SUSE 5149 Published by

New IBM Java 5 packages are available for SUSE Linux Enterprise to fix a remote code execution vulnerability



______________________________________________________________________________

SUSE Security Announcement

Package: java-1_5_0-ibm
Announcement ID: SUSE-SA:2010:028
Date: Tue, 06 Jul 2010 16:00:00 +0000
Affected Products: SUSE SLES 9
Open Enterprise Server
Novell Linux POS 9
SUSE Linux Enterprise Desktop 10 SP3
SUSE Linux Enterprise Server 10 SP3
Vulnerability Type: remote code execution
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
SUSE Default Package: yes
Cross-References: CVE-2009-3555, CVE-2010-0084, CVE-2010-0085
CVE-2010-0087, CVE-2010-0088, CVE-2010-0089
CVE-2010-0091, CVE-2010-0092, CVE-2010-0094
CVE-2010-0095, CVE-2010-0837, CVE-2010-0838
CVE-2010-0839, CVE-2010-0840, CVE-2010-0841
CVE-2010-0842, CVE-2010-0843, CVE-2010-0844
CVE-2010-0846, CVE-2010-0847, CVE-2010-0848
CVE-2010-0849

Content of This Advisory:
1) Security Vulnerability Resolved:
IBM Java 5 security update
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
See SUSE Security Summary Report.
6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

This update of IBM Java 1.5.0 to SR11 FP2 brings various bug and lots
of security fixes.

Following security issues were fixed:
CVE-2010-0084: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6
Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to
affect confidentiality via unknown vectors.

CVE-2010-0085: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6 Update
18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers
to affect confidentiality, integrity, and availability via unknown
vectors.

CVE-2010-0087: Unspecified vulnerability in the Java Web Start, Java
Plug-in component in Oracle Java SE and Java for Business 6 Update 18,
5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0088: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6 Update
18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers
to affect confidentiality, integrity, and availability via unknown
vectors.

CVE-2010-0089: Unspecified vulnerability in the Java Web Start, Java
Plug-in component in Oracle Java SE and Java for Business 6 Update
18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect
availability via unknown vectors.

CVE-2010-0091: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6
Update 18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to
affect confidentiality via unknown vectors.

CVE-2010-0092: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6
Update 18, and 5.0 Update 23 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2009-3555: The TLS protocol, and the SSL protocol 3.0 and possibly
earlier, as used in Microsoft Internet Information Services (IIS) 7.0,
mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before
0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services
(NSS) 3.12.4 and earlier, multiple Cisco products, and other products,
does not properly associate renegotiation handshakes with an existing
connection, which allows man-in-the-middle attackers to insert data
into HTTPS sessions, and possibly other types of sessions protected
by TLS or SSL, by sending an unauthenticated request that is processed
retroactively by a server in a post-renegotiation context, related to a
"plaintext injection" attack, aka the "Project Mogul" issue.

CVE-2010-0094: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6 Update
18 and 5.0 Update 23 allows remote attackers to affect confidentiality,
integrity, and availability via unknown vectors. NOTE: the previous
information was obtained from the March 2010 CPU. Oracle has not
commented on claims from a reliable researcher that this is due to
missing privilege checks during deserialization of RMIConnectionImpl
objects, which allows remote attackers to call system-level Java
functions via the ClassLoader of a constructor that is being
deserialized.

CVE-2010-0095: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6 Update
18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0837: Unspecified vulnerability in the Pack200 component
in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update,
and 23 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors.

CVE-2010-0838: Unspecified vulnerability in the Java 2D component
in Oracle Java SE and Java for Business 6 Update 18, 5.0, Update,
and 23 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors. NOTE: the previous information
was obtained from the March 2010 CPU. Oracle has not commented on
claims from a reliable researcher that this is a stack-based buffer
overflow using an untrusted size value in the readMabCurveData function
in the CMM module in the JVM.

CVE-2010-0839: Unspecified vulnerability in the Sound component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0840: Unspecified vulnerability in the Java Runtime
Environment component in Oracle Java SE and Java for Business 6 Update
18, 5.0 Update 23, and 1.4.2_25 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this is
related to improper checks when executing privileged methods in the
Java Runtime Environment (JRE), which allows attackers to execute
arbitrary code via (1) an untrusted object that extends the trusted
class but has not modified a certain method, or (2) "a similar trust
issue with interfaces," aka "Trusted Methods Chaining Remote Code
Execution Vulnerability."

CVE-2010-0841: Unspecified vulnerability in the ImageIO component in
Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, and
1.4.2_25 allows remote attackers to affect confidentiality, integrity,
and availability via unknown vectors. NOTE: the previous information
was obtained from the March 2010 CPU. Oracle has not commented on
claims from a reliable researcher that this is an integer overflow in
the Java Runtime Environment that allows remote attackers to execute
arbitrary code via a JPEG image that contains subsample dimensions
with large values, related to JPEGImageReader and "stepX".

CVE-2010-0842: Unspecified vulnerability in the Sound component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this is
an uncontrolled array index that allows remote attackers to execute
arbitrary code via a MIDI file with a crafted MixerSequencer object,
related to the GM_Song structure.

CVE-2010-0843: Unspecified vulnerability in the Sound component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this is
related to XNewPtr and improper handling of an integer parameter
when allocating heap memory in the com.sun.media.sound libraries,
which allows remote attackers to execute arbitrary code.

CVE-2010-0844: Unspecified vulnerability in the Sound component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this
is for improper parsing of a crafted MIDI stream when creating a
MixerSequencer object, which causes a pointer to be corrupted and
allows a NULL byte to be written to arbitrary memory.

CVE-2010-0846: Unspecified vulnerability in the ImageIO component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this is
a heap-based buffer overflow that allows remote attackers to execute
arbitrary code, related to an "invalid assignment" and inconsistent
length values in a JPEG image encoder (JPEGImageEncoderImpl).

CVE-2010-0847: Unspecified vulnerability in the Java 2D component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this is
a heap-based buffer overflow that allows arbitrary code execution
via a crafted image.

CVE-2010-0848: Unspecified vulnerability in the Java 2D component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors.

CVE-2010-0849: Unspecified vulnerability in the Java 2D component
in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update
23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
the previous information was obtained from the March 2010 CPU. Oracle
has not commented on claims from a reliable researcher that this
is a heap-based buffer overflow in a decoding routine used by the
JPEGImageDecoderImpl interface, which allows code execution via a
crafted JPEG image.

IBMs JDK Alerts page listing them can be found on:
http://www.ibm.com/developerworks/java/jdk/alerts/

2) Solution or Work-Around

There is no known workaround, please install the update packages.

3) Special Instructions and Notes

Please restart applications using IBM Java after the update.

4) Package Location and Checksums

The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command

rpm -Fhv

to apply the update, replacing with the filename of the
downloaded RPM package.

Our maintenance customers are notified individually. The packages are
offered for installation from the maintenance web:

Open Enterprise Server
http://download.novell.com/patch/finder/?keywords=860976aefb8f9cbced0310de97a9d876

Novell Linux POS 9
http://download.novell.com/patch/finder/?keywords=860976aefb8f9cbced0310de97a9d876

SUSE SLES 9
http://download.novell.com/patch/finder/?keywords=860976aefb8f9cbced0310de97a9d876

SUSE Linux Enterprise Server 10 SP3
http://download.novell.com/patch/finder/?keywords=3b591511d815dc7c85fac2e9b6b66d53

SUSE Linux Enterprise Desktop 10 SP3
http://download.novell.com/patch/finder/?keywords=3b591511d815dc7c85fac2e9b6b66d53

______________________________________________________________________________

5) Pending Vulnerabilities, Solutions, and Work-Arounds:

See SUSE Security Summary Report.
______________________________________________________________________________

6) Authenticity Verification and Additional Information

- Announcement authenticity verification:

SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.

To verify the signature of the announcement, save it as text into a file
and run the command

gpg --verify

replacing with the name of the file where you saved the
announcement. The output for a valid signature looks like:

gpg: Signature made using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team "

where is replaced by the date the document was signed.

If the security team's key is not contained in your key ring, you can
import it from the first installation CD. To import the key, use the
command

gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

- Package authenticity verification:

SUSE update packages are available on many mirror FTP servers all over the
world. While this service is considered valuable and important to the free
and open source software community, the authenticity and the integrity of
a package needs to be verified to ensure that it has not been tampered
with.

The internal rpm package signatures provide an easy way to verify the
authenticity of an RPM package. Use the command

rpm -v --checksig

to verify the signature of the package, replacing with the
filename of the RPM package downloaded. The package is unmodified if it
contains a valid signature from build@suse.de with the key ID 9C800ACA.

This key is automatically imported into the RPM database (on
RPMv4-based distributions) and the gpg key ring of 'root' during
installation. You can also find it on the first installation CD and at
the end of this announcement.