java-1.7.0-openjdk-1.7.0.9-2.3.7.1.AXS4

エラータID: AXSA:2013-98:02

リリース日:

2013/03/01 Friday - 18:46

題名:

影響のあるチャネル:

Asianux Server 4 for x86

Asianux Server 4 for x86_64

Severity:

High

Description:

以下項目について対処しました。

[Security Fix]
- Oracle の Java Runtime Environment (JRE) コンポーネントには，RMI に関連する要因によって，リモートの攻撃者が整合性に影響を与える脆弱性があります。(CVE-2013-0424)

- Oracle の Java Runtime Environment (JRE) コンポーネントには，ライブラリに関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。
なおこの脆弱性は CVE-2013-0428，CVE-2013-0426 とは異なる脆弱性です。(CVE-2013-0425)

-Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，ライブラリに関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。
なおこの脆弱性は CVE-2013-0425，CVE-2013-0428 とは異なる脆弱性です。(CVE-2013-0426)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，ライブラリに関連する要因によって，リモートの攻撃者が整合性に影響を与える脆弱性があります。(CVE-2013-0427)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，ライブラリに関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。
なおこの脆弱性は CVE-2013-0425，CVE-2013-0426 とは異なる脆弱性です。(CVE-2013-0428)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，CORBA に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。(CVE-2013-0429)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，AWT に関連する要因によって，リモートの攻撃者が機密性と整合性に影響を与える脆弱性があります。(CVE-2013-0432)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，ネットワーキングに関連する要因によって，リモートの攻撃者が整合性に影響を与える脆弱性があります。(CVE-2013-0433)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，JAXP に関連する要因によって，リモートの攻撃者が機密性に影響を与える脆弱性があります。(CVE-2013-0434)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，JAX-WS に関連する要因によって，リモートの攻撃者が機密性に影響を与える脆弱性があります。(CVE-2013-0435)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，JSSE に関連する要因によって，リモートの攻撃者が可用性に影響を与える脆弱性があります。(CVE-2013-0440)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，CORBA に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。
なおこの脆弱性は CVE-2013-1476，CVE-2013-1475 とは異なる脆弱性です。(CVE-2013-0441)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し， AWT に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。(CVE-2013-0442)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，JSSE に関連する要因によって，リモートの攻撃者が機密性，整合性に影響を与える脆弱性があります。(CVE-2013-0443)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，Beans に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。(CVE-2013-0444)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，JMX に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。(CVE-2013-0450)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，CORBA に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。(CVE-2013-1475)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，CORBA に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。
なおこの脆弱性は CVE-2013-0441，CVE-2013-1475 とは異なる脆弱性となります。
(CVE-2013-1476)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，2D に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。
(CVE-2013-1478)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，AWT に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。(CVE-2013-1480)

- OpenSSL, OpenJDK, PolarSSL や他の製品で使用されている TLS プロトコル，DTLS プロトコルは不正な CBC パディングの処理の間，MAC チェック要求でのサイドチャネル攻撃のタイミングを適切に考慮しておらず，巧妙に細工されたパケットのタイミングデータの統計的分析によって，リモートの攻撃者が distinguishing 攻撃と平文回復攻撃 (plaintext-recovery attack) を行う脆弱性があります。
(CVE-2013-0169)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，ライブラリに関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。(CVE-2013-1484)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，ライブラリに関連する要因によって，リモートの攻撃者が整合性に影響を与える脆弱性があります。(CVE-2013-1485)

- Oracle の Java Runtime Environment (JRE) コンポーネントには詳細不明の脆弱性が存在し，JMX に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える脆弱性があります。(CVE-2013-1486)

一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/

解決策:

パッケージをアップデートしてください。

CVE:

CVE-2013-0424
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via vectors related to RMI. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to cross-site scripting (XSS) in the sun.rmi.transport.proxy CGIHandler class that does not properly handle error messages in a (1) command or (2) port number.

CVE-2013-0425
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0428 and CVE-2013-0426. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect "access control checks" in the logging API that allow remote attackers to bypass Java sandbox restrictions.

CVE-2013-0426
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0428. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect "access control checks" in the logging API that allow remote attackers to bypass Java sandbox restrictions.

CVE-2013-0427
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect integrity via unknown vectors related to Libraries. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to interrupt certain threads that should not be interrupted.

CVE-2013-0428
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries, a different vulnerability than CVE-2013-0425 and CVE-2013-0426. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "incorrect checks for proxy classes" in the Reflection API.

CVE-2013-0429
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue involves the creation of a single PresentationManager that is shared across multiple thread groups, which allows remote attackers to bypass Java sandbox restrictions.

CVE-2013-0431
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.

CVE-2013-0432
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality and integrity via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient clipboard access premission checks."

CVE-2013-0433
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect integrity via unknown vectors related to Networking. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to avoid triggering an exception during the deserialization of invalid InetSocketAddress data.

CVE-2013-0434
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality via vectors related to JAXP. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to the public declaration of the loadPropertyFile method in the JAXP FuncSystemProperty class, which allows remote attackers to obtain sensitive information.

CVE-2013-0435
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 and 6 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality via vectors related to JAX-WS. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper restriction of com.sun.xml.internal packages and "Better handling of UI elements."

CVE-2013-0440
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 7, allows remote attackers to affect availability via vectors related to JSSE. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to CPU consumption in the SSL/TLS implementation via a large number of ClientHello packets that are not properly handled by (1) ClientHandshaker.java and (2) ServerHandshaker.java.

CVE-2013-0441
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2013-1476 and CVE-2013-1475. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass Java sandbox restrictions via certain methods that should not be serialized, aka "missing serialization restriction."

CVE-2013-0442
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to an improper check of "privileges of the code" that bypasses the sandbox.

CVE-2013-0443
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect validation of Diffie-Hellman keys, which allows remote attackers to conduct a "small subgroup attack" to force the use of weak session keys or obtain sensitive information about the private key.

CVE-2013-0444
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "insufficient checks for cached results" by the Java Beans MethodFinder, which might allow attackers to access methods that should only be accessible to privileged code.

CVE-2013-0445
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to an improper check of "privileges of the code" that bypasses the sandbox.

CVE-2013-0450
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, and 5.0 through Update 38, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper checks of "access control context" in the JMX RequiredModelMBean class.

CVE-2013-1475
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "IIOP type reuse management" in ObjectStreamClass.java.

CVE-2013-1476
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11, 6 through Update 38, 5.0 through Update 38, and 1.4.2_40 and earlier, and OpenJDK 6 and 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2013-0441 and CVE-2013-1475. NOTE: the previous information is from the February 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass Java sandbox restrictions via "certain value handler constructors."

追加情報:

ダウンロード:

SRPMS

java-1.7.0-openjdk-1.7.0.9-2.3.7.1.AXS4.src.rpm
MD5: 0dfda5d0ac2edcb63655787b835103a8
SHA-256: 9fa93b271486b00f9a3a45e5bb842f1fedc6b7f03706ddcdf5f63a44ea49cc22
Size: 65.02 MB

Asianux Server 4 for x86

java-1.7.0-openjdk-1.7.0.9-2.3.7.1.AXS4.i686.rpm
MD5: ab6efd4f64aa5dd8a72ae09dc10c40e5
SHA-256: 68d1d07e71554605180671d414b04717f6aceff3c67f7bc527fba1ed29a7b98f
Size: 26.72 MB

Asianux Server 4 for x86_64

java-1.7.0-openjdk-1.7.0.9-2.3.7.1.AXS4.x86_64.rpm
MD5: 6a0b8459d465dce8861cb843eeff2a98
SHA-256: 8fe686f291d9edf4bb08a7d77ffcbb9bec35ec9d12e43306d77eb89969f77f6a
Size: 25.53 MB

Main menu

You are here

java-1.7.0-openjdk-1.7.0.9-2.3.7.1.AXS4