Multiple security flaws have been identified in the Sun Java JDK (Java Development Kit) and JRE (Java Runtime Environment) software packages. A remote attacker can exploit them to affect the reliability, integrity and availability of these packages.
Package:
Sun Java JDK 1.x, Sun Java JRE 1.x
Operating systems:
HP-UX 11.x
Severity:
8.7
Problem:
unspecified error
Exploitation:
remote
Impact:
privilege escalation, data modification, unauthorized system access, disclosure of sensitive information, denial of service (DoS)
Some of the flaws stem from improper handling of "surfaceData" objects and JNLP files, from errors in the implementation of the SSL and TLS protocols, and from errors in the Deployment, Deserialization, AWT, Serialization and other components. For more details on the vulnerabilities, see the original advisory.
Impact:
A remote attacker can exploit these vulnerabilities to disclose and modify data, gain elevated privileges, gain unauthorized access to the system, mount a DoS attack, etc.
Solution:
All users of the affected package are advised to apply the available upgrades and patches.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03266681
Version: 1
HPSBUX02760 SSRT100805 rev.1 - HP-UX Running Java, Remote Unauthorized Access, Disclosure of Information, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2012-04-02
Last Updated: 2012-04-02
Potential Security Impact: Remote unauthorized access, disclosure of information, and other vulnerabilities
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote unauthorized access, disclosure of information, and other vulnerabilities.
References: CVE-2011-3389, CVE-2011-3521, CVE-2011-3545, CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3554, CVE-2011-3556, CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0498, CVE-2012-0499, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running HP JDK and JRE 5.0.24 or earlier
BACKGROUND
For a PGP signed version of this security bulletin please write to: (e-mail address hidden by the source page's spam protection)
CVSS 2.0 Base Metrics
Reference and Affectivity    Base Vector                      Base Score
CVE-2011-3389                (AV:N/AC:M/Au:N/C:P/I:N/A:N)     4.3
CVE-2011-3521                (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
CVE-2011-3545                (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
CVE-2011-3547                (AV:N/AC:L/Au:N/C:P/I:N/A:N)     5.0
CVE-2011-3548                (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
CVE-2011-3549                (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
CVE-2011-3552                (AV:N/AC:H/Au:N/C:N/I:P/A:N)     2.6
CVE-2011-3554                (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
CVE-2011-3556                (AV:N/AC:L/Au:N/C:P/I:P/A:P)     7.5
CVE-2011-3557                (AV:N/AC:M/Au:N/C:P/I:P/A:P)     6.8
CVE-2011-3560                (AV:N/AC:L/Au:N/C:P/I:P/A:N)     6.4
CVE-2011-3563                (AV:N/AC:L/Au:N/C:P/I:N/A:P)     6.4
CVE-2012-0498                (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
CVE-2012-0499                (AV:N/AC:L/Au:N/C:C/I:C/A:C)     10.0
CVE-2012-0501                (AV:N/AC:L/Au:N/C:N/I:N/A:P)     5.0
CVE-2012-0502                (AV:N/AC:L/Au:N/C:P/I:N/A:P)     6.4
CVE-2012-0503                (AV:N/AC:L/Au:N/C:P/I:P/A:P)     7.5
CVE-2012-0505                (AV:N/AC:L/Au:N/C:P/I:P/A:P)     7.5
CVE-2012-0506                (AV:N/AC:M/Au:N/C:N/I:P/A:N)     4.3
CVE-2012-0507                (AV:N/AC:L/Au:N/C:P/I:P/A:P)     7.5
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
RESOLUTION
HP has provided the following Java version upgrades to resolve these vulnerabilities.
The upgrades are available from the following location:
http://www.hp.com/go/java
HP-UX B.11.11, B.11.23, B.11.31
JDK and JRE v5.0.25 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v5.0.24 and earlier, update to Java v5.0.25 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
===========
Jdk15.JDK15
Jdk15.JDK15-COM
Jdk15.JDK15-DEMO
Jdk15.JDK15-IPF32
Jdk15.JDK15-IPF64
Jdk15.JDK15-COM
Jdk15.JDK15-DEMO
Jdk15.JDK15-PA20
Jdk15.JDK15-PA20W
Jre15.JRE15
Jre15.JRE15-COM
Jre15.JRE15-IPF32
Jre15.JRE15-IPF32-HS
Jre15.JRE15-IPF64
Jre15.JRE15-IPF64-HS
Jre15.JRE15-PA20
Jre15.JRE15-PA20-HS
Jre15.JRE15-PA20W
Jre15.JRE15-PA20W-HS
action: install revision 1.5.0.25.00 or subsequent
END AFFECTED VERSIONS
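The "action:" line above can be turned into a host check. The following is an added example, not part of HP's bulletin or tooling: it reads fileset listings and prints the Jdk15/Jre15 filesets whose revision is below 1.5.0.25.00. The function names, the sample input and the assumed "fileset revision description" column order of `swlist -l fileset` output are assumptions of this example.

```sh
#!/bin/sh
# Added example (not HP's code): list Jdk15/Jre15 filesets that are older
# than the fixed revision named in the bulletin's "action:" line.
FIXED_REV="1.5.0.25.00"

# rev_lt A B: succeed when dotted revision A sorts before B. Fields are
# compared numerically, so 1.5.0.09.00 < 1.5.0.25.00 and "09" equals 9.
rev_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1   # equal revisions are not "less than"
    }' </dev/null
}

# affected_filesets: read "fileset revision [description]" lines on stdin
# (assumed column order of `swlist -l fileset`) and print the Java 5
# filesets whose revision is below FIXED_REV. Other lines are skipped.
affected_filesets() {
    while read -r name rev rest; do
        case "$name" in
            Jdk15.*|Jre15.*) ;;
            *) continue ;;
        esac
        [ -n "$rev" ] || continue
        if rev_lt "$rev" "$FIXED_REV"; then
            printf '%s %s\n' "$name" "$rev"
        fi
    done
}

# Constructed sample input; on a real host pipe swlist output in instead.
SAMPLE='# Jdk15               1.5.0.24.00  constructed product line
  Jdk15.JDK15-COM     1.5.0.24.00  constructed
  Jre15.JRE15-IPF32   1.5.0.25.00  constructed
  Jre15.JRE15-PA20    1.5.0.09.00  constructed
  Other.FILESET       A.01.00      constructed, not a Java 5 fileset'

printf '%s\n' "$SAMPLE" | affected_filesets
```

An empty result means no listed Java 5 fileset is below the fixed revision; it does not cover Java installations that are not registered as these filesets.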
HISTORY
Version: 1 (rev.1) - 2 April 2012 Initial release