 5.0 Update 12)
    cpe:2.3:a:sun:jre:1.5.0:update12
  • Sun JRE 1.5.0_13 (JRE 5.0 Update 13)
    cpe:2.3:a:sun:jre:1.5.0:update13
  • Sun JRE 1.5.0_14 (JRE 5.0 Update 14)
    cpe:2.3:a:sun:jre:1.5.0:update14
  • Sun JRE 1.5.0_15 (JRE 5.0 Update 15)
    cpe:2.3:a:sun:jre:1.5.0:update15
  • Sun JRE 1.5.0_16 (JRE 5.0 Update 16)
    cpe:2.3:a:sun:jre:1.5.0:update16
  • Sun JRE 1.5.0_17 (JRE 5.0 Update 17)
    cpe:2.3:a:sun:jre:1.5.0:update17
  • Sun JRE 1.5.0_18 (JRE 5.0 Update 18)
    cpe:2.3:a:sun:jre:1.5.0:update18
  • Sun JRE 1.5.0_19 (JRE 5.0 Update 19)
    cpe:2.3:a:sun:jre:1.5.0:update19
  • Sun JRE 1.5.0_2 (JRE 5.0 Update 2)
    cpe:2.3:a:sun:jre:1.5.0:update2
  • Sun JRE 1.5.0_20 (JRE 5.0 Update 20)
    cpe:2.3:a:sun:jre:1.5.0:update20
  • Sun JRE 1.5.0_21 (JRE 5.0 Update 21)
    cpe:2.3:a:sun:jre:1.5.0:update21
  • Sun JRE 1.5.0_22 (JRE 5.0 Update 22)
    cpe:2.3:a:sun:jre:1.5.0:update22
  • Sun JRE 1.5.0_23 (JRE 5.0 Update 23)
    cpe:2.3:a:sun:jre:1.5.0:update23
  • Sun JRE 1.5.0_24 (JRE 5.0 Update 24)
    cpe:2.3:a:sun:jre:1.5.0:update24
  • Sun JRE 1.5.0_25 (JRE 5.0 Update 25)
    cpe:2.3:a:sun:jre:1.5.0:update25
  • Sun JRE 1.5.0_26 (JRE 5.0 Update 26)
    cpe:2.3:a:sun:jre:1.5.0:update26
  • Sun JRE 1.5.0_27 (JRE 5.0 Update 27)
    cpe:2.3:a:sun:jre:1.5.0:update27
  • Sun JRE 1.5.0_28 (JRE 5.0 Update 28)
    cpe:2.3:a:sun:jre:1.5.0:update28
  • Sun JRE 1.5.0_29 (JRE 5.0 Update 29)
    cpe:2.3:a:sun:jre:1.5.0:update29
  • Sun JRE 1.5.0_3 (JRE 5.0 Update 3)
    cpe:2.3:a:sun:jre:1.5.0:update3
  • Sun JRE 1.5.0_31 (JRE 5.0 Update 31)
    cpe:2.3:a:sun:jre:1.5.0:update31
  • Sun JRE 1.5.0_33 (JRE 5.0 Update 33)
    cpe:2.3:a:sun:jre:1.5.0:update33
  • Sun JRE 1.5.0_4 (JRE 5.0 Update 4)
    cpe:2.3:a:sun:jre:1.5.0:update4
  • Sun JRE 1.5.0_5 (JRE 5.0 Update 5)
    cpe:2.3:a:sun:jre:1.5.0:update5
  • Sun JRE 1.5.0_6 (JRE 5.0 Update 6)
    cpe:2.3:a:sun:jre:1.5.0:update6
  • Sun JRE 1.5.0_7 (JRE 5.0 Update 7)
    cpe:2.3:a:sun:jre:1.5.0:update7
  • Sun JRE 1.5.0_8 (JRE 5.0 Update 8)
    cpe:2.3:a:sun:jre:1.5.0:update8
  • Sun JRE 1.5.0_9 (JRE 5.0 Update 9)
    cpe:2.3:a:sun:jre:1.5.0:update9
  • Oracle JRE 1.6.0 Update 22
    cpe:2.3:a:oracle:jre:1.6.0:update_22
  • Oracle JRE 1.6.0 Update 23
    cpe:2.3:a:oracle:jre:1.6.0:update_23
  • Oracle JRE 1.6.0 Update 24
    cpe:2.3:a:oracle:jre:1.6.0:update_24
  • Oracle JRE 1.6.0 Update 25
    cpe:2.3:a:oracle:jre:1.6.0:update_25
  • Oracle JRE 1.6.0 Update 26
    cpe:2.3:a:oracle:jre:1.6.0:update_26
  • Oracle JRE 1.6.0 Update 27
    cpe:2.3:a:oracle:jre:1.6.0:update_27
  • Oracle JRE 1.6.0 Update 29
    cpe:2.3:a:oracle:jre:1.6.0:update_29
  • Oracle JRE 1.6.0 Update 30
    cpe:2.3:a:oracle:jre:1.6.0:update_30
  • Sun JRE 1.6.0
    cpe:2.3:a:sun:jre:1.6.0
  • Sun JRE 1.6.0 Update 1
    cpe:2.3:a:sun:jre:1.6.0:update_1
  • Sun JRE 1.6.0 Update 10
    cpe:2.3:a:sun:jre:1.6.0:update_10
  • Sun JRE 1.6.0 Update 11
    cpe:2.3:a:sun:jre:1.6.0:update_11
  • Sun JRE 1.6.0 Update 12
    cpe:2.3:a:sun:jre:1.6.0:update_12
  • Sun JRE 1.6.0 Update 13
    cpe:2.3:a:sun:jre:1.6.0:update_13
  • Sun JRE 1.6.0 Update 14
    cpe:2.3:a:sun:jre:1.6.0:update_14
  • Sun JRE 1.6.0 Update 15
    cpe:2.3:a:sun:jre:1.6.0:update_15
  • Sun JRE 1.6.0 Update 16
    cpe:2.3:a:sun:jre:1.6.0:update_16
  • Sun JRE 1.6.0 Update 17
    cpe:2.3:a:sun:jre:1.6.0:update_17
  • Sun JRE 1.6.0 Update 18
    cpe:2.3:a:sun:jre:1.6.0:update_18
  • Sun JRE 1.6.0 Update 19
    cpe:2.3:a:sun:jre:1.6.0:update_19
  • Sun JRE 1.6.0 Update 2
    cpe:2.3:a:sun:jre:1.6.0:update_2
  • Sun JRE 1.6.0 Update 20
    cpe:2.3:a:sun:jre:1.6.0:update_20
  • Sun JRE 1.6.0 Update 21
    cpe:2.3:a:sun:jre:1.6.0:update_21
  • Sun JRE 1.6.0 Update 3
    cpe:2.3:a:sun:jre:1.6.0:update_3
  • Sun JRE 1.6.0 Update 4
    cpe:2.3:a:sun:jre:1.6.0:update_4
  • Sun JRE 1.6.0 Update 5
    cpe:2.3:a:sun:jre:1.6.0:update_5
  • Sun JRE 1.6.0 Update 6
    cpe:2.3:a:sun:jre:1.6.0:update_6
  • Sun JRE 1.6.0 Update 7
    cpe:2.3:a:sun:jre:1.6.0:update_7
  • Oracle JRE 1.7.0
    cpe:2.3:a:oracle:jre:1.7.0
  • Oracle JRE 1.7.0 update1
    cpe:2.3:a:oracle:jre:1.7.0:update1
  • Oracle JRE 1.7.0 update2
    cpe:2.3:a:oracle:jre:1.7.0:update2
CVSS
Base: 10.0 (as of 08-06-2012 - 13:24)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
exploit-db via4
description Java AtomicReferenceArray Type Violation Vulnerability. CVE-2012-0507. Remote exploits for multiple platform
id EDB-ID:18679
last seen 2016-02-02
modified 2012-03-30
published 2012-03-30
reporter metasploit
source https://www.exploit-db.com/download/18679/
title Java AtomicReferenceArray Type Violation Vulnerability
metasploit via4
  • description This module exploits a vulnerability due to the fact that AtomicReferenceArray uses the Unsafe class to store a reference in an array directly, which may violate type safety if not used properly. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.
    id MSF:EXPLOIT/MULTI/BROWSER/JAVA_ATOMICREFERENCEARRAY
    last seen 2018-09-04
    modified 2017-07-24
    published 2012-03-29
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_atomicreferencearray.rb
    title Java AtomicReferenceArray Type Violation Vulnerability
  • description This module exploits a vulnerability in HotSpot bytecode verifier where an invalid optimization of GETFIELD/PUTFIELD/GETSTATIC/PUTSTATIC instructions leads to insufficient type checks. This allows a way to escape the JRE sandbox, and load additional classes in order to perform malicious operations.
    id MSF:EXPLOIT/MULTI/BROWSER/JAVA_VERIFIER_FIELD_ACCESS
    last seen 2018-08-27
    modified 2017-08-29
    published 2012-07-10
    reliability Excellent
    reporter Rapid7
    source https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/browser/java_verifier_field_access.rb
    title Java Applet Field Bytecode Verifier Cache Remote Code Execution
nessus via4
  • NASL family Misc.
    NASL id VMWARE_VCENTER_VMSA-2012-0013.NASL
    description The version of VMware vCenter installed on the remote host is 4.0 earlier than Update 4a, 4.1 earlier than Update 3, or 5.0 earlier than Update 2. As such, it is potentially affected by multiple vulnerabilities in the included Oracle (Sun) Java Runtime Environment.
    last seen 2018-09-01
    modified 2018-08-06
    plugin id 66806
    published 2013-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66806
    title VMware vCenter Multiple Vulnerabilities (VMSA-2012-0013)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_JAVA_10_6_UPDATE7.NASL
    description The remote Mac OS X host is running a version of Java for Mac OS X 10.6 that is missing Update 7, which updates the Java version to 1.6.0_31. As such, it is affected by several security vulnerabilities, the most serious of which may allow an untrusted Java applet to execute arbitrary code with the privileges of the current user outside the Java sandbox.
    last seen 2018-09-01
    modified 2018-07-14
    plugin id 58605
    published 2012-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58605
    title Mac OS X : Java for Mac OS X 10.6 Update 7
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2012-0135.NASL
    description Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497) It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-0505) The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2011-3571) It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions. (CVE-2012-0503) The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200. (CVE-2011-5035) The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory. (CVE-2011-3563) A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information. (CVE-2012-0502) It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data. (CVE-2012-0506) An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened. (CVE-2012-0501) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 57961
    published 2012-02-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57961
    title CentOS 6 : java-1.6.0-openjdk (CESA-2012:0135)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0322.NASL
    description From Red Hat Security Advisory 2012:0322 : Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497) It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-0505) The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2011-3571) It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions. (CVE-2012-0503) The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200. (CVE-2011-5035) The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory. (CVE-2011-3563) A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information. (CVE-2012-0502) It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data. (CVE-2012-0506) An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened. (CVE-2012-0501) This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2018-09-02
    modified 2016-05-20
    plugin id 68487
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68487
    title Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2012-0322)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0514.NASL
    description Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The IBM Java SE version 6 release includes the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 6 Runtime Environment and the IBM Java 6 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM 'Security alerts' page, listed in the References section. (CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507) All users of java-1.6.0-ibm are advised to upgrade to these updated packages, containing the IBM Java 6 SR10-FP1 release. All running instances of IBM Java must be restarted for the update to take effect.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 58866
    published 2012-04-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58866
    title RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2012:0514)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_JAVA_10_7_2012-001.NASL
    description The remote Mac OS X host is running a version of Java for Mac OS X 10.7 that is missing update 2012-001, which updates the Java version to 1.6.0_31. As such, it is affected by several security vulnerabilities, the most serious of which may allow an untrusted Java applet to execute arbitrary code with the privileges of the current user outside the Java sandbox.
    last seen 2018-09-01
    modified 2018-07-14
    plugin id 58606
    published 2012-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58606
    title Mac OS X : Java for OS X Lion 2012-001
  • NASL family Windows
    NASL id ORACLE_JAVA_CPU_FEB_2012.NASL
    description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 7 Update 3 / 6 Update 31 / 5.0 Update 34 / 1.4.2_36 and is, therefore, potentially affected by security issues in the following components : - 2D - AWT - CORBA - Concurrency - Deployment - I18n - Install - Java Runtime Environment - Lightweight HTTP Server - Serialization - Sound
    last seen 2018-11-17
    modified 2018-11-15
    plugin id 57959
    published 2012-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57959
    title Oracle Java SE Multiple Vulnerabilities (February 2012 CPU)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_JAVA-1_6_0-IBM-120427.NASL
    description IBM Java 1.6.0 was updated to SR10-FP1, fixing various security issues. More information can be found on : http://www.ibm.com/developerworks/java/jdk/alerts/
    last seen 2018-09-01
    modified 2013-11-18
    plugin id 64164
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64164
    title SuSE 11.1 Security Update : IBM Java 1.6.0 (SAT Patch Number 6225)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2012-0135.NASL
    description From Red Hat Security Advisory 2012:0135 : Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497) It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-0505) The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2011-3571) It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions. (CVE-2012-0503) The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200. (CVE-2011-5035) The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory. (CVE-2011-3563) A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information. (CVE-2012-0502) It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data. (CVE-2012-0506) An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened. (CVE-2012-0501) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2018-09-01
    modified 2018-07-18
    plugin id 68459
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68459
    title Oracle Linux 6 : java-1.6.0-openjdk (ELSA-2012-0135)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1373-2.NASL
    description USN 1373-1 fixed vulnerabilities in OpenJDK 6 in Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04 for all architectures except for ARM (armel). This provides the corresponding OpenJDK 6 update for use with the ARM (armel) architecture in Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04. It was discovered that the Java HttpServer class did not limit the number of headers read from a HTTP request. A remote attacker could cause a denial of service by sending special requests that trigger hash collisions predictably. (CVE-2011-5035) ATTENTION: this update changes previous Java HttpServer class behavior by limiting the number of request headers to 200. This may be increased by adjusting the sun.net.httpserver.maxReqHeaders property. It was discovered that the Java Sound component did not properly check buffer boundaries. A remote attacker could use this to cause a denial of service or view confidential data. (CVE-2011-3563) It was discovered that the Java2D implementation does not properly check graphics rendering objects before passing them to the native renderer. A remote attacker could use this to cause a denial of service or to bypass Java sandbox restrictions. (CVE-2012-0497) It was discovered that an off-by-one error exists in the Java ZIP file processing code. An attacker could us this to cause a denial of service through a maliciously crafted ZIP file. (CVE-2012-0501) It was discovered that the Java AWT KeyboardFocusManager did not properly enforce keyboard focus security policy. A remote attacker could use this with an untrusted application or applet to grab keyboard focus and possibly expose confidential data. (CVE-2012-0502) It was discovered that the Java TimeZone class did not properly enforce security policy around setting the default time zone. A remote attacker could use this with an untrusted application or applet to set a new default time zone and bypass Java sandbox restrictions. (CVE-2012-0503) It was discovered the Java ObjectStreamClass did not throw an accurately identifiable exception when a deserialization failure occurred. A remote attacker could use this with an untrusted application or applet to bypass Java sandbox restrictions. (CVE-2012-0505) It was discovered that the Java CORBA implementation did not properly protect repository identifiers on certain CORBA objects. A remote attacker could use this to corrupt object data. (CVE-2012-0506) It was discovered that the Java AtomicReferenceArray class implementation did not properly check if an array was of the expected Object[] type. A remote attacker could use this with a malicious application or applet to bypass Java sandbox restrictions. (CVE-2012-0507). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 58179
    published 2012-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58179
    title Ubuntu 10.04 LTS / 10.10 / 11.04 : openjdk-6b18 vulnerabilities (USN-1373-2)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2420.NASL
    description Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform. - CVE-2011-3377 The IcedTea browser plugin included in the openjdk-6 package does not properly enforce the Same Origin Policy on web content served under a domain name which has a common suffix with the required domain name. - CVE-2011-3563 The Java Sound component did not properly check for array boundaries. A malicious input or an untrusted Java application or applet could use this flaw to cause Java Virtual Machine to crash or disclose portion of its memory. - CVE-2011-5035 The OpenJDK embedded web server did not guard against an excessive number of a request parameters, leading to a denial of service vulnerability involving hash collisions. - CVE-2012-0497 It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. This could lead to JVM crash or Java sandbox bypass. - CVE-2012-0501 The ZIP central directory parser used by java.util.zip.ZipFile entered an infinite recursion in native code when processing a crafted ZIP file, leading to a denial of service. - CVE-2012-0502 A flaw was found in the AWT KeyboardFocusManager class that could allow untrusted Java applets to acquire keyboard focus and possibly steal sensitive information. - CVE-2012-0503 The java.util.TimeZone.setDefault() method lacked a security manager invocation, allowing an untrusted Java application or applet to set a new default time zone. - CVE-2012-0505 The Java serialization code leaked references to serialization exceptions, possibly leaking critical objects to untrusted code in Java applets and applications. - CVE-2012-0506 It was discovered that CORBA implementation in Java did not properly protect repository identifiers (that can be obtained using _ids() method) on certain Corba objects. This could have been used to perform modification of the data that should have been immutable. - CVE-2012-0507 The AtomicReferenceArray class implementation did not properly check if the array is of an expected Object[] type. A malicious Java application or applet could use this flaw to cause Java Virtual Machine to crash or bypass Java sandbox restrictions.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 58148
    published 2012-02-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58148
    title Debian DSA-2420-1 : openjdk-6 - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0139.NASL
    description Updated java-1.6.0-sun packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras, and Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Sun 1.6.0 Java release includes the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. This update fixes several vulnerabilities in the Sun Java 6 Runtime Environment and the Sun Java 6 Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch page, listed in the References section. (CVE-2011-3563, CVE-2011-3571, CVE-2011-5035, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506) All users of java-1.6.0-sun are advised to upgrade to these updated packages, which provide JDK and JRE 6 Update 31 and resolve these issues. All running instances of Sun Java must be restarted for the update to take effect.
    last seen 2018-11-27
    modified 2018-11-26
    plugin id 57991
    published 2012-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57991
    title RHEL 4 / 5 / 6 : java-1.6.0-sun (RHSA-2012:0139)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0508.NASL
    description Updated java-1.5.0-ibm packages that fix several security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The IBM 1.5.0 Java release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. This update fixes several vulnerabilities in the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. Detailed vulnerability descriptions are linked from the IBM 'Security alerts' page, listed in the References section. (CVE-2011-3389, CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507) All users of java-1.5.0-ibm are advised to upgrade to these updated packages, containing the IBM 1.5.0 SR13-FP1 Java release. All running instances of IBM Java must be restarted for this update to take effect.
    last seen 2018-11-27
    modified 2018-11-26
    plugin id 58840
    published 2012-04-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58840
    title RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2012:0508) (BEAST)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0135.NASL
    description Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497) It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-0505) The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2011-3571) It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions. (CVE-2012-0503) The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200. (CVE-2011-5035) The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory. (CVE-2011-3563) A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information. (CVE-2012-0502) It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data. (CVE-2012-0506) An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened. (CVE-2012-0501) Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2018-11-27
    modified 2018-11-26
    plugin id 57956
    published 2012-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57956
    title RHEL 6 : java-1.6.0-openjdk (RHSA-2012:0135)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1373-1.NASL
    description It was discovered that the Java HttpServer class did not limit the number of headers read from a HTTP request. A remote attacker could cause a denial of service by sending special requests that trigger hash collisions predictably. (CVE-2011-5035) ATTENTION: this update changes previous Java HttpServer class behavior by limiting the number of request headers to 200. This may be increased by adjusting the sun.net.httpserver.maxReqHeaders property. It was discovered that the Java Sound component did not properly check buffer boundaries. A remote attacker could use this to cause a denial of service or view confidential data. (CVE-2011-3563) It was discovered that the Java2D implementation does not properly check graphics rendering objects before passing them to the native renderer. A remote attacker could use this to cause a denial of service or to bypass Java sandbox restrictions. (CVE-2012-0497) It was discovered that an off-by-one error exists in the Java ZIP file processing code. An attacker could us this to cause a denial of service through a maliciously crafted ZIP file. (CVE-2012-0501) It was discovered that the Java AWT KeyboardFocusManager did not properly enforce keyboard focus security policy. A remote attacker could use this with an untrusted application or applet to grab keyboard focus and possibly expose confidential data. (CVE-2012-0502) It was discovered that the Java TimeZone class did not properly enforce security policy around setting the default time zone. A remote attacker could use this with an untrusted application or applet to set a new default time zone and bypass Java sandbox restrictions. (CVE-2012-0503) It was discovered the Java ObjectStreamClass did not throw an accurately identifiable exception when a deserialization failure occurred. A remote attacker could use this with an untrusted application or applet to bypass Java sandbox restrictions. (CVE-2012-0505) It was discovered that the Java CORBA implementation did not properly protect repository identifiers on certain CORBA objects. A remote attacker could use this to corrupt object data. (CVE-2012-0506) It was discovered that the Java AtomicReferenceArray class implementation did not properly check if an array was of the expected Object[] type. A remote attacker could use this with a malicious application or applet to bypass Java sandbox restrictions. (CVE-2012-0507). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-12-02
    modified 2018-12-01
    plugin id 58130
    published 2012-02-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58130
    title Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : openjdk-6 vulnerabilities (USN-1373-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2012-0322.NASL
    description Updated java-1.6.0-openjdk packages that fix several security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. These packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Software Development Kit. It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. Malicious input, or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine (JVM), or bypass Java sandbox restrictions. (CVE-2012-0497) It was discovered that the exception thrown on deserialization failure did not always contain a proper identification of the cause of the failure. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2012-0505) The AtomicReferenceArray class implementation did not properly check if the array was of the expected Object[] type. A malicious Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2011-3571) It was discovered that the use of TimeZone.setDefault() was not restricted by the SecurityManager, allowing an untrusted Java application or applet to set a new default time zone, and hence bypass Java sandbox restrictions. (CVE-2012-0503) The HttpServer class did not limit the number of headers read from HTTP requests. A remote attacker could use this flaw to make an application using HttpServer use an excessive amount of CPU time via a specially crafted request. This update introduces a header count limit controlled using the sun.net.httpserver.maxReqHeaders property. The default value is 200. (CVE-2011-5035) The Java Sound component did not properly check buffer boundaries. Malicious input, or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine (JVM) to crash or disclose a portion of its memory. (CVE-2011-3563) A flaw was found in the AWT KeyboardFocusManager that could allow an untrusted Java application or applet to acquire keyboard focus and possibly steal sensitive information. (CVE-2012-0502) It was discovered that the CORBA (Common Object Request Broker Architecture) implementation in Java did not properly protect repository identifiers on certain CORBA objects. This could have been used to modify immutable object data. (CVE-2012-0506) An off-by-one flaw, causing a stack overflow, was found in the unpacker for ZIP files. A specially crafted ZIP archive could cause the Java Virtual Machine (JVM) to crash when opened. (CVE-2012-0501) This erratum also upgrades the OpenJDK package to IcedTea6 1.10.6. Refer to the NEWS file, linked to in the References, for further information. All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
    last seen 2018-11-27
    modified 2018-11-26
    plugin id 58084
    published 2012-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=58084
    title RHEL 5 : java-1.6.0-openjdk (RHSA-2012:0322)
  • NASL family Misc.
    NASL id ORACLE_JAVA_CPU_FEB_2012_UNIX.NASL
    description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is earlier than 7 Update 3 / 6 Update 31 / 5.0 Update 34 / 1.4.2_36 and is, therefore, potentially affected by security issues in the following components : - 2D - AWT - CORBA - Concurrency - Deployment - I18n - Install - Java Runtime Environment - Lightweight HTTP Server - Serialization - Sound
    last seen 2018-11-17
    modified 2018-11-15
    plugin id 64847
    published 2013-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64847
    title Oracle Java SE Multiple Vulnerabilities (February 2012 CPU) (Unix)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1455.NASL
    description Updated java-1.6.0-ibm packages that fix several security issues are now available for Red Hat Network Satellite Server 5.4. The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. This update corrects several security vulnerabilities in the IBM Java Runtime Environment shipped as part of Red Hat Network Satellite Server 5.4. In a typical operating environment, these are of low security risk as the runtime is not used on untrusted applets. Several flaws were fixed in the IBM Java 2 Runtime Environment. (CVE-2011-0802, CVE-2011-0814, CVE-2011-0862, CVE-2011-0863, CVE-2011-0865, CVE-2011-0867, CVE-2011-0868, CVE-2011-0869, CVE-2011-0871, CVE-2011-0873, CVE-2011-3389, CVE-2011-3516, CVE-2011-3521, CVE-2011-3544, CVE-2011-3545, CVE-2011-3546, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3550, CVE-2011-3551, CVE-2011-3552, CVE-2011-3553, CVE-2011-3554, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560, CVE-2011-3561, CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0498, CVE-2012-0499, CVE-2012-0500, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507, CVE-2012-0547, CVE-2012-0551, CVE-2012-1531, CVE-2012-1532, CVE-2012-1533, CVE-2012-1541, CVE-2012-1682, CVE-2012-1713, CVE-2012-1716, CVE-2012-1717, CVE-2012-1718, CVE-2012-1719, CVE-2012-1721, CVE-2012-1722, CVE-2012-1725, CVE-2012-3143, CVE-2012-3159, CVE-2012-3213, CVE-2012-3216, CVE-2012-3342, CVE-2012-4820, CVE-2012-4822, CVE-2012-4823, CVE-2012-5068, CVE-2012-5069, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5075, CVE-2012-5079, CVE-2012-5081, CVE-2012-5083, CVE-2012-5084, CVE-2012-5089, CVE-2013-0169, CVE-2013-0351, CVE-2013-0401, CVE-2013-0409, CVE-2013-0419, CVE-2013-0423, CVE-2013-0424, CVE-2013-0425, CVE-2013-0426, CVE-2013-0427, CVE-2013-0428, CVE-2013-0432, CVE-2013-0433, CVE-2013-0434, CVE-2013-0435, CVE-2013-0438, CVE-2013-0440, CVE-2013-0441, CVE-2013-0442, CVE-2013-0443, CVE-2013-0445, CVE-2013-0446, CVE-2013-0450, CVE-2013-0809, CVE-2013-1473, CVE-2013-1476, CVE-2013-1478, CVE-2013-1480, CVE-2013-1481, CVE-2013-1486, CVE-2013-1487, CVE-2013-1491, CVE-2013-1493, CVE-2013-1500, CVE-2013-1537, CVE-2013-1540, CVE-2013-1557, CVE-2013-1563, CVE-2013-1569, CVE-2013-1571, CVE-2013-2383, CVE-2013-2384, CVE-2013-2394, CVE-2013-2407, CVE-2013-2412, CVE-2013-2417, CVE-2013-2418, CVE-2013-2419, CVE-2013-2420, CVE-2013-2422, CVE-2013-2424, CVE-2013-2429, CVE-2013-2430, CVE-2013-2432, CVE-2013-2433, CVE-2013-2435, CVE-2013-2437, CVE-2013-2440, CVE-2013-2442, CVE-2013-2443, CVE-2013-2444, CVE-2013-2446, CVE-2013-2447, CVE-2013-2448, CVE-2013-2450, CVE-2013-2451, CVE-2013-2452, CVE-2013-2453, CVE-2013-2454, CVE-2013-2455, CVE-2013-2456, CVE-2013-2457, CVE-2013-2459, CVE-2013-2463, CVE-2013-2464, CVE-2013-2465, CVE-2013-2466, CVE-2013-2468, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473, CVE-2013-3743) Users of Red Hat Network Satellite Server 5.4 are advised to upgrade to these updated packages, which contain the IBM Java SE 6 SR14 release. For this update to take effect, Red Hat Network Satellite Server must be restarted ('/usr/sbin/rhn-satellite restart'), as well as all running instances of IBM Java.
    last seen 2018-11-27
    modified 2018-11-26
    plugin id 78975
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78975
    title RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2013:1455) (BEAST) (ROBOT)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201401-30.NASL
    description The remote host is affected by the vulnerability described in GLSA-201401-30 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities have been reported in the Oracle Java implementation. Please review the CVE identifiers referenced below for details. Impact : An unauthenticated, remote attacker could exploit these vulnerabilities to execute arbitrary code. Furthermore, a local or remote attacker could exploit these vulnerabilities to cause unspecified impact, possibly including remote execution of arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2018-09-01
    modified 2018-01-03
    plugin id 72139
    published 2014-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=72139
    title GLSA-201401-30 : Oracle JRE/JDK: Multiple vulnerabilities (ROBOT)
packetstorm via4
data source https://packetstormsecurity.com/files/download/111412/java_atomicreferencearray.rb.txt
id PACKETSTORM:111412
last seen 2016-12-05
published 2012-03-30
reporter egypt
source https://packetstormsecurity.com/files/111412/Java-AtomicReferenceArray-Type-Violation.html
title Java AtomicReferenceArray Type Violation
redhat via4
advisories
  • bugzilla
    id 789301
    title CVE-2012-0497 OpenJDK: insufficient checking of the graphics rendering object (2D, 7112642)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment java-1.6.0-openjdk is earlier than 1:1.6.0.0-1.43.1.10.6.el6_2
          oval oval:com.redhat.rhsa:tst:20120135005
        • comment java-1.6.0-openjdk is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100865006
      • AND
        • comment java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-1.43.1.10.6.el6_2
          oval oval:com.redhat.rhsa:tst:20120135007
        • comment java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100865010
      • AND
        • comment java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-1.43.1.10.6.el6_2
          oval oval:com.redhat.rhsa:tst:20120135013
        • comment java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100865008
      • AND
        • comment java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-1.43.1.10.6.el6_2
          oval oval:com.redhat.rhsa:tst:20120135009
        • comment java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100865014
      • AND
        • comment java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-1.43.1.10.6.el6_2
          oval oval:com.redhat.rhsa:tst:20120135011
        • comment java-1.6.0-openjdk-src is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100865012
    rhsa
    id RHSA-2012:0135
    released 2012-02-14
    severity Critical
    title RHSA-2012:0135: java-1.6.0-openjdk security update (Critical)
  • bugzilla
    id 789301
    title CVE-2012-0497 OpenJDK: insufficient checking of the graphics rendering object (2D, 7112642)
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment java-1.6.0-openjdk is earlier than 1:1.6.0.0-1.25.1.10.6.el5_8
          oval oval:com.redhat.rhsa:tst:20120322002
        • comment java-1.6.0-openjdk is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377003
      • AND
        • comment java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-1.25.1.10.6.el5_8
          oval oval:com.redhat.rhsa:tst:20120322010
        • comment java-1.6.0-openjdk-demo is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377011
      • AND
        • comment java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-1.25.1.10.6.el5_8
          oval oval:com.redhat.rhsa:tst:20120322004
        • comment java-1.6.0-openjdk-devel is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377005
      • AND
        • comment java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-1.25.1.10.6.el5_8
          oval oval:com.redhat.rhsa:tst:20120322008
        • comment java-1.6.0-openjdk-javadoc is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377007
      • AND
        • comment java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-1.25.1.10.6.el5_8
          oval oval:com.redhat.rhsa:tst:20120322006
        • comment java-1.6.0-openjdk-src is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20090377009
    rhsa
    id RHSA-2012:0322
    released 2012-02-21
    severity Important
    title RHSA-2012:0322: java-1.6.0-openjdk security update (Important)
  • rhsa
    id RHSA-2012:0508
  • rhsa
    id RHSA-2012:0514
  • rhsa
    id RHSA-2013:1455
rpms
  • java-1.6.0-openjdk-1:1.6.0.0-1.43.1.10.6.el6_2
  • java-1.6.0-openjdk-demo-1:1.6.0.0-1.43.1.10.6.el6_2
  • java-1.6.0-openjdk-devel-1:1.6.0.0-1.43.1.10.6.el6_2
  • java-1.6.0-openjdk-javadoc-1:1.6.0.0-1.43.1.10.6.el6_2
  • java-1.6.0-openjdk-src-1:1.6.0.0-1.43.1.10.6.el6_2
  • java-1.6.0-openjdk-1:1.6.0.0-1.25.1.10.6.el5_8
  • java-1.6.0-openjdk-demo-1:1.6.0.0-1.25.1.10.6.el5_8
  • java-1.6.0-openjdk-devel-1:1.6.0.0-1.25.1.10.6.el5_8
  • java-1.6.0-openjdk-javadoc-1:1.6.0.0-1.25.1.10.6.el5_8
  • java-1.6.0-openjdk-src-1:1.6.0.0-1.25.1.10.6.el5_8
refmap via4
bid 52161
confirm
debian DSA-2420
hp
  • HPSBMU02797
  • HPSBMU02799
  • HPSBUX02757
  • HPSBUX02760
  • HPSBUX02784
  • SSRT100779
  • SSRT100805
  • SSRT100867
  • SSRT100871
misc
secunia
  • 48589
  • 48692
  • 48915
  • 48948
  • 48950
suse
  • SUSE-SU-2012:0602
  • SUSE-SU-2012:0603
saint via4
bid 52161
description Java SE AtomicReferenceArray Unsafe Security Bypass
id web_client_jre
osvdb 80724
title java_se_atomicreferencearray_unsafe
type client
the hacker news via4
id THN:74600659E59FBC081B6540EF1DCE11D3
last seen 2017-01-08
modified 2012-12-05
published 2012-12-05
reporter Mohit Kumar
source http://thehackernews.com/2012/12/new-mac-malware-dockster-found-on-dalai.html
title New Mac Malware 'Dockster' Found on Dalai Lama site
vmware via4
description The Oracle (Sun) JRE is updated to version 1.6.0_31which addresses multiple security issues. Oracle has documented the CVE identifiers that are addressed by this update in the Oracle Java SE Critical Patch Update Advisory of February 2012.
id VMSA-2012-0013
last_updated 2012-12-20T00:00:00
published 2012-08-30T00:00:00
title vCenter and ESX update to JRE 1.6.0 Update 31
Last major update 22-08-2016 - 22:05
Published 07-06-2012 - 18:55
Last modified 28-12-2017 - 21:29
Back to Top