Bug 8685

Summary: multiple security issues in openjdk/icedtea
Product: Mageia Reporter: Oden Eriksson <oe>
Component: SecurityAssignee: Oden Eriksson <oe>
Status: RESOLVED DUPLICATE QA Contact:
Severity: normal    
Priority: Normal CC: dmorganec, luigiwalser, qa-bugs
Version: 2   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
Whiteboard:
Source RPM: CVE:
Status comment:

Description Oden Eriksson 2013-01-14 12:36:01 CET 
======================================================
Name: CVE-2013-0422
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0422
Reference: MISC:http://blog.fireeye.com/research/2013/01/happy-new-year-from-new-java-zero-day.html
Reference: MISC:http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
Reference: MISC:http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
Reference: MISC:http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
Reference: MISC:https://threatpost.com/en_us/blogs/nasty-new-java-zero-day-found-exploit-kits-already-have-it-011013
Reference: CERT-VN:VU#625617
Reference: URL:http://www.kb.cert.org/vuls/id/625617

The MBeanInstantiator in Oracle Java Runtime Environment (JRE) 1.7 in
Java 7 Update 10 and earlier allows remote attackers to execute
arbitrary code via vectors related to unspecified classes that allow
access to the class loader, as exploited in the wild in January 2013,
as demonstrated by Blackhole and Nuclear Pack, and a different
vulnerability than CVE-2012-4681.
Comment 1 Oden Eriksson 2013-01-14 12:37:52 CET 
https://blogs.oracle.com/security/entry/security_alert_for_cve_2013

"« October 2012 Critica... | Main
Security Alert for CVE-2013-0422 Released
By Eric P. Maurice on Jan 13, 2013

Hi, this is Eric Maurice again.

Oracle has just released Security Alert CVE-2012-0422 to address two vulnerabilities affecting Java in web browsers.  These vulnerabilities do not affect Java on servers, Java desktop applications, or embedded Java.  The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174.  These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0.  Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited âin the wildâ and some exploits are available in various hacking tools.

The exploit conditions for these vulnerabilities are the same.  To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website.  The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system.  These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets. 

With this Security Alert, and in addition to the fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to âhighâ by default.  The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed.  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel."

According to public information these fixes aren't enough.
Comment 2 Oden Eriksson 2013-01-14 12:42:49 CET 
https://bugzilla.redhat.com/show_bug.cgi?id=894172

"Vincent Danen 2013-01-10 16:54:16 EST

CERT VU#625617 [1] describes a flaw in Java 7 Update 10 and earlier, which contains an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

This is currently being exploited in the wild and is reported to be incorporated into exploit kits.  It is recommended that all users disable the java browser plugin in their browsers.

[1] http://www.kb.cert.org/vuls/id/625617

Other references:

http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/"
Comment 3 Oden Eriksson 2013-01-14 12:44:06 CET 
https://bugzilla.redhat.com/show_bug.cgi?id=894934

"David Jorm 2013-01-13 22:59:06 EST

Oracle Java SE 7 Update 11 resolves CVE-2012-3174, an unknown flaw that allows for remote arbitrary code execution. The impact is similar to CVE-2013-0422.

External Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html"
Oden Eriksson 2013-01-14 12:46:48 CET

Assignee: bugsquad => qa-bugs

Oden Eriksson 2013-01-14 12:48:38 CET

CC: (none) => dmorganec

Comment 4 Oden Eriksson 2013-01-14 12:57:46 CET 
It's not clear if older java is affected or will be fixed.

https://blogs.oracle.com/henrik/entry/java_6_eol_h_h
Comment 5 claire robinson 2013-01-14 14:23:34 CET 
Why is this one assigned to QA please Oden?
Comment 6 claire robinson 2013-01-15 01:26:31 CET 
Assigning Oden until this is ready for QA.
Please reassign when done, thanks.

CC: (none) => qa-bugs
Assignee: qa-bugs => oe

Comment 7 Oden Eriksson 2013-01-18 10:47:14 CET 
CVE-2012-3174 and CVE-2013-0422 was fixed by redhat:

https://rhn.redhat.com/errata/RHSA-2013-0165.html

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-January/021413.html

This was fixed with icedtea 2.1.4, 2.2.4 and 2.3.4.
Comment 8 David Walser 2013-01-31 22:43:42 CET 

*** This bug has been marked as a duplicate of bug 8728 ***

Status: NEW => RESOLVED
CC: (none) => luigiwalser
Resolution: (none) => DUPLICATE