CVE-2014-0376
First published: Sun Jan 12 2014(Updated: )
It was discovered that the JAXP (Java API for XML Processing) component in OpenJDK did not properly check code permissions when creating document builder factories. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/icedtea | <2.4.4 | 2.4.4 |
| redhat/icedtea | <2.3.13 | 2.3.13 |
| redhat/icedtea | <1.12.8 | 1.12.8 |
| redhat/icedtea | <1.13.1 | 1.13.1 |
| Oracle JDK 6 | =1.7.0-update45 | |
| Oracle Java Runtime Environment (JRE) | =1.7.0-update45 | |
| Oracle JDK 6 | =1.6.0-update65 | |
| Oracle Java Runtime Environment (JRE) | =1.6.0-update65 | |
| Oracle JDK 6 | =1.5.0-update55 | |
| Oracle Java Runtime Environment (JRE) | =1.5.0-update55 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/rev/42be8e6266ab
- http://hg.openjdk.java.net/jdk7u/jdk7u/jaxp/rev/783ceae9b736
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00009.html
- http://lists.opensuse.org/opensuse-security-announce/2014-02/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2014-03/msg00024.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00105.html
- http://lists.opensuse.org/opensuse-updates/2014-01/msg00107.html
- http://lists.opensuse.org/opensuse-updates/2014-02/msg00000.html
- http://marc.info/?l=bugtraq&m=139402697611681&w=2
- http://marc.info/?l=bugtraq&m=139402749111889&w=2
- http://osvdb.org/102018
- http://rhn.redhat.com/errata/RHSA-2014-0026.html
- http://rhn.redhat.com/errata/RHSA-2014-0027.html
- http://rhn.redhat.com/errata/RHSA-2014-0030.html
- http://rhn.redhat.com/errata/RHSA-2014-0097.html
- http://rhn.redhat.com/errata/RHSA-2014-0134.html
- http://rhn.redhat.com/errata/RHSA-2014-0135.html
- http://rhn.redhat.com/errata/RHSA-2014-0136.html
- http://secunia.com/advisories/56432
- http://secunia.com/advisories/56485
- http://secunia.com/advisories/56486
- http://secunia.com/advisories/56535
- http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
- http://www.securityfocus.com/bid/64758
- http://www.securityfocus.com/bid/64907
- http://www.securitytracker.com/id/1029608
- http://www.ubuntu.com/usn/USN-2089-1
- http://www.ubuntu.com/usn/USN-2124-1
- https://access.redhat.com/errata/RHSA-2014:0414
- https://bugzilla.redhat.com/show_bug.cgi?id=1051923
- https://exchange.xforce.ibmcloud.com/vulnerabilities/90350
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04166777
Frequently Asked Questions
What is the severity of CVE-2014-0376?
CVE-2014-0376 is considered a high severity vulnerability due to its potential to bypass Java sandbox restrictions.
How do I fix CVE-2014-0376?
To fix CVE-2014-0376, update to the latest version of the affected software packages such as icedtea or Oracle Java runtimes.
Which versions of software are affected by CVE-2014-0376?
CVE-2014-0376 affects several versions of icedtea, Oracle JDK, and Oracle JRE, specifically versions prior to 2.4.4 and 1.7.0-update45.
What components are involved in CVE-2014-0376?
CVE-2014-0376 involves the JAXP component in OpenJDK, which improperly checks code permissions.
Can an attacker exploit CVE-2014-0376 remotely?
Yes, an attacker can exploit CVE-2014-0376 remotely using an untrusted Java application or applet.
- agent/type
- agent/first-publish-date
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-0376
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/oracle
- canonical/oracle jdk 6
- version/oracle jdk 6/1.7.0-update45
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.7.0-update45
- version/oracle jdk 6/1.6.0-update65
- version/oracle java runtime environment (jre)/1.6.0-update65
- version/oracle jdk 6/1.5.0-update55
- version/oracle java runtime environment (jre)/1.5.0-update55