Red Hat: RHSA-2008:0955-01 Critical: Java Applet Remote Threat
Nov 25, 2008
•
LinuxSecurity Advisories
10 - 20 min read
Updated java-1.4.2-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4
Extras, and Red Hat Enterprise Linux 5 Supplementary.
Multiple vulnerabilities with unsigned applets were reported. A remote
attacker could misuse an unsigned applet to connect to localhost services
running on the host running the applet. (CVE-2008-3104)
==================================================================== Red Hat Security Advisory
Synopsis: Critical: java-1.4.2-ibm security update
Advisory ID: RHSA-2008:0955-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://access.redhat.com/errata/RHSA-2008:0955.html
Issue date: 2008-11-25
Keywords: Security
CVE Names: CVE-2008-3104 CVE-2008-3112 CVE-2008-3113
CVE-2008-3114
====================================================================
1. Summary:
Updated java-1.4.2-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4
Extras, and Red Hat Enterprise Linux 5 Supplementary.
This update has been rated as having critical security impact by the Red
Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 3 Extras - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 3 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, ia64, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ia64, ppc, s390x, x86_64
3. Description:
IBM's 1.4.2 SR12 Java release includes the IBM Java 2 Runtime Environment
and the IBM Java 2 Software Development Kit.
Multiple vulnerabilities with unsigned applets were reported. A remote
attacker could misuse an unsigned applet to connect to localhost services
running on the host running the applet. (CVE-2008-3104)
Two file processing vulnerabilities in Java Web Start were found. Using an
untrusted Java Web Start application, a remote attacker was able to create
or delete arbitrary files with the permissions of the user running the
untrusted application. (CVE-2008-3112, CVE-2008-3113)
A vulnerability in Java Web Start when processing untrusted applications
was reported. An attacker was able to acquire sensitive information, such
as the cache location. (CVE-2008-3114)
All users of java-1.4.2-ibm are advised to upgrade to these updated
packages, which contain IBM's 1.4.2 SR12 Java release which resolves these
issues.
4. Solution:
Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
5. Bugs fixed (http://bugzilla.redhat.com/):
454601 - CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932)
454606 - CVE-2008-3112 Java Web Start, arbitrary file creation (6703909)
454607 - CVE-2008-3113 Java Web Start arbitrary file creation/deletion file with user permissions (6704077)
454608 - CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074)
6. Package List:
Red Hat Enterprise Linux AS version 3 Extras:
i386:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.i386.rpm
ia64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.ia64.rpm
ppc:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.ppc.rpm
s390:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.s390.rpm
s390x:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.s390x.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.s390x.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.s390x.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.s390x.rpm
x86_64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.x86_64.rpm
Red Hat Desktop version 3 Extras:
i386:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.i386.rpm
x86_64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.x86_64.rpm
Red Hat Enterprise Linux ES version 3 Extras:
i386:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.i386.rpm
ia64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.ia64.rpm
x86_64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.x86_64.rpm
Red Hat Enterprise Linux WS version 3 Extras:
i386:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.i386.rpm
ia64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.ia64.rpm
x86_64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.x86_64.rpm
Red Hat Enterprise Linux AS version 4 Extras:
i386:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.i386.rpm
ia64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.ia64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.ia64.rpm
ppc:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.ppc.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.ppc.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.ppc.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el4.ppc.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el4.ppc.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.ppc.rpm
s390:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.s390.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.s390.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.s390.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el4.s390.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.s390.rpm
s390x:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.s390x.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.s390x.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.s390x.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.s390x.rpm
x86_64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.x86_64.rpm
Red Hat Desktop version 4 Extras:
i386:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.i386.rpm
x86_64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.x86_64.rpm
Red Hat Enterprise Linux ES version 4 Extras:
i386:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.i386.rpm
ia64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.ia64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.ia64.rpm
x86_64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.x86_64.rpm
Red Hat Enterprise Linux WS version 4 Extras:
i386:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el4.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.i386.rpm
ia64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.ia64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.ia64.rpm
x86_64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el4.x86_64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el4.x86_64.rpm
RHEL Desktop Supplementary (v. 5 client):
i386:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el5.i386.rpm
x86_64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-1.4.2.12-1jpp.1.el5.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el5.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el5.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el5.x86_64.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el5.x86_64.rpm
RHEL Supplementary (v. 5 server):
i386:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el5.i386.rpm
ia64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el5.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el5.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el5.ia64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el5.ia64.rpm
ppc:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el5.ppc.rpm
java-1.4.2-ibm-1.4.2.12-1jpp.1.el5.ppc64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el5.ppc.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el5.ppc64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el5.ppc.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el5.ppc64.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el5.ppc.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el5.ppc64.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el5.ppc.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el5.ppc.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el5.ppc64.rpm
s390x:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el5.s390.rpm
java-1.4.2-ibm-1.4.2.12-1jpp.1.el5.s390x.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el5.s390.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el5.s390x.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el5.s390.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el5.s390x.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el5.s390.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el5.s390.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el5.s390x.rpm
x86_64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-1.4.2.12-1jpp.1.el5.x86_64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el5.x86_64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el5.x86_64.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-javacomm-1.4.2.12-1jpp.1.el5.x86_64.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el5.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key#package
7. References:
https://www.cve.org/CVERecord?id=CVE-2008-3104
https://www.cve.org/CVERecord?id=CVE-2008-3112
https://www.cve.org/CVERecord?id=CVE-2008-3113
https://www.cve.org/CVERecord?id=CVE-2008-3114
https://access.redhat.com/security/updates/classification#critical
8. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact
Copyright 2008 Red Hat, Inc.
PREVIOUS
NEXT
Red Hat: RHSA-2008:0955-01 Critical: Java Applet Remote Threat
red hat
November 25, 2008
Updated java-1.4.2-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4
Extras, and Red Hat Enterpris...
Solution
Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
Summary
IBM's 1.4.2 SR12 Java release includes the IBM Java 2 Runtime Environment
and the IBM Java 2 Software Development Kit.
Multiple vulnerabilities with unsigned applets were reported. A remote
attacker could misuse an unsigned applet to connect to localhost services
running on the host running the applet. (CVE-2008-3104)
Two file processing vulnerabilities in Java Web Start were found. Using an
untrusted Java Web Start application, a remote attacker was able to create
or delete arbitrary files with the permissions of the user running the
untrusted application. (CVE-2008-3112, CVE-2008-3113)
A vulnerability in Java Web Start when processing untrusted applications
was reported. An attacker was able to acquire sensitive information, such
as the cache location. (CVE-2008-3114)
All users of java-1.4.2-ibm are advised to upgrade to these updated
packages, which contain IBM's 1.4.2 SR12 Java release which resolves these
issues.
References
https://www.cve.org/CVERecord?id=CVE-2008-3104 https://www.cve.org/CVERecord?id=CVE-2008-3112 https://www.cve.org/CVERecord?id=CVE-2008-3113 https://www.cve.org/CVERecord?id=CVE-2008-3114 https://access.redhat.com/security/updates/classification#critical
Package List
Red Hat Enterprise Linux AS version 3 Extras:
i386:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-plugin-1.4.2.12-1jpp.1.el3.i386.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.i386.rpm
ia64:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.ia64.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.ia64.rpm
ppc:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el3.ppc.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.ppc.rpm
s390:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-jdbc-1.4.2.12-1jpp.1.el3.s390.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.s390.rpm
s390x:
java-1.4.2-ibm-1.4.2.12-1jpp.1.el3.s390x.rpm
java-1.4.2-ibm-demo-1.4.2.12-1jpp.1.el3.s390x.rpm
java-1.4.2-ibm-devel-1.4.2.12-1jpp.1.el3.s390x.rpm
java-1.4.2-ibm-src-1.4.2.12-1jpp.1.el3.s390x.rpm
x86_64:
Read the Full Advisory
Severity
critical
Lowest
Low
Medium
High
Critical
Advisory ID: RHSA-2008:0955-01
Product: Red Hat Enterprise Linux Extras
Advisory URL: https://access.redhat.com/errata/RHSA-2008:0955.html
Issue date: 2008-11-25
Keywords: Security
Topic
Updated java-1.4.2-ibm packages that fix several security issues are now
available for Red Hat Enterprise Linux 3 Extras, Red Hat Enterprise Linux 4
Extras, and Red Hat Enterprise Linux 5 Supplementary.
This update has been rated as having critical security impact by the Red
Hat Security Response Team.
Relevant Releases Architectures
Red Hat Enterprise Linux AS version 3 Extras - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 3 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux AS version 4 Extras - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 4 Extras - i386, x86_64
Red Hat Enterprise Linux ES version 4 Extras - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 Extras - i386, ia64, x86_64
RHEL Desktop Supplementary (v. 5 client) - i386, x86_64
RHEL Supplementary (v. 5 server) - i386, ia64, ppc, s390x, x86_64
Bugs Fixed
454601 - CVE-2008-3104 Java RE allows Same Origin Policy to be Bypassed (6687932)
454606 - CVE-2008-3112 Java Web Start, arbitrary file creation (6703909)
454607 - CVE-2008-3113 Java Web Start arbitrary file creation/deletion file with user permissions (6704077)
454608 - CVE-2008-3114 Java Web Start, untrusted application may determine Cache Location (6704074)
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!