Important: java-1.7.0-openjdk

2012-10-23T10:38:00
ID ALAS-2012-137
Type amazon
Reporter Amazon
Modified 2014-09-14T17:14:00

Description

Issue Overview:

Multiple improper permission check issues were discovered in the Beans, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-5086, CVE-2012-5084, CVE-2012-5089)

Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072)

It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2012-5079)

It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception. (CVE-2012-5081)

It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. (CVE-2012-5075)

A bug in the Java HotSpot Virtual Machine optimization code could cause it to skip array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory. (CVE-2012-4416)

It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. (CVE-2012-5077)

It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory. (CVE-2012-3216)

This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced system property, "jdk.net.registerGopherProtocol", to true (for example, -Djdk.net.registerGopherProtocol=true on the java command line); leave it unset unless an application actually needs gopher: URLs. (CVE-2012-5085)

Affected Packages:

java-1.7.0-openjdk

Issue Correction:
Run yum update java-1.7.0-openjdk to update your system. Running Java processes keep the old code loaded until they are restarted, so restart any JVMs (application servers, agents) after the update.

New Packages:

i686:  
    java-1.7.0-openjdk-1.7.0.9-2.3.3.13.amzn1.i686  
    java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.13.amzn1.i686  
    java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.13.amzn1.i686  
    java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.13.amzn1.i686  
    java-1.7.0-openjdk-src-1.7.0.9-2.3.3.13.amzn1.i686

noarch:  
    java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.3.13.amzn1.noarch

src:  
    java-1.7.0-openjdk-1.7.0.9-2.3.3.13.amzn1.src

x86_64:  
    java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.13.amzn1.x86_64  
    java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.13.amzn1.x86_64  
    java-1.7.0-openjdk-1.7.0.9-2.3.3.13.amzn1.x86_64  
    java-1.7.0-openjdk-src-1.7.0.9-2.3.3.13.amzn1.x86_64  
    java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.13.amzn1.x86_64
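As an added example, not part of the advisory, the following Python script checks `rpm -qa` output against the fixed package versions listed above. It reimplements rpm's segment-wise version comparison (rpmvercmp) rather than comparing strings, so that, for instance, release 2.3.3.13 correctly sorts after 2.3.3.9. The installed-package sample is constructed; the older openjdk version string in it is an assumption made for illustration and does not come from the advisory.

```python
import re

# Fixed package versions taken from the advisory's "New Packages" list (x86_64 subset).
FIXED_NEVRAS = [
    "java-1.7.0-openjdk-1.7.0.9-2.3.3.13.amzn1.x86_64",
    "java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.13.amzn1.x86_64",
    "java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.13.amzn1.x86_64",
    "java-1.7.0-openjdk-src-1.7.0.9-2.3.3.13.amzn1.x86_64",
    "java-1.7.0-openjdk-debuginfo-1.7.0.9-2.3.3.13.amzn1.x86_64",
]

# Constructed sample of `rpm -qa` output. The 1.7.0.5 version is made up for
# illustration (an assumption), not a version quoted by the advisory.
SAMPLE_INSTALLED = """\
java-1.7.0-openjdk-1.7.0.5-2.2.1.2.amzn1.x86_64
java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.13.amzn1.x86_64
bash-4.1.2-8.20.amzn1.x86_64
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way rpm's rpmvercmp does:
    split into digit runs and letter runs, compare segment by segment (digits
    numerically, letters lexically, a digit run newer than a letter run, '~'
    older than anything). Returns 1 if a is newer, -1 if b is newer, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Anything that is not ASCII alphanumeric or '~' is a separator and is skipped.
        while i < len(a) and not ((a[i].isascii() and a[i].isalnum()) or a[i] == "~"):
            i += 1
        while j < len(b) and not ((b[j].isascii() and b[j].isalnum()) or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:  # '~' sorts before everything, even end of string
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        ma, mb = _SEGMENT.match(a, i), _SEGMENT.match(b, j)
        sa, sb = ma.group(), mb.group()
        a_num, b_num = sa[0].isdigit(), sb[0].isdigit()
        if a_num != b_num:
            return 1 if a_num else -1  # numeric segment beats alphabetic segment
        if a_num:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # longer digit string is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
        i, j = ma.end(), mb.end()
    # Both exhausted: equal apart from separators. Otherwise leftover content wins.
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def evrcmp(a, b):
    """Compare '[epoch:]version-release' strings; a missing epoch counts as 0."""
    def split(evr):
        epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
        version, _, release = rest.partition("-")
        return int(epoch), version, release
    ea, va, ra = split(a)
    eb, vb, rb = split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nevra(nevra):
    """Split 'name-version-release.arch' into (name, version, release, arch).
    Dashes inside the name (java-1.7.0-openjdk) are handled by splitting from the right."""
    name, version, rel_arch = nevra.rsplit("-", 2)
    release, arch = rel_arch.rsplit(".", 1)
    return name, version, release, arch


def outdated_packages(installed_text, fixed_nevras=FIXED_NEVRAS):
    """Return [(installed_nevra, fixed_nevra)] for each installed package that the
    advisory supersedes: same name and arch, but an older epoch/version/release."""
    fixed = {(n, a): (v, r) for n, v, r, a in map(parse_nevra, fixed_nevras)}
    result = []
    for line in installed_text.splitlines():
        line = line.strip()
        if not line:
            continue
        n, v, r, a = parse_nevra(line)
        if (n, a) in fixed:
            fv, fr = fixed[(n, a)]
            if evrcmp(f"{v}-{r}", f"{fv}-{fr}") < 0:
                result.append((line, f"{n}-{fv}-{fr}.{a}"))
    return result


if __name__ == "__main__":
    for old, new in outdated_packages(SAMPLE_INSTALLED):
        print(f"{old} is older than {new}: run yum update")
```

To run it against a real host, replace SAMPLE_INSTALLED with the output of `rpm -qa 'java-1.7.0-openjdk*'`. Plain `rpm -qa` output omits the epoch; if a comparison involves differing epochs, query with `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n'` and pass the resulting strings to evrcmp directly.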