RHSA-2014:0406: Critical: java-1.7.0-openjdk security update

First published: Wed Apr 16 2014(Updated: )

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime<br>Environment and the OpenJDK 7 Java Software Development Kit.<br>An input validation flaw was discovered in the medialib library in the 2D<br>component. A specially crafted image could trigger Java Virtual Machine<br>memory corruption when processed. A remote attacker, or an untrusted Java<br>application or applet, could possibly use this flaw to execute arbitrary<br>code with the privileges of the user running the Java Virtual Machine.<br>(CVE-2014-0429)<br>Multiple flaws were discovered in the Hotspot and 2D components in OpenJDK.<br>An untrusted Java application or applet could use these flaws to trigger<br>Java Virtual Machine memory corruption and possibly bypass Java sandbox<br>restrictions. (CVE-2014-0456, CVE-2014-2397, CVE-2014-2421)<br>Multiple improper permission check issues were discovered in the Libraries<br>component in OpenJDK. An untrusted Java application or applet could use<br>these flaws to bypass Java sandbox restrictions. (CVE-2014-0457,<br>CVE-2014-0455, CVE-2014-0461)<br>Multiple improper permission check issues were discovered in the AWT,<br>JAX-WS, JAXB, Libraries, Security, Sound, and 2D components in OpenJDK.<br>An untrusted Java application or applet could use these flaws to bypass<br>certain Java sandbox restrictions. (CVE-2014-2412, CVE-2014-0451,<br>CVE-2014-0458, CVE-2014-2423, CVE-2014-0452, CVE-2014-2414, CVE-2014-2402,<br>CVE-2014-0446, CVE-2014-2413, CVE-2014-0454, CVE-2014-2427, CVE-2014-0459)<br>Multiple flaws were identified in the Java Naming and Directory Interface<br>(JNDI) DNS client. These flaws could make it easier for a remote attacker<br>to perform DNS spoofing attacks. (CVE-2014-0460)<br>It was discovered that the JAXP component did not properly prevent access<br>to arbitrary files when a SecurityManager was present. This flaw could<br>cause a Java application using JAXP to leak sensitive information, or<br>affect application availability. (CVE-2014-2403)<br>It was discovered that the Security component in OpenJDK could leak some<br>timing information when performing PKCS#1 unpadding. This could possibly<br>lead to the disclosure of some information that was meant to be protected<br>by encryption. (CVE-2014-0453)<br>It was discovered that the fix for CVE-2013-5797 did not properly resolve<br>input sanitization flaws in javadoc. When javadoc documentation was<br>generated from an untrusted Java source code and hosted on a domain not<br>controlled by the code author, these issues could make it easier to perform<br>cross-site scripting (XSS) attacks. (CVE-2014-2398)<br>An insecure temporary file use flaw was found in the way the unpack200<br>utility created log files. A local attacker could possibly use this flaw to<br>perform a symbolic link attack and overwrite arbitrary files with the<br>privileges of the user running unpack200. (CVE-2014-1876)<br>Note: If the web browser plug-in provided by the icedtea-web package was<br>installed, the issues exposed via Java applets could have been exploited<br>without user interaction if a user visited a malicious website.<br>All users of java-1.7.0-openjdk are advised to upgrade to these updated<br>packages, which resolve these issues. All running instances of OpenJDK Java<br>must be restarted for the update to take effect.<br>

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-errata
• anchor-id/RHSA-2014:0406
• agent/description
• agent/event
• agent/first-publish-date
• agent/last-modified-date
• agent/references
• agent/remedy
• agent/severity
• agent/softwarecombine
• agent/tags
• agent/title
• agent/type
• agent/weakness
• package-manager/redhat