Bug 777499 - VUL-0: CVE-2012-4681: java-1_7_0-openjdk: remote exploit
VUL-0: CVE-2012-4681: java-1_7_0-openjdk: remote exploit
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P1 - Urgent : Critical
: ---
Assigned To: Security Team bot
Security Team bot
http://blog.fuseyism.com/index.php/20...
maint:released:sle11-sp2:49041
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-27 15:38 UTC by Marcus Meissner
Modified: 2015-03-19 12:26 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Swamp Workflow Management 2012-08-27 22:00:45 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2012-08-28 06:05:37 UTC
CVE-2012-3539

From: David Jorm <djorm@redhat.com>
Subject: [oss-security] CVE Request: Java 7 code execution 0day

Hi All

A 0-day flaw exploited in the wild has been reported to affect Java 7:

http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html
http://pastie.org/4594319

This issue was confirmed to allow unsigned applet to bypass Java applet restrictions and run arbitrary code on users' systems. A lot of public information is now available for this flaw:

http://www.h-online.com/security/news/item/Warning-on-critical-Java-hole-1676219.html
http://www.deependresearch.org/2012/08/java-7-0-day-vulnerability-information.html
https://community.rapid7.com/community/metasploit/blog/2012/08/27/lets-start-the-week-with-a-new-java-0day
https://github.com/rapid7/metasploit-framework/commit/52ca1083c22de7022baf7dca8a1756909f803341

This flaw does not have a CVE ID assigned. I contacted Oracle asking if they have assigned one, but got no response. Can someone please assign a CVE ID to this flaw?

Thanks
-- 
David Jorm / Red Hat Security Response Team
Comment 3 Marcus Meissner 2012-08-28 06:06:49 UTC
actually incorrect CVE, Mitre assigned:

CVE-2012-4681

Oracle Java 7 Update 6, and possibly other versions, allows remote
attackers to execute arbitrary code via a crafted applet, as exploited
in the wild in August 2012 using Gondzz.class and Gondvv.class.
Comment 4 Marcus Meissner 2012-08-29 08:58:17 UTC
with:
 icedtea-web-1.2.1-10.1.x86_64
 java-1_6_0-openjdk-1.6.0.0_b24.1.11.3-9.1.x86_64


http://isjavaexploitable.com/

reports:

WARNING: Your Java version is exploitable! Java Version 6 Update 50 detected. To secure this system you should disable the browser plugin or uninstall Java.


(I am unsure of the detection method, if it does version compares or actual exploit testing.)

If we are exploitable we should kill the icedtea-web plugin and the old java-1_6_0-sun-plugins asap via online update.
Comment 5 Michal Vyskocil 2012-08-29 13:54:10 UTC
(In reply to comment #4)
> am unsure of the detection method, if it does version compares or actual
> exploit testing.)
> 

It does the version compare - I have never heard that openjdk6 is affected. 

BTW: Mark Wielaard from RedHat posted a fix upstream

http://thread.gmane.org/gmane.comp.java.openjdk.beans.devel/34
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020065.html
Comment 6 Sebastian Krahmer 2012-08-29 14:36:35 UTC
Via OSS-sec:


According to the
  http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020065.html
OpenJDK <= 7u4-b31 is also affected.
--
Eygene
Comment 7 Michal Vyskocil 2012-08-30 06:56:55 UTC
I am working on the icedtea 2.3.1 update
Comment 8 Marcus Meissner 2012-08-30 07:35:39 UTC
(also list in comment for indexing)
http://blog.fuseyism.com/index.php/2012/08/30/security-icedtea-2-3-1-released/
Comment 9 Michal Vyskocil 2012-08-31 11:16:15 UTC
So, I've submitted revision 29 to Java:openjdk6:Factory with 2.3.1, however I made a lot of changes in a specfile because of icedtea tarball usage, thus I am not sure if it will built or not :(

In adition I made file permissions explicit in file list - there were things like files with 0664 mode, so until now all files are 0644 by default and few libraries and binaries are marked with %attr(755).

The last, but not least, change is sane versioned scheme - as this version comforms to JDK7 u6, rpm version is 1.7.0.6.
Comment 10 Matthias Weckbecker 2012-09-01 07:12:50 UTC
Just to note: there is an additional bunch of other CVEs:

- CVE-2012-1682
- CVE-2012-3136
- CVE-2012-0547

http://oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
Comment 11 Michael Skiba 2012-09-02 10:31:57 UTC
Today Sebastian Siebert posted a testcase on the ML opensuse-de. You can reach the site here: http://www.sebastian-siebert.de/downloads/Gondvv.html

Seems like the current openJDK + IcedTea 1.2.1 is not affected, but you might want to verify that for yourself (/with plain openSUSE repos)

I also took the liberty to decompile his java class to verify what's going on before exposing myself (feel free to wget/decompile the script yourself) or take a look at my paste:
http://paste.opensuse.org/685a1c56
Comment 12 Michal Vyskocil 2012-09-03 09:29:21 UTC
http://blog.fuseyism.com/index.php/2012/08/31/security-icedtea6-1-10-9-1-11-4-icedtea-2-3-2-released/

That means 

for openjdk7 - we have to resping to 2.3.2 (12.2+)
for openjdk6 - we have to update to 1.11.4 (sle11, 11.4+)

@security team - do you want to track it in this bnc?
Comment 13 Marcus Meissner 2012-09-03 09:47:13 UTC
yes, use this bug. should we write icedtea-web in the summary instead? ;)

this also affects SLE, right?
Comment 14 Michal Vyskocil 2012-09-03 11:13:39 UTC
(In reply to comment #13)
> yes, use this bug. should we write icedtea-web in the summary instead? ;)

All bugs and the fixes belongs to openjdk, not to the icedtea-web (the plugin/java webstart is the most common attack vector, but bug is in JRE).

> 
> this also affects SLE, right?

Yes, there are following fixes

openjdk6 (sle11, 11.4, 12.1)
S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
S7163201, CVE-2012-0547: Simplify toolkit internals references

openjdk7 (12.2, factory)
S7162476, CVE-2012-1682: XMLDecoder security issue via ClassFinder
S7163201, CVE-2012-0547: Simplify toolkit internals references
S7194567, CVE-2012-3136: Improve long term persistence of java.beans objects

... and the remote zero-day beast fixed by icedtea-2.3.1 (openjdk7)
RH852051, CVE-2012-4681, S7162473: Reintroduce PackageAccessible checks removed in 6788531.
Comment 15 Michal Vyskocil 2012-09-03 11:57:16 UTC
revision 30 in Java:openjdk6:Factory/java-1_7_0-openjdk contains 2.3.2 - waiting for build
Comment 16 Michal Vyskocil 2012-09-03 13:59:29 UTC
openjdk6:

 sle11: 21614
 11.4:  132408
 12.1:  132410

openjdk7: WIP
Comment 19 Michal Vyskocil 2012-09-06 09:35:19 UTC
got some zero fixes from @Dirk - thanks!

factory: 132912
12.2:    132913
Comment 20 Michal Vyskocil 2012-09-06 09:36:07 UTC
 * forgot to reassign to security-team *
Comment 21 Bernhard Wiedemann 2012-09-06 10:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (777499) was mentioned in
https://build.opensuse.org/request/show/132912 Factory / java-1_7_0-openjdk
Comment 22 Bernhard Wiedemann 2012-09-06 13:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (777499) was mentioned in
https://build.opensuse.org/request/show/132956 Factory / java-1_7_0-openjdk
Comment 23 Bernhard Wiedemann 2012-09-10 14:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (777499) was mentioned in
https://build.opensuse.org/request/show/133509 Factory / java-1_7_0-openjdk
Comment 24 Swamp Workflow Management 2012-09-12 00:10:56 UTC
Update released for: java-1_6_0-openjdk, java-1_6_0-openjdk-debuginfo, java-1_6_0-openjdk-debugsource, java-1_6_0-openjdk-demo, java-1_6_0-openjdk-devel, java-1_6_0-openjdk-javadoc, java-1_6_0-openjdk-plugin, java-1_6_0-openjdk-src
Products:
SLE-DEBUGINFO 11-SP2 (i386, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
Comment 25 Swamp Workflow Management 2012-09-12 17:08:57 UTC
openSUSE-SU-2012:1154-1: An update that fixes four vulnerabilities is now available.

Category: security (critical)
Bug References: 770040,777499
CVE References: CVE-2012-0547,CVE-2012-1682,CVE-2012-3136,CVE-2012-4681
Sources used:
openSUSE 12.2 (src):    java-1_7_0-openjdk-1.7.0.6-3.12.1
Comment 26 Marcus Meissner 2012-09-14 12:01:12 UTC
OpenJDK: done, for SLE and for openSUSE.

IBM Java: affected, but will be tracked in a seperate IBM Java bug.


Oracle/Sun Java: affected, but we do not ship it or support it anymore.
Comment 27 Swamp Workflow Management 2012-09-14 12:14:01 UTC
openSUSE-SU-2012:1175-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 777499
CVE References: CVE-2012-0547,CVE-2012-1682
Sources used:
openSUSE 12.1 (src):    java-1_6_0-openjdk-1.6.0.0_b24.1.11.4-12.1
openSUSE 11.4 (src):    java-1_6_0-openjdk-1.6.0.0_b24.1.11.4-0.17.1
Comment 28 Bernhard Wiedemann 2012-09-20 09:00:46 UTC
This is an autogenerated message for OBS integration:
This bug (777499) was mentioned in
https://build.opensuse.org/request/show/135110 Evergreen:11.2 / java-1_6_0-openjdk
Comment 29 Bernhard Wiedemann 2012-09-21 12:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (777499) was mentioned in
https://build.opensuse.org/request/show/135243 Evergreen:11.2 / java-1_6_0-openjdk