RHSA-2008:1045
Vulnerability from csaf_redhat
Published
2008-12-18 18:33
Modified
2025-09-25 11:37
Summary
Red Hat Security Advisory: java-1.6.0-bea security update
Notes
Topic
java-1.6.0-bea as shipped in Red Hat Enterprise Linux 4 Extras and Red Hat
Enterprise Linux 5 Supplementary, contains security flaws and should not be
used.
This update has been rated as having important security impact by the Red
Hat Security Response Team.
Details
The BEA WebLogic JRockit JRE and SDK contains BEA WebLogic JRockit Virtual
Machine and is certified for the Java™ 2 Platform, Standard Edition,
v1.6.0.
The java-1.6.0-bea packages are vulnerable to important security flaws and
should no longer be used.
A flaw was found in the Java Management Extensions (JMX) management agent.
When local monitoring was enabled, remote attackers could use this flaw to
perform illegal operations. (CVE-2008-3103)
Several flaws involving the handling of unsigned applets were found. A
remote attacker could misuse an unsigned applet in order to connect to
services on the host running the applet. (CVE-2008-3104)
Several flaws in the Java API for XML Web Services (JAX-WS) client and the
JAX-WS service implementation were found. A remote attacker who could cause
malicious XML to be processed by an application could access URLs, or cause
a denial of service. (CVE-2008-3105, CVE-2008-3106)
Several flaws within the Java Runtime Environment's (JRE) scripting support
were found. A remote attacker could grant an untrusted applet extended
privileges, such as reading and writing local files, executing local
programs, or querying the sensitive data of other applets. (CVE-2008-3109,
CVE-2008-3110)
The vulnerabilities concerning applets listed above can only be triggered
in java-1.6.0-bea, by calling the "appletviewer" application.
BEA was acquired by Oracle® during 2008 (the acquisition was completed on
April 29, 2008). Consequently, JRockit is now an Oracle offering and these
issues are addressed in the current release of Oracle JRockit. Due to a
license change by Oracle, however, Red Hat is unable to ship Oracle
JRockit.
Users who wish to continue using JRockit should get an update directly from
Oracle: http://oracle.com/technology/software/products/jrockit/.
Alternatives to Oracle JRockit include the Java 2 Technology Edition of the
IBM® Developer Kit for Linux and the Sun™ Java SE Development Kit (JDK),
both of which are available on the Extras or Supplementary channels. For
Java 6 users, the new OpenJDK open source JDK will be included in Red Hat
Enterprise Linux 5.3 and will be supported by Red Hat.
This update removes the java-1.6.0-bea packages due to their known security
vulnerabilities.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_informational_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "java-1.6.0-bea as shipped in Red Hat Enterprise Linux 4 Extras and Red Hat\nEnterprise Linux 5 Supplementary, contains security flaws and should not be\nused.\n\nThis update has been rated as having important security impact by the Red\nHat Security Response Team.",
"title": "Topic"
},
{
"category": "general",
"text": "The BEA WebLogic JRockit JRE and SDK contains BEA WebLogic JRockit Virtual\nMachine and is certified for the Java\u2122 2 Platform, Standard Edition,\nv1.6.0.\n\nThe java-1.6.0-bea packages are vulnerable to important security flaws and\nshould no longer be used.\n\nA flaw was found in the Java Management Extensions (JMX) management agent.\nWhen local monitoring was enabled, remote attackers could use this flaw to\nperform illegal operations. (CVE-2008-3103)\n\nSeveral flaws involving the handling of unsigned applets were found. A\nremote attacker could misuse an unsigned applet in order to connect to\nservices on the host running the applet. (CVE-2008-3104)\n\nSeveral flaws in the Java API for XML Web Services (JAX-WS) client and the\nJAX-WS service implementation were found. A remote attacker who could cause\nmalicious XML to be processed by an application could access URLs, or cause\na denial of service. (CVE-2008-3105, CVE-2008-3106)\n\nSeveral flaws within the Java Runtime Environment\u0027s (JRE) scripting support\nwere found. A remote attacker could grant an untrusted applet extended\nprivileges, such as reading and writing local files, executing local\nprograms, or querying the sensitive data of other applets. (CVE-2008-3109,\nCVE-2008-3110)\n\nThe vulnerabilities concerning applets listed above can only be triggered\nin java-1.6.0-bea, by calling the \"appletviewer\" application.\n\nBEA was acquired by Oracle\u00ae during 2008 (the acquisition was completed on\nApril 29, 2008). Consequently, JRockit is now an Oracle offering and these\nissues are addressed in the current release of Oracle JRockit. Due to a\nlicense change by Oracle, however, Red Hat is unable to ship Oracle\nJRockit.\n\nUsers who wish to continue using JRockit should get an update directly from\nOracle: http://oracle.com/technology/software/products/jrockit/.\n\nAlternatives to Oracle JRockit include the Java 2 Technology Edition of the\nIBM\u00ae Developer Kit for Linux and the Sun\u2122 Java SE Development Kit (JDK),\nboth of which are available on the Extras or Supplementary channels. For\nJava 6 users, the new OpenJDK open source JDK will be included in Red Hat\nEnterprise Linux 5.3 and will be supported by Red Hat.\n\nThis update removes the java-1.6.0-bea packages due to their known security\nvulnerabilities.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2008:1045",
"url": "https://access.redhat.com/errata/RHSA-2008:1045"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://support.bea.com/application_content/product_portlets/securityadvisories/jrockitindex.html",
"url": "https://support.bea.com/application_content/product_portlets/securityadvisories/jrockitindex.html"
},
{
"category": "external",
"summary": "452649",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=452649"
},
{
"category": "external",
"summary": "452659",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=452659"
},
{
"category": "external",
"summary": "454601",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=454601"
},
{
"category": "external",
"summary": "454603",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=454603"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2008/rhsa-2008_1045.json"
}
],
"title": "Red Hat Security Advisory: java-1.6.0-bea security update",
"tracking": {
"current_release_date": "2025-09-25T11:37:56+00:00",
"generator": {
"date": "2025-09-25T11:37:56+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.8"
}
},
"id": "RHSA-2008:1045",
"initial_release_date": "2008-12-18T18:33:00+00:00",
"revision_history": [
{
"date": "2008-12-18T18:33:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2008-12-18T13:33:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-09-25T11:37:56+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Supplementary (v. 5)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Supplementary (v. 5)",
"product_id": "5Client-Supplementary",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras:5::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Supplementary (v. 5)",
"product": {
"name": "Red Hat Enterprise Linux Server Supplementary (v. 5)",
"product_id": "5Server-Supplementary",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras:5::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux AS version 4 Extras",
"product": {
"name": "Red Hat Enterprise Linux AS version 4 Extras",
"product_id": "4AS-LACD",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras:4"
}
}
},
{
"category": "product_name",
"name": "Red Hat Desktop version 4 Extras",
"product": {
"name": "Red Hat Desktop version 4 Extras",
"product_id": "4Desktop-LACD",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras:4"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ES version 4 Extras",
"product": {
"name": "Red Hat Enterprise Linux ES version 4 Extras",
"product_id": "4ES-LACD",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras:4"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux WS version 4 Extras",
"product": {
"name": "Red Hat Enterprise Linux WS version 4 Extras",
"product_id": "4WS-LACD",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_extras:4"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux Supplementary"
},
{
"branches": [
{
"category": "product_version",
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.i686",
"product": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.i686",
"product_id": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/java-1.6.0-bea-uninstall@1.6.0.03-1jpp.6.el5?arch=i686\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686",
"product": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686",
"product_id": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/java-1.6.0-bea-uninstall@1.6.0.03-1jpp.4.el4?arch=i686\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "i686"
},
{
"branches": [
{
"category": "product_version",
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.x86_64",
"product": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.x86_64",
"product_id": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/java-1.6.0-bea-uninstall@1.6.0.03-1jpp.6.el5?arch=x86_64\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64",
"product": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64",
"product_id": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/java-1.6.0-bea-uninstall@1.6.0.03-1jpp.4.el4?arch=x86_64\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686 as a component of Red Hat Enterprise Linux AS version 4 Extras",
"product_id": "4AS-LACD:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686",
"relates_to_product_reference": "4AS-LACD"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64 as a component of Red Hat Enterprise Linux AS version 4 Extras",
"product_id": "4AS-LACD:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64",
"relates_to_product_reference": "4AS-LACD"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686 as a component of Red Hat Desktop version 4 Extras",
"product_id": "4Desktop-LACD:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686",
"relates_to_product_reference": "4Desktop-LACD"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64 as a component of Red Hat Desktop version 4 Extras",
"product_id": "4Desktop-LACD:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64",
"relates_to_product_reference": "4Desktop-LACD"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686 as a component of Red Hat Enterprise Linux ES version 4 Extras",
"product_id": "4ES-LACD:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686",
"relates_to_product_reference": "4ES-LACD"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64 as a component of Red Hat Enterprise Linux ES version 4 Extras",
"product_id": "4ES-LACD:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64",
"relates_to_product_reference": "4ES-LACD"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686 as a component of Red Hat Enterprise Linux WS version 4 Extras",
"product_id": "4WS-LACD:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.i686",
"relates_to_product_reference": "4WS-LACD"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64 as a component of Red Hat Enterprise Linux WS version 4 Extras",
"product_id": "4WS-LACD:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.4.el4.x86_64",
"relates_to_product_reference": "4WS-LACD"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.i686 as a component of Red Hat Enterprise Linux Desktop Supplementary (v. 5)",
"product_id": "5Client-Supplementary:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.i686"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.i686",
"relates_to_product_reference": "5Client-Supplementary"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.x86_64 as a component of Red Hat Enterprise Linux Desktop Supplementary (v. 5)",
"product_id": "5Client-Supplementary:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.x86_64"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.x86_64",
"relates_to_product_reference": "5Client-Supplementary"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.i686 as a component of Red Hat Enterprise Linux Server Supplementary (v. 5)",
"product_id": "5Server-Supplementary:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.i686"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.i686",
"relates_to_product_reference": "5Server-Supplementary"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.x86_64 as a component of Red Hat Enterprise Linux Server Supplementary (v. 5)",
"product_id": "5Server-Supplementary:java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.x86_64"
},
"product_reference": "java-1.6.0-bea-uninstall-1:1.6.0.03-1jpp.6.el5.x86_64",
"relates_to_product_reference": "5Server-Supplementary"
}
]
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…