java-1.7.0-openjdk-1.7.0.25-2.3.10.3.AXS4

エラータID: AXSA:2013-486:05

リリース日:

2013/06/21 Friday - 14:42

題名:

影響のあるチャネル:

Asianux Server 4 for x86_64

Asianux Server 4 for x86

Severity:

High

Description:

以下項目について対処しました。

[Security Fix]
- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには 2D に関連する要因によって，ローカルのユーザが機密性と整合性に影響を与える詳細不明な脆弱性があります。
(CVE-2013-1500)

- Oracle Java SE の Javadoc コンポーネントには，Javadoc に関連する要因によって，リモートの攻撃者が整合性に影響を与える詳細不明な脆弱性があります。(CVE-2013-1571)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，ライブラリに関連する要因によって，リモートの攻撃者が機密性と可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2407)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，Serviceability に関連する要因によって，リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2412)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，ライブラリに関連する要因によって，リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。
なお，これらの脆弱性はそれぞれ異なる脆弱性です。(CVE-2013-2443, CVE-2013-2452, CVE-2013-2455)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，AWT に関連する要因によって，リモートの攻撃者が可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2444)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，Hotspot に関連する要因によって，リモートの攻撃者が可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2445)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，CORBA に関連する要因によって，リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2446)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，ネットワーキングに関連する要因によって，リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2447)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，サウンドに関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2448)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，ライブラリに関連する要因によって，リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2449)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，Serialization に関連する要因によって，リモートの攻撃者が可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2450)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，JMX に関連する要因によって，リモートの攻撃者が整合性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2453)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，JDBC に関連する要因によって，リモートの攻撃者が機密性と整合性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2454)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，Serialization に関連する要因によって，リモートの攻撃者が機密性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2456)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，JMX に関連する要因によって，リモートの攻撃者が整合性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2457)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，ライブラリに関連する要因によって，リモートの攻撃者が機密性と整合性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2458)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，AWT に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2459)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，Serviceability に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2460)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，ライブラリに関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える詳細不明な脆弱性があります。(CVE-2013-2461)

- Oracle Java SE の Java Runtime Environment (JRE) コンポーネントには，2D に関連する要因によって，リモートの攻撃者が機密性，整合性，可用性に影響を与える詳細不明な脆弱性があります。
なお，これらの脆弱性はそれぞれ異なる脆弱性です。 (CVE-2013-2463 , CVE-2013-2465, CVE-2013-2469, CVE-2013-2470, CVE-2013-2471, CVE-2013-2472, CVE-2013-2473)

一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/

解決策:

パッケージをアップデートしてください。

CVE:

CVE-2013-1500
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows local users to affect confidentiality and integrity via unknown vectors related to 2D. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to weak permissions for shared memory.

CVE-2013-1571
Unspecified vulnerability in the Javadoc component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Javadoc. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to frame injection in HTML that is generated by Javadoc.

CVE-2013-2407
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and availability via unknown vectors related to Libraries. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "XML security and the class loader."

CVE-2013-2412
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Serviceability. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to insufficient indication of an SSL connection failure by JConsole, related to RMI connection dialog box.

CVE-2013-2443
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2452 and CVE-2013-2455. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is due to an incorrect "checking order" within the AccessControlContext class.

CVE-2013-2444
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect availability via vectors related to AWT. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue does not "properly manage and restrict certain resources related to the processing of fonts," possibly involving temporary files.

CVE-2013-2445
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect availability via unknown vectors related to Hotspot. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "handling of memory allocation errors."

CVE-2013-2446
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via vectors related to CORBA. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue does not properly enforce access restrictions for CORBA output streams.

CVE-2013-2447
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Networking. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to obtain a socket's local address via vectors involving inconsistencies between Socket.getLocalAddress and InetAddress.getLocalHost.

CVE-2013-2448
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to insufficient "access restrictions" and "robustness of sound classes."

CVE-2013-2449
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to GnomeFileTypeDetector and a missing check for read permissions for a path.

CVE-2013-2450
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect availability via unknown vectors related to Serialization. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper handling of circular references in ObjectStreamClass.

CVE-2013-2452
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2443 and CVE-2013-2455. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to "network address handling in virtual machine identifiers" and the lack of "unique and unpredictable IDs" in the java.rmi.dgc.VMID class.

CVE-2013-2453
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier and 6 Update 45 and earlier allows remote attackers to affect integrity via vectors related to JMX. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is due to a missing check for "package access" by the MBeanServer Introspector.

CVE-2013-2454
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and integrity via vectors related to JDBC. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue does not properly restrict access to certain class packages in the SerialJavaObject class, which allows remote attackers to bypass the Java sandbox.

CVE-2013-2455
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Libraries, a different vulnerability than CVE-2013-2443 and CVE-2013-2452. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to incorrect access checks by the (1) getEnclosingClass, (2) getEnclosingMethod, and (3) getEnclosingConstructor methods.

CVE-2013-2456
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality via unknown vectors related to Serialization. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to improper access checks for subclasses in the ObjectOutputStream class.

CVE-2013-2457
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect integrity via vectors related to JMX. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is due to an incorrect implementation of "certain class checks" that allows remote attackers to bypass intended class restrictions.

CVE-2013-2458
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via "an error related to method handles."

CVE-2013-2459
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier, and OpenJDK 7, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to AWT. NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue allows remote attackers to bypass the Java sandbox via vectors related to "integer overflow checks."

追加情報:

ダウンロード:

SRPMS

java-1.7.0-openjdk-1.7.0.25-2.3.10.3.AXS4.src.rpm
MD5: e20d12a5e574686bdb5d8c362bef3524
SHA-256: 88e4c5feeee2a5fc0736a09fc27b8da049332188715812e5dfc7b2ddaf98a1d8
Size: 65.13 MB

Asianux Server 4 for x86

java-1.7.0-openjdk-1.7.0.25-2.3.10.3.AXS4.i686.rpm
MD5: 4c7480db651d753c795ff61e502b2aa6
SHA-256: 57645ae0dcf1c9e6b9acac7a0e1c9b385b39e6af5d07816d2c72a9bd657f80df
Size: 26.76 MB
java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.AXS4.i686.rpm
MD5: 0b37f2c0846d0f137f9654f1103f1cc2
SHA-256: edbecbc0c1dd06ce9554a95db5924c20fe59f586f534ae137c5c7cfe5017fbf8
Size: 9.38 MB

Asianux Server 4 for x86_64

java-1.7.0-openjdk-1.7.0.25-2.3.10.3.AXS4.x86_64.rpm
MD5: 71962ff9da45a7b9e596547a4c680d79
SHA-256: 4480deab8a0670011515fca8532499431db3570d5a81b75552d87b4424635290
Size: 25.58 MB
java-1.7.0-openjdk-devel-1.7.0.25-2.3.10.3.AXS4.x86_64.rpm
MD5: 604c8f3a4e8c0f90e86ae7dcdb16b6d8
SHA-256: 3b8493c356444262e2511927c6b7698ef4b531f52724bc9d94c43f19e5657ade
Size: 9.38 MB

Main menu

You are here

java-1.7.0-openjdk-1.7.0.25-2.3.10.3.AXS4