Important: java-1.6.0-openjdk

2013-04-25T20:40:00
ID ALAS-2013-185
Type amazon
Reporter Amazon
Modified 2013-04-25T20:40:00

Description

Issue Overview:

Multiple flaws were discovered in the font layout engine in the 2D component. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. (CVE-2013-1569 __, CVE-2013-2383 __, CVE-2013-2384 __)

Multiple improper permission check issues were discovered in the Beans, Libraries, JAXP, and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-1558 __, CVE-2013-2422 __, CVE-2013-1518 __, CVE-2013-1557 __)

The previous default value of the java.rmi.server.useCodebaseOnly property permitted the RMI implementation to automatically load classes from remotely specified locations. An attacker able to connect to an application using RMI could use this flaw to make the application execute arbitrary code. (CVE-2013-1537 __)

The 2D component did not properly process certain images. An untrusted Java application or applet could possibly use this flaw to trigger Java Virtual Machine memory corruption. (CVE-2013-2420 __)

It was discovered that the Hotspot component did not properly handle certain intrinsic frames, and did not correctly perform MethodHandle lookups. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2013-2431 __, CVE-2013-2421 __)

It was discovered that JPEGImageReader and JPEGImageWriter in the ImageIO component did not protect against modification of their state while performing certain native code operations. An untrusted Java application or applet could possibly use these flaws to trigger Java Virtual Machine memory corruption. (CVE-2013-2429 __, CVE-2013-2430 __)

The JDBC driver manager could incorrectly call the toString() method in JDBC drivers, and the ConcurrentHashMap class could incorrectly call the defaultReadObject() method. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2013-1488 __, CVE-2013-2426 __)

The sun.awt.datatransfer.ClassLoaderObjectInputStream class may incorrectly invoke the system class loader. An untrusted Java application or applet could possibly use this flaw to bypass certain Java sandbox restrictions. (CVE-2013-0401 __)

Flaws were discovered in the Network component's InetAddress serialization, and the 2D component's font handling. An untrusted Java application or applet could possibly use these flaws to crash the Java Virtual Machine. (CVE-2013-2417 __, CVE-2013-2419 __)

The MBeanInstantiator class implementation in the OpenJDK JMX component did not properly check class access before creating new instances. An untrusted Java application or applet could use this flaw to create instances of non-public classes. (CVE-2013-2424 __)

It was discovered that JAX-WS could possibly create temporary files with insecure permissions. A local attacker could use this flaw to access temporary files created by an application using JAX-WS. (CVE-2013-2415 __)

Affected Packages:

java-1.6.0-openjdk

Issue Correction:
Run yum update java-1.6.0-openjdk to update your system.

New Packages:

i686:  
    java-1.6.0-openjdk-debuginfo-1.6.0.0-61.1.11.11.53.amzn1.i686  
    java-1.6.0-openjdk-javadoc-1.6.0.0-61.1.11.11.53.amzn1.i686  
    java-1.6.0-openjdk-devel-1.6.0.0-61.1.11.11.53.amzn1.i686  
    java-1.6.0-openjdk-demo-1.6.0.0-61.1.11.11.53.amzn1.i686  
    java-1.6.0-openjdk-src-1.6.0.0-61.1.11.11.53.amzn1.i686  
    java-1.6.0-openjdk-1.6.0.0-61.1.11.11.53.amzn1.i686

src:  
    java-1.6.0-openjdk-1.6.0.0-61.1.11.11.53.amzn1.src

x86_64:  
    java-1.6.0-openjdk-src-1.6.0.0-61.1.11.11.53.amzn1.x86_64  
    java-1.6.0-openjdk-demo-1.6.0.0-61.1.11.11.53.amzn1.x86_64  
    java-1.6.0-openjdk-javadoc-1.6.0.0-61.1.11.11.53.amzn1.x86_64  
    java-1.6.0-openjdk-1.6.0.0-61.1.11.11.53.amzn1.x86_64  
    java-1.6.0-openjdk-devel-1.6.0.0-61.1.11.11.53.amzn1.x86_64  
    java-1.6.0-openjdk-debuginfo-1.6.0.0-61.1.11.11.53.amzn1.x86_64