Bug 1189145 (CVE-2014-8892)

Summary: CVE-2014-8892 IBM JDK: unspecified partial Java sandbox bypass fixed in Feb 2015 update
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dbhole, jvanek
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-06-04 12:46:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1179762    

Description Tomas Hoger 2015-02-04 14:52:17 UTC 
IBM JDK updates 7R1 SR2-FP10, 7 SR8-FP10, 6R1 SR8-FP3, 6 SR16-FP3 and 5.0 SR16-FP9 correct an unspecified vulnerability identified using CVE-2014-8892.  Upstream has rated this issue with CVSSv2 score of 4.3 (no vector provided).

http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_February_2015

Further details of the issue should be made available via the following link:

http://www.ibm.com/support/docview.wss?uid=swg21695747
Comment 1 Tomas Hoger 2015-02-05 10:24:23 UTC 
The above URL still does not work, but the security bulletin is now available via the following URL:

https://www-304.ibm.com/support/docview.wss?uid=swg21695474

It provides the following information for this issue:

  A vulnerability in the IBM implementation of the Java Virtual Machine may,
  under very limited circumstances, allow untrusted code running under a
  security manager to bypass permission checks and view sensitive information.

  http://xforce.iss.net/xforce/xfdb/99011

There's currently only a blank page served on the xforce URL.
Comment 2 errata-xmlrpc 2015-02-05 19:30:51 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:0136 https://rhn.redhat.com/errata/RHSA-2015-0136.html
Comment 3 errata-xmlrpc 2015-02-05 19:36:34 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:0135 https://rhn.redhat.com/errata/RHSA-2015-0135.html
Comment 4 errata-xmlrpc 2015-02-05 19:37:12 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:0134 https://rhn.redhat.com/errata/RHSA-2015-0134.html
Comment 5 errata-xmlrpc 2015-02-05 19:37:27 UTC 
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:0133 https://rhn.redhat.com/errata/RHSA-2015-0133.html
Comment 6 errata-xmlrpc 2015-02-24 13:21:19 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.7

Via RHSA-2015:0263 https://rhn.redhat.com/errata/RHSA-2015-0263.html
Comment 7 errata-xmlrpc 2015-02-24 13:46:23 UTC 
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.6

Via RHSA-2015:0264 https://rhn.redhat.com/errata/RHSA-2015-0264.html