Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2012-4681: java-1_7_0-openjdk: remote exploit | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Critical | | |
| Priority: | P1 - Urgent | CC: | dmueller, lnussel, meissner, security-team, trans |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/ | | |
| Whiteboard: | maint:released:sle11-sp2:49041 | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Marcus Meissner
2012-08-27 15:38:34 UTC
bugbot adjusting priority

CVE-2012-3539

From: David Jorm <djorm@redhat.com>
Subject: [oss-security] CVE Request: Java 7 code execution 0day

Hi All

A 0-day flaw exploited in the wild has been reported to affect Java 7:

http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
http://pastie.org/4594319

This issue was confirmed to allow an unsigned applet to bypass Java applet restrictions and run arbitrary code on users' systems. A lot of public information is now available for this flaw:

http://www.h-online.com/security/news/item/Warning-on-critical-Java-hole-1676219.html
http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html
https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
https://github.com/rapid7/metasploit-framework/commit/52ca1083c22de7022baf7dca8a1756909f803341

This flaw does not have a CVE ID assigned. I contacted Oracle asking if they have assigned one, but got no response. Can someone please assign a CVE ID to this flaw?

Thanks
--
David Jorm / Red Hat Security Response Team

Actually incorrect CVE, Mitre assigned: CVE-2012-4681

Oracle Java 7 Update 6, and possibly other versions, allows remote attackers to execute arbitrary code via a crafted applet, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.

With:
icedtea-web-1.2.1-10.1.x86_64
java-1_6_0-openjdk-1.6.0.0_b24.1.11.3-9.1.x86_64

http://isjavaexploitable.com/ reports:

WARNING: Your Java version is exploitable!
Java Version 6 Update 50 detected.
To secure this system you should disable the browser plugin or uninstall Java.

(I am unsure of the detection method, if it does version compares or actual exploit testing.)

If we are exploitable we should kill the icedtea-web plugin and the old java-1_6_0-sun-plugins asap via online update.

(In reply to comment #4)
> am unsure of the detection method, if it does version compares or actual
> exploit testing.)

It does the version compare - I have never heard that openjdk6 is affected.

BTW: Mark Wielaard from RedHat posted a fix upstream
http://thread.gmane.org/gmane.comp.java.openjdk.beans.devel/34
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020065.html

Via OSS-sec:

According to http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020065.html OpenJDK <= 7u4-b31 is also affected.
-- Eygene

I am working on the icedtea 2.3.1 update (also listed in a comment for indexing)
http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/

So, I've submitted revision 29 to Java:openjdk6:Factory with 2.3.1, however I made a lot of changes in the specfile because of icedtea tarball usage, thus I am not sure if it will build or not :(

In addition I made file permissions explicit in the file list - there were things like files with 0664 mode, so until now all files are 0644 by default and a few libraries and binaries are marked with %attr(755).

The last, but not least, change is a sane versioning scheme - as this version conforms to JDK7 u6, the rpm version is 1.7.0.6.

Just to note: there is an additional bunch of other CVEs:
- CVE-2012-1682
- CVE-2012-3136
- CVE-2012-0547
http://oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html

Today Sebastian Siebert posted a testcase on the ML opensuse-de.
You can reach the site here: http://www.sebastian-siebert.de/downloads/Gondvv.html

Seems like the current openJDK + IcedTea 1.2.1 is not affected, but you might want to verify that for yourself (with plain openSUSE repos).

I also took the liberty to decompile his java class to verify what's going on before exposing myself (feel free to wget/decompile the script yourself) or take a look at my paste: http://paste.opensuse.org/685a1c56

http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/

That means
for openjdk7 - we have to respin to 2.3.2 (12.2+)
for openjdk6 - we have to update to 1.11.4 (sle11, 11.4+)

@security team - do you want to track it in this bnc?

yes, use this bug. should we write icedtea-web in the summary instead? ;)

this also affects SLE, right?

(In reply to comment #13)
> yes, use this bug. should we write icedtea-web in the summary instead? ;)

All bugs and the fixes belong to openjdk, not to icedtea-web (the plugin/java webstart is the most common attack vector, but the bug is in the JRE).

> this also affects SLE, right?

Yes, there are the following fixes:

openjdk6 (sle11, 11.4, 12.1)
S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
S7163201, CVE-2012-0547: Simplify toolkit internals references

openjdk7 (12.2, factory)
S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
S7163201, CVE-2012-0547: Simplify toolkit internals references
S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects

... and the remote zero-day beast fixed by icedtea-2.3.1 (openjdk7)
RH852051, CVE-2012-4681, S7162473: Reintroduce PackageAccessible checks removed in 6788531.

revision 30 in Java:openjdk6:Factory/java-1_7_0-openjdk contains 2.3.2 - waiting for build

openjdk6:
sle11: 21614
11.4: 132408
12.1: 132410

openjdk7: WIP

got some zero fixes from @Dirk - thanks!

factory: 132912
12.2: 132913

* forgot to reassign to security-team *

This is an autogenerated message for OBS integration:
This bug (777499) was mentioned in
https://build.opensuse.org/request/show/132912 Factory / java-1_7_0-openjdk

This is an autogenerated message for OBS integration:
This bug (777499) was mentioned in
https://build.opensuse.org/request/show/132956 Factory / java-1_7_0-openjdk

This is an autogenerated message for OBS integration:
This bug (777499) was mentioned in
https://build.opensuse.org/request/show/133509 Factory / java-1_7_0-openjdk

Update released for: java-1_6_0-openjdk, java-1_6_0-openjdk-debuginfo, java-1_6_0-openjdk-debugsource, java-1_6_0-openjdk-demo, java-1_6_0-openjdk-devel, java-1_6_0-openjdk-javadoc, java-1_6_0-openjdk-plugin, java-1_6_0-openjdk-src
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)

openSUSE-SU-2012:1154-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 770040,777499
CVE References: CVE-2012-0547,CVE-2012-1682,CVE-2012-3136,CVE-2012-4681
Sources used:
openSUSE 12.2 (src): java-1_7_0-openjdk-1.7.0.6-3.12.1

OpenJDK: done, for SLE and for openSUSE.

IBM Java: affected, but will be tracked in a separate IBM Java bug.

Oracle/Sun Java: affected, but we do not ship it or support it anymore.

openSUSE-SU-2012:1175-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 777499
CVE References: CVE-2012-0547,CVE-2012-1682
Sources used:
openSUSE 12.1 (src): java-1_6_0-openjdk-1.6.0.0_b24.1.11.4-12.1
openSUSE 11.4 (src): java-1_6_0-openjdk-1.6.0.0_b24.1.11.4-0.17.1

This is an autogenerated message for OBS integration:
This bug (777499) was mentioned in
https://build.opensuse.org/request/show/135110 Evergreen:11.2 / java-1_6_0-openjdk

This is an autogenerated message for OBS integration:
This bug (777499) was mentioned in
https://build.opensuse.org/request/show/135243 Evergreen:11.2 / java-1_6_0-openjdk
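The thread notes that the public "is my Java exploitable" check works by version comparison, and the two openSUSE advisories above give the exact fixed version-release strings per product. The following is an added example (not part of this bug, not SUSE's tooling, and not the logic of the isjavaexploitable.com site) of doing that comparison properly for rpm-based systems: it re-implements rpm's `rpmvercmp()` segment ordering (assumption: the `~` and `^` extensions are omitted, since none of the versions here use them), parses `rpm -qa` lines, and flags installed java-1_6_0-openjdk / java-1_7_0-openjdk packages that are older than the fixed build for their product. The fixed-version table contains only the three openSUSE entries quoted in the advisories (SLE 11 SP2 is omitted because the bug does not quote its version string), and the `rpm -qa` output is constructed, not captured from a real host.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed package versions exactly as listed in the two openSUSE advisories
# quoted in this bug (openSUSE-SU-2012:1154-1 and openSUSE-SU-2012:1175-1).
# Keyed by (product, source package) -> (version, release). SLE 11 SP2 is
# left out because the bug does not quote its fixed version string.
FIXED: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("openSUSE 12.2", "java-1_7_0-openjdk"): ("1.7.0.6", "3.12.1"),
    ("openSUSE 12.1", "java-1_6_0-openjdk"): ("1.6.0.0_b24.1.11.4", "12.1"),
    ("openSUSE 11.4", "java-1_6_0-openjdk"): ("1.6.0.0_b24.1.11.4", "0.17.1"),
}

# rpm splits a version string into maximal runs of digits or letters and
# ignores every other character (so "1.6.0.0_b24" -> 1, 6, 0, 0, b, 24).
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Re-implementation of rpm's rpmvercmp() ordering (assumption: the '~'
    and '^' extensions are omitted; none of the versions here use them).
    Returns -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)      # numeric compare ignores leading zeros
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            return 1 if x_num else -1    # a numeric segment is newer than an alpha one
        elif x != y:
            return -1 if x < y else 1    # alpha segments compare as plain strings
    # All common segments equal: whichever string still has segments left is newer.
    if len(sa) == len(sb):
        return 0
    return -1 if len(sa) < len(sb) else 1


def parse_nvra(nvra: str) -> Tuple[str, str, str, str]:
    """Split an `rpm -qa` line ('name-version-release.arch') into its parts.
    Package names may themselves contain '-', so split from the right."""
    rest, arch = nvra.rsplit(".", 1)
    name_version, release = rest.rsplit("-", 1)
    name, version = name_version.rsplit("-", 1)
    return name, version, release, arch


def fixed_evr_for(product: str, name: str) -> Optional[Tuple[str, str]]:
    """Binary subpackages (-plugin, -devel, ...) carry the source package's
    version-release, so match on the source package name as a prefix."""
    for (prod, src), evr in FIXED.items():
        if prod == product and (name == src or name.startswith(src + "-")):
            return evr
    return None


def assess(product: str, rpm_qa_lines: List[str]) -> Dict[str, str]:
    """Classify each installed package as 'vulnerable' (older than the
    advisory's version-release), 'fixed', or 'not tracked' by this bug."""
    verdict: Dict[str, str] = {}
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, version, release, _arch = parse_nvra(line)
        fixed = fixed_evr_for(product, name)
        if fixed is None:
            verdict[name] = "not tracked"
            continue
        # Version decides first; only an equal version falls through to release.
        cmp = rpmvercmp(version, fixed[0]) or rpmvercmp(release, fixed[1])
        verdict[name] = "vulnerable" if cmp < 0 else "fixed"
    return verdict


# Constructed `rpm -qa` output for an openSUSE 12.1 host still on the 1.11.3
# build mentioned early in this bug (sample data, not from a real system).
SAMPLE_RPM_QA_12_1 = """
java-1_6_0-openjdk-1.6.0.0_b24.1.11.3-9.1.x86_64
java-1_6_0-openjdk-plugin-1.6.0.0_b24.1.11.3-9.1.x86_64
icedtea-web-1.2.1-10.1.x86_64
""".splitlines()

if __name__ == "__main__":
    for pkg, state in assess("openSUSE 12.1", SAMPLE_RPM_QA_12_1).items():
        print(f"{pkg}: {state}")
```

On a real host the sample list would be replaced by the output of `rpm -qa 'java-1_*_0-openjdk*'`, and the product string by the contents of /etc/os-release or /etc/SuSE-release. Comparing against the advisory's version-release rather than a bare "Java 6 Update N" string avoids the false alarm the thread describes, where a generic checker flags openjdk6 even though the distribution build has the relevant patches.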