CVE-2014-0446
First published: Mon Apr 14 2014(Updated: )
It was discovered that the system logger was not properly protected against using handlers of custom loggers created prior to the system logger. An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/icedtea | <1.13.3 | 1.13.3 |
| redhat/icedtea | <2.4.7 | 2.4.7 |
| Ubuntu Linux | =10.04 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =12.10 | |
| Ubuntu Linux | =13.10 | |
| Ubuntu Linux | =14.04 | |
| Oracle JDK 6 | =1.5.0-update61 | |
| Oracle JDK 6 | =1.6.0-update71 | |
| Oracle JDK 6 | =1.7.0-update51 | |
| Oracle JDK 6 | =1.8.0 | |
| Oracle Java Runtime Environment (JRE) | =1.5.0-update61 | |
| Oracle Java Runtime Environment (JRE) | =1.6.0-update71 | |
| Oracle Java Runtime Environment (JRE) | =1.7.0-update51 | |
| Oracle Java Runtime Environment (JRE) | =1.8.0 | |
| Debian GNU/Linux | =6.0 | |
| Debian GNU/Linux | =7.0 | |
| Debian GNU/Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://marc.info/?l=bugtraq&m=140852886808946&w=2
- http://marc.info/?l=bugtraq&m=140852974709252&w=2
- http://rhn.redhat.com/errata/RHSA-2014-0675.html
- http://rhn.redhat.com/errata/RHSA-2014-0685.html
- http://secunia.com/advisories/58415
- http://secunia.com/advisories/59058
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://security.gentoo.org/glsa/glsa-201502-12.xml
- http://www-01.ibm.com/support/docview.wss?uid=swg21672080
- http://www-01.ibm.com/support/docview.wss?uid=swg21676746
- http://www.debian.org/security/2014/dsa-2912
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
- http://www.securityfocus.com/bid/66903
- http://www.ubuntu.com/usn/USN-2187-1
- http://www.ubuntu.com/usn/USN-2191-1
- https://access.redhat.com/errata/RHSA-2014:0413
- https://access.redhat.com/errata/RHSA-2014:0414
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027214.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2014-April/027222.html
- http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html#AppendixJAVA
- https://rhn.redhat.com/errata/RHSA-2014-0407.html
- https://rhn.redhat.com/errata/RHSA-2014-0406.html
- https://rhn.redhat.com/errata/RHSA-2014-0408.html
- https://rhn.redhat.com/errata/RHSA-2014-0413.html
- https://rhn.redhat.com/errata/RHSA-2014-0412.html
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c44b970b4c40
- https://rhn.redhat.com/errata/RHSA-2014-0414.html
- https://rhn.redhat.com/errata/RHSA-2014-0486.html
- https://rhn.redhat.com/errata/RHSA-2014-0508.html
- https://rhn.redhat.com/errata/RHSA-2014-0509.html
- https://rhn.redhat.com/errata/RHSA-2014-0675.html
- https://rhn.redhat.com/errata/RHSA-2014-0685.html
- https://rhn.redhat.com/errata/RHSA-2014-0705.html
- https://rhn.redhat.com/errata/RHSA-2014-0982.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1087439
Frequently Asked Questions
What is the severity of CVE-2014-0446?
CVE-2014-0446 is generally considered a high severity vulnerability due to its potential to bypass Java sandbox restrictions.
How do I fix CVE-2014-0446?
To fix CVE-2014-0446, upgrade to the patched versions of the affected packages, such as icedtea 1.13.3 or 2.4.7.
Which software is affected by CVE-2014-0446?
CVE-2014-0446 affects various versions of Oracle Java SE, including JDK and JRE from 1.5.0 to 1.8.0, as well as multiple versions of icedtea.
Can CVE-2014-0446 be exploited remotely?
Yes, CVE-2014-0446 can potentially be exploited remotely by untrusted Java applications or applets.
What is the impact of CVE-2014-0446?
The impact of CVE-2014-0446 includes potential unauthorized access and control over the system by bypassing security restrictions.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-0446
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/references
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/10.04
- version/ubuntu linux/12.04
- version/ubuntu linux/12.10
- version/ubuntu linux/13.10
- version/ubuntu linux/14.04
- vendor/oracle
- canonical/oracle jdk 6
- version/oracle jdk 6/1.5.0-update61
- version/oracle jdk 6/1.6.0-update71
- version/oracle jdk 6/1.7.0-update51
- version/oracle jdk 6/1.8.0
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.5.0-update61
- version/oracle java runtime environment (jre)/1.6.0-update71
- version/oracle java runtime environment (jre)/1.7.0-update51
- version/oracle java runtime environment (jre)/1.8.0
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/6.0
- version/debian gnu/linux/7.0
- version/debian gnu/linux/8.0