icedtea-web-1.7.1-2.0.1.el7.AXS7
Errata ID: AXSA:2019-3964:01
The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies.
Security Fix(es):
* icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182)
* icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185)
* icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2019-10181
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-10182
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2019-10185
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Update packages.
It was found that in icedtea-web up to and including 1.7.2 and 1.8.2 executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.
It was found that icedtea-web through 1.7.2 and 1.8.2 did not properly sanitize paths from
It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.
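The zip-slip defect described above is closed by validating every archive entry name and the resolved target path before writing. The following is an added example written for this advisory, not IcedTea-Web's own code, in Python rather than Java; the constructed sample archive, the function names and the `../../outside.txt` entry are assumptions.

```python
import io
import os
import posixpath
import tempfile
import zipfile

def is_safe_entry(name: str) -> bool:
    """Reject archive entry names that could escape the extraction directory."""
    # Absolute paths and Windows drive letters are never acceptable.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    # Normalize with POSIX rules, treating backslashes as separators too.
    norm = posixpath.normpath(name.replace("\\", "/"))
    return not (norm == ".." or norm.startswith("../"))

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract an in-memory JAR under dest_dir; return the names of rejected entries."""
    dest_real = os.path.realpath(dest_dir)
    rejected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename.replace("\\", "/")))
            # Two independent checks: the raw name, and where the resolved target actually lands.
            if not is_safe_entry(info.filename) or os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return rejected

def build_sample_jar() -> bytes:
    # Constructed sample: a manifest, one class file and one zip-slip entry (not a real JAR).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        zf.writestr("../../outside.txt", "would land outside the extraction directory\n")
    return buf.getvalue()

def demo() -> dict:
    # Run the hardened extractor on the sample archive in a fresh temporary directory.
    dest = tempfile.mkdtemp()
    rejected = safe_extract(build_sample_jar(), dest)
    escaped = os.path.join(os.path.dirname(os.path.dirname(dest)), "outside.txt")
    return {"rejected": rejected, "escaped": os.path.exists(escaped),
            "class_extracted": os.path.isfile(os.path.join(dest, "com", "example", "App.class"))}
```

Checking both the normalized entry name and the resolved target matters because either check alone can be bypassed by symlinked directories or by separator tricks the other does not see.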
N/A
SRPMS
- icedtea-web-1.7.1-2.0.1.el7.AXS7.src.rpm
MD5: 3683b69577438f8c18dea41aa7e2de86
SHA-256: 6f3ffd70d0111e40a29d3d8989b407b4e2c5d441255a8c68086dd82a9246098f
Size: 2.29 MB
Asianux Server 7 for x86_64
- icedtea-web-1.7.1-2.0.1.el7.AXS7.x86_64.rpm
MD5: 419cddc81bf7204f4aa72a0d67eada55
SHA-256: b03945f17199fa260aff684ee023af1066693d261bafc05c1b8034a2fbe344ff
Size: 1.74 MB