java-1.7.0-openjdk-1.7.0.5-2.2.1.AXS4
Errata ID: AXSA:2012-909:02
Release date:
2012/09/17 Monday - 14:31
Title:
java-1.7.0-openjdk-1.7.0.5-2.2.1.AXS4
Affected channels:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- The Java Runtime Environment (JRE) in Oracle Java SE has a flaw in AWT-related processing that allows other vulnerabilities to be exploited via AWT. (CVE-2012-0547)
- An unspecified vulnerability exists in the Java Runtime Environment component of Oracle Java; through factors related to Beans, a remote attacker can affect confidentiality, integrity and availability.
Note that CVE-2012-1682 and CVE-2012-3136 are distinct vulnerabilities. (CVE-2012-1682, CVE-2012-3136)
- Multiple vulnerabilities exist in the Java Runtime Environment component of Oracle Java; a crafted applet that bypasses SecurityManager restrictions allows a remote attacker to execute arbitrary code. (CVE-2012-4681)
Some of the CVE descriptions are translations quoted from JVN.
http://jvndb.jvn.jp
Solution:
Update the package.
CVE:
CVE-2012-0547
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited." NOTE: this identifier was assigned by the Oracle CNA, but CVE is not intended to cover defense-in-depth issues that are only exposed by the presence of other vulnerabilities. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "toolkit internals references."
CVE-2012-1682
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-3136. NOTE: Oracle has not commented on claims from a downstream vendor that this issue is related to "XMLDecoder security issue via ClassFinder."
CVE-2012-3136
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans, a different vulnerability than CVE-2012-1682.
CVE-2012-4681
Multiple vulnerabilities in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier allow remote attackers to execute arbitrary code via a crafted applet that bypasses SecurityManager restrictions by (1) using com.sun.beans.finder.ClassFinder.findClass and leveraging an exception with the forName method to access restricted classes from arbitrary packages such as sun.awt.SunToolkit, then (2) using "reflection with a trusted immediate caller" to leverage the getField method to access and modify private fields, as exploited in the wild in August 2012 using Gondzz.class and Gondvv.class.
Additional information:
N/A
Download:
SRPMS
- java-1.7.0-openjdk-1.7.0.5-2.2.1.AXS4.3.src.rpm
MD5: a2b6e301f54174e14bfd8829bc9cf529
SHA-256: fc6bfef75647d62638689332b87affd73d057970e8d9fafba03bf3f801862d2e
Size: 66.47 MB
Asianux Server 4 for x86
- java-1.7.0-openjdk-1.7.0.5-2.2.1.AXS4.3.i686.rpm
MD5: d42e35bad51e050203e91c7081c606cc
SHA-256: 6150247675960026026878fb0e8b4eca1471093e95291b65a27c89a416607b26
Size: 26.73 MB
Asianux Server 4 for x86_64
- java-1.7.0-openjdk-1.7.0.5-2.2.1.AXS4.3.x86_64.rpm
MD5: 08c8c6f57c73e25dcf30cbe04e17a165
SHA-256: f6dd007d822d585e24b674ce1ef32ad6b5dff3f69cb574c80c66e84677f94882
Size: 25.54 MB
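The advisory publishes SHA-256 digests for each package so that a downloaded RPM can be checked before it is installed. The script below is an added example, not part of the Asianux errata or its tooling: it verifies a file against a published digest and runs that check over the three package files listed above, using only the digests printed in this advisory. It assumes coreutils sha256sum is available (with shasum -a 256 as a fallback) and that the RPMs, if downloaded, sit in the current directory.

```shell
#!/bin/sh
# Added example, not part of the Asianux errata: check RPMs downloaded from this
# advisory against the published SHA-256 digests before installing them.
# Assumes coreutils sha256sum (falls back to shasum -a 256 where it is absent).

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE exists and its digest equals EXPECTED_HEX (case-insensitive),
# 1 otherwise. A missing file is a failure, not a skip.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
        return 0
    fi
    echo "FAIL    $file (expected $expected, got $actual)" >&2
    return 1
}

# Digests copied from the advisory's download section, as "file:sha256" pairs.
# Packages not present in the current directory are skipped, so the check also
# works on a host that downloaded only the RPM for its own architecture.
verify_advisory_downloads() {
    rc=0
    for entry in \
        "java-1.7.0-openjdk-1.7.0.5-2.2.1.AXS4.3.src.rpm:fc6bfef75647d62638689332b87affd73d057970e8d9fafba03bf3f801862d2e" \
        "java-1.7.0-openjdk-1.7.0.5-2.2.1.AXS4.3.i686.rpm:6150247675960026026878fb0e8b4eca1471093e95291b65a27c89a416607b26" \
        "java-1.7.0-openjdk-1.7.0.5-2.2.1.AXS4.3.x86_64.rpm:f6dd007d822d585e24b674ce1ef32ad6b5dff3f69cb574c80c66e84677f94882"
    do
        pkg=${entry%%:*}
        digest=${entry#*:}
        [ -f "$pkg" ] || continue
        verify_sha256 "$pkg" "$digest" || rc=1
    done
    return $rc
}

# Exit status 1 if any downloaded package fails its digest check.
verify_advisory_downloads
```

A digest match confirms the download is the file the advisory describes; it is not a substitute for the package signature, which rpm checks with rpm -K (rpm --checksig) against the vendor key already in the RPM database. After updating, rpm -q java-1.7.0-openjdk shows the installed version so the host can be confirmed at 1.7.0.5-2.2.1.AXS4.3.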