First published: Mon Oct 21 2013
These packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Software Development Kit.

Multiple input checking flaws were found in the 2D component native image parsing code. A specially crafted image file could trigger a Java Virtual Machine memory corruption and, possibly, lead to arbitrary code execution with the privileges of the user running the Java Virtual Machine. (CVE-2013-5782)

The class loader did not properly check the package access for non-public proxy classes. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of the user running the Java Virtual Machine. (CVE-2013-5830)

Multiple improper permission check issues were discovered in the 2D, CORBA, JNDI, and Libraries components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-5829, CVE-2013-5814, CVE-2013-5817, CVE-2013-5842, CVE-2013-5850, CVE-2013-5838)

Multiple input checking flaws were discovered in the JPEG image reading and writing code in the 2D component. An untrusted Java application or applet could use these flaws to corrupt the Java Virtual Machine memory and bypass Java sandbox restrictions. (CVE-2013-5809)

The FEATURE_SECURE_PROCESSING setting was not properly honored by the javax.xml.transform package transformers. A remote attacker could use this flaw to supply a crafted XML that would be processed without the intended security restrictions. (CVE-2013-5802)

Multiple errors were discovered in the way the JAXP and Security components process XML inputs. A remote attacker could create a crafted XML that would cause a Java application to use an excessive amount of CPU and memory when processed. (CVE-2013-5825, CVE-2013-4002, CVE-2013-5823)

Multiple improper permission check issues were discovered in the Libraries, Swing, JAX-WS, JAXP, JGSS, AWT, Beans, and Scripting components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2013-3829, CVE-2013-5840, CVE-2013-5774, CVE-2013-5783, CVE-2013-5820, CVE-2013-5851, CVE-2013-5800, CVE-2013-5849, CVE-2013-5790, CVE-2013-5784)

It was discovered that the 2D component image library did not properly check bounds when performing image conversions. An untrusted Java application or applet could use this flaw to disclose portions of the Java Virtual Machine memory. (CVE-2013-5778)

Multiple input sanitization flaws were discovered in javadoc. When javadoc documentation was generated from untrusted Java source code and hosted on a domain not controlled by the code author, these issues could make it easier to perform cross-site scripting attacks. (CVE-2013-5804, CVE-2013-5797)

Various OpenJDK classes that represent cryptographic keys could leak private key information by including sensitive data in strings returned by toString() methods. These flaws could possibly lead to an unexpected exposure of sensitive key data. (CVE-2013-5780)

The Java Heap Analysis Tool (jhat) failed to properly escape all data added into the HTML pages it generated. Crafted content in the memory of a Java program analyzed using jhat could possibly be used to conduct cross-site scripting attacks. (CVE-2013-5772)

The Kerberos implementation in OpenJDK did not properly parse KDC responses. A malformed packet could cause a Java application using JGSS to exit. (CVE-2013-5803)

All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/java | <1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10 | 1.7.0-openjdk-1.7.0.45-2.4.3.1.el5_10 |
redhat/java | <1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10 | 1.7.0-openjdk-debuginfo-1.7.0.45-2.4.3.1.el5_10 |
redhat/java | <1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10 | 1.7.0-openjdk-demo-1.7.0.45-2.4.3.1.el5_10 |
redhat/java | <1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10 | 1.7.0-openjdk-devel-1.7.0.45-2.4.3.1.el5_10 |
redhat/java | <1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10 | 1.7.0-openjdk-javadoc-1.7.0.45-2.4.3.1.el5_10 |
redhat/java | <1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10 | 1.7.0-openjdk-src-1.7.0.45-2.4.3.1.el5_10 |
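A check a patch-management script might run against the table above, added here as an example and not part of the advisory: it compares an installed java-1.7.0-openjdk EVR against the fixed build 1.7.0.45-2.4.3.1.el5_10 with a simplified rpmvercmp (tilde and caret segments are not handled), and ignores the epoch when only one side specifies it because the table lists none. The `rpm -q` output is constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Fixed RHEL 5 build from the advisory table; the table lists no epoch.
FIXED_EVR = "1.7.0.45-2.4.3.1.el5_10"
_SEG = re.compile(r"[0-9]+|[A-Za-z]+")

def _cmp_part(a: str, b: str) -> int:
    """rpmvercmp-style compare of one version or release string (no tilde/caret)."""
    xs, ys = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(xs, ys):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        elif x != y:
            return -1 if x < y else 1
    return (len(xs) > len(ys)) - (len(xs) < len(ys))  # leftover segments mean newer

def split_evr(evr: str) -> Tuple[Optional[int], str, str]:
    """'1:1.7.0.45-2.4.3.1.el5_10' -> (1, '1.7.0.45', '2.4.3.1.el5_10'); epoch None if absent."""
    epoch: Optional[int] = None
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = None if e == "(none)" else int(e)  # rpm prints (none) for a missing epoch
    version, release = evr.rsplit("-", 1)
    return epoch, version, release

def compare_evr(a: str, b: str) -> int:
    """-1, 0 or 1 like rpmvercmp; the epoch decides only when both sides carry one."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea is not None and eb is not None and ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def is_affected(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    # True when the installed java-1.7.0-openjdk build is older than the fixed build.
    return compare_evr(installed_evr, fixed_evr) < 0

# Constructed sample of: rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' 'java-1.7.0-openjdk*'
SAMPLE_RPM_OUTPUT = """\
java-1.7.0-openjdk 1:1.7.0.25-2.3.10.4.el5_9
java-1.7.0-openjdk-devel 1:1.7.0.45-2.4.3.1.el5_10
"""

def affected_packages(rpm_output: str) -> List[str]:
    """Names of the packages in the rpm output that are still below the fixed build."""
    pairs = (line.split() for line in rpm_output.splitlines() if line.strip())
    return [name for name, evr in pairs if is_affected(evr)]
```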