Bug 7278 - java-1.7.0-openjdk new security issue CVE-2012-4681
Summary: java-1.7.0-openjdk new security issue CVE-2012-4681
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: High critical
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA2-64-OK MGA2-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2012-08-31 22:06 CEST by David Walser
Modified: 2012-09-08 23:10 CEST

See Also:
Source RPM: java-1.7.0-openjdk-1.7.0.3-2.2.1.0.2.mga2.src.rpm
CVE:
Status comment:


Attachments
Gondvv.java (2.61 KB, text/plain)
2012-09-08 18:48 CEST, Dave Hodgins

Description David Walser 2012-08-31 22:06:30 CEST
D Morgan has built a *highly critical* update for java-1.7.0-openjdk.

This is for a very high profile zero day exploit that is publicly available and being actively exploited.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerability:

A flaw in the Java security manager, which is used for sandboxing Java
applets and enforcing other security restrictions, allows for arbitrary
code execution (CVE-2012-4681).

This updates IcedTea to version 2.3.1 which fixes this issue, as well as
several other bugs.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.1.1.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.1.1.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.1.1.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.1.1.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.1.1.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.1.1.1.mga2
David Walser 2012-08-31 22:06:47 CEST

Priority: Normal => High
CC: (none) => dmorganec
Severity: normal => critical

Comment 1 David Walser 2012-08-31 22:36:32 CEST
Luckily nothing in Mageia 2 requires java-1.7.0-openjdk, greatly reducing our exposure to this vulnerability.  I guess the only way to get exploited would be to run malicious code manually.

Comment 2 David Walser 2012-08-31 22:43:06 CEST
PoC:  http://pastie.org/4594319

Comment 3 Simon Putt 2012-08-31 22:43:39 CEST
Yes, I just brought this up in the IRC channel, but I believe that Oracle also released a patched 1.6.35 to fix a similar problem (that would be exploited on 2 as its icedtea web is linked to openjdk-java-1.6)

CC: (none) => lemonzest

Comment 4 David Walser 2012-08-31 23:42:28 CEST
Thanks for letting us know Simon.

They have also updated IcedTea7 again, now to 2.3.2.

http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/

CC: (none) => qa-bugs
Assignee: qa-bugs => dmorganec

Comment 5 David Walser 2012-09-07 17:44:53 CEST
D Morgan has updated the IcedTea to 2.3.2.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerability:

A flaw in the Java security manager, which is used for sandboxing Java
applets and enforcing other security restrictions, allows for arbitrary
code execution (CVE-2012-4681).

This updates IcedTea to version 2.3.2 which fixes this issue, an
XMLDecoder security issue via ClassFinder (CVE-2012-1682) and an issue
with AWT internals references (CVE-2012-0547), as well as several other
bugs.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/
http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.2.1.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2

Assignee: dmorganec => qa-bugs

Comment 6 David Walser 2012-09-07 17:46:14 CEST
Oops, forgot the other two CVE URLs in the references.

Advisory:
========================

Updated java-1.7.0-openjdk packages fix security vulnerability:

A flaw in the Java security manager, which is used for sandboxing Java
applets and enforcing other security restrictions, allows for arbitrary
code execution (CVE-2012-4681).

This updates IcedTea to version 2.3.2 which fixes this issue, an
XMLDecoder security issue via ClassFinder (CVE-2012-1682) and an issue
with AWT internals references (CVE-2012-0547), as well as several other
bugs.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/
http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/
========================

Updated packages in core/updates_testing:
========================
java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-devel-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-demo-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-src-1.7.0.6-2.3.2.1.1.mga2
java-1.7.0-openjdk-javadoc-1.7.0.6-2.3.2.1.1.mga2

from java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2

Comment 7 Dave Hodgins 2012-09-08 18:48:06 CEST
Created attachment 2770
Gondvv.java

Modified copy of the POC from Comment 2.

$ javac Gondvv.java
$ java Gondvv

Results in /usr/bin/kcalc running.

Comment 8 Dave Hodgins 2012-09-08 19:03:33 CEST
Testing complete on Mageia 2 i586 and x86-64.

After installing the update,
$ java Gondvv
java.lang.NoSuchMethodException: <unbound>=Class.getField(Class, "acc");

Could someone from the sysadmin team push the srpm
java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated java-1.7.0-openjdk packages fix security vulnerability:

A flaw in the Java security manager, which is used for sandboxing Java
applets and enforcing other security restrictions, allows for arbitrary
code execution (CVE-2012-4681).

This updates IcedTea to version 2.3.2 which fixes this issue, an
XMLDecoder security issue via ClassFinder (CVE-2012-1682) and an issue
with AWT internals references (CVE-2012-0547), as well as several other
bugs.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-0547
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1682
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4681
http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/
http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/

https://bugs.mageia.org/show_bug.cgi?id=7278

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK
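
The verification in Comment 8 can also be approached from the package database rather than by running the PoC. The following is an added example, not part of the bug report or of Mageia's tooling: it compares an installed name-version-release string against the builds named in the advisories above and lists the CVEs still unfixed. The function names and the simplified RPM version ordering are assumptions of the example.

```python
import re

# First package build whose advisory on this page lists each CVE as fixed.
FIXED_IN = [
    ("CVE-2012-4681", ("1.7.0.6", "2.3.1.1.1.mga2")),
    ("CVE-2012-1682", ("1.7.0.6", "2.3.2.1.1.mga2")),
    ("CVE-2012-0547", ("1.7.0.6", "2.3.2.1.1.mga2")),
]

def rpmvercmp(a, b):
    """Simplified RPM ordering: split into digit/letter runs, compare pairwise.
    Epochs and tilde/caret rules are not handled (none appear on this page)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats a letter run
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win

def split_nvr(nvr):
    """Split 'name-version-release'; the name itself may contain dashes."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def missing_fixes(nvr):
    """Return the CVEs from this page that the given build predates."""
    _, version, release = split_nvr(nvr)
    missing = []
    for cve, (fixed_version, fixed_release) in FIXED_IN:
        order = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
        if order < 0:
            missing.append(cve)
    return missing

if __name__ == "__main__":
    # Strings as printed by: rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' <pkg>
    # The three samples are the builds named on this page.
    for nvr in ("java-1.7.0-openjdk-1.7.0.3-2.2.1.0.2.mga2",
                "java-1.7.0-openjdk-1.7.0.6-2.3.1.1.1.mga2",
                "java-1.7.0-openjdk-1.7.0.6-2.3.2.1.1.mga2"):
        print(nvr, missing_fixes(nvr) or "all three CVEs fixed")
```

A build at the first update (IcedTea 2.3.1) is reported as still missing the two CVEs that the advisory only lists for 2.3.2.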

Comment 9 Thomas Backlund 2012-09-08 23:10:10 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0260

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

