CVE-2014-0368
First published: Tue Jan 14 2014(Updated: )
A flaw was found in the way the Networking component of OpenJDK checked permissions of code to listen on network ports. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/icedtea | <2.4.4 | 2.4.4 |
| redhat/icedtea | <2.3.13 | 2.3.13 |
| redhat/icedtea | <1.12.8 | 1.12.8 |
| redhat/icedtea | <1.13.1 | 1.13.1 |
| Oracle JDK 6 | =1.5.0-update55 | |
| Oracle Java Runtime Environment (JRE) | =1.5.0-update55 | |
| Oracle JDK 6 | =1.6.0-update65 | |
| Oracle Java Runtime Environment (JRE) | =1.6.0-update65 | |
| Oracle JDK 6 | =1.7.0-update45 | |
| Oracle Java Runtime Environment (JRE) | =1.7.0-update45 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/e6160aedadd5
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00024.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00105.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00107.html
- http://lists.opensuse.org/opensuse-updates/2014-02/msg00000.html
- http://marc.info/?l=bugtraq&m=139402697611681&w=2
- http://marc.info/?l=bugtraq&m=139402749111889&w=2
- http://rhn.redhat.com/errata/RHSA-2014-0026.html
- http://rhn.redhat.com/errata/RHSA-2014-0027.html
- http://rhn.redhat.com/errata/RHSA-2014-0030.html
- http://rhn.redhat.com/errata/RHSA-2014-0097.html
- http://rhn.redhat.com/errata/RHSA-2014-0134.html
- http://rhn.redhat.com/errata/RHSA-2014-0135.html
- http://rhn.redhat.com/errata/RHSA-2014-0136.html
- http://secunia.com/advisories/56432
- http://secunia.com/advisories/56485
- http://secunia.com/advisories/56486
- http://secunia.com/advisories/56535
- http://secunia.com/advisories/59235
- http://secunia.com/advisories/59339
- http://www-01.ibm.com/support/docview.wss?uid=swg21676978
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- http://www.securityfocus.com/bid/64758
- http://www.securityfocus.com/bid/64930
- http://www.securitytracker.com/id/1029608
- http://www.ubuntu.com/usn/USN-2089-1
- http://www.ubuntu.com/usn/USN-2124-1
- https://access.redhat.com/errata/RHSA-2014:0414
- https://bugzilla.redhat.com/show_bug.cgi?id=1052919
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04166777
- http://www.oracle.com/technetwork/java/javase/7u51-relnotes-2085002.html
- https://rhn.redhat.com/errata/RHSA-2014-0027.html
- https://rhn.redhat.com/errata/RHSA-2014-0026.html
- https://rhn.redhat.com/errata/RHSA-2014-0030.html
- http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/e935cd4139c6
- https://rhn.redhat.com/errata/RHSA-2014-0097.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-January/025800.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-January/025947.html
- http://mail.openjdk.java.net/pipermail/jdk6-dev/2014-January/003212.html
- https://rhn.redhat.com/errata/RHSA-2014-0136.html
- https://rhn.redhat.com/errata/RHSA-2014-0135.html
- https://rhn.redhat.com/errata/RHSA-2014-0134.html
- https://rhn.redhat.com/errata/RHSA-2014-0414.html
- https://rhn.redhat.com/errata/RHSA-2014-0705.html
- https://rhn.redhat.com/errata/RHSA-2014-0982.html
Frequently Asked Questions
What is the severity of CVE-2014-0368?
CVE-2014-0368 is classified as a moderate severity vulnerability allowing untrusted Java applications to bypass sandbox restrictions.
How do I fix CVE-2014-0368?
To fix CVE-2014-0368, upgrade to the latest version of IcedTea or the Oracle Java versions that are no longer vulnerable.
What software is affected by CVE-2014-0368?
CVE-2014-0368 affects specific versions of Oracle JDK and JRE as well as multiple versions of the IcedTea package.
What type of attack can CVE-2014-0368 facilitate?
CVE-2014-0368 can facilitate attacks that allow malicious Java code to listen on network ports, bypassing security restrictions.
Is CVE-2014-0368 specific to a particular Java version?
Yes, CVE-2014-0368 specifically affects Oracle Java SE versions 5.0u55, 6u65, and 7u45 among others.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-0368
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/oracle
- canonical/oracle jdk 6
- version/oracle jdk 6/1.5.0-update55
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.5.0-update55
- version/oracle jdk 6/1.6.0-update65
- version/oracle java runtime environment (jre)/1.6.0-update65
- version/oracle jdk 6/1.7.0-update45
- version/oracle java runtime environment (jre)/1.7.0-update45