Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 591
Alerts This Week
Warning Icon 1 591

Arch Linux: ASA-201509-7 Critical: Icedtea-Web Security Flaw

Archlinux Large Esm H446
The package icedtea-web before version 1.6.1-1 is vulnerable to multiple authorization bypass vulnerabilities.
Arch Linux Security Advisory ASA-201509-6
========================================
Severity: Medium
Date    : 2015-09-14
CVE-ID  : CVE-2015-5234 CVE-2015-5235
Package : icedtea-web
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package icedtea-web before version 1.6.1-1 is vulnerable to multiple
authorization bypass vulnerabilities.

Resolution
=========
Upgrade to 1.6.1-1.

# pacman -Syu "icedtea-web>=1.6.1-1"

The problem has been fixed upstream in version 1.6.1.

Workaround
=========
None.

Description
==========
- CVE-2015-5234 (unexpected permanent authorization of unsigned applets)

It was discovered that IcedTea-Web did not properly sanitize applet URLs
when storing applet trust settings. A malicious web page could use this
flaw to inject trust-settings configuration, and cause applets to be
executed without user approval.

- CVE-2015-5235 (applet origin spoofing)

It was discovered that IcedTea-Web did not properly determine an
applet's origin when asking the user if the applet should be run. A
malicious page could use this flaw to cause IcedTea-Web to execute the
applet without user approval, or confuse the user into approving applet
execution based on an incorrectly indicated applet origin.

Impact
=====
A remote attacker is able to execute a malicious applet without user
approval via multiple vectors.

References
=========
https://mail.openjdk.org/pipermail/distro-pkg-dev/2015-September/033546.html
https://access.redhat.com/security/cve/CVE-2015-5234
https://access.redhat.com/security/cve/CVE-2015-5235