Bug 1324044 (CVE-2016-0363)
| Summary: | CVE-2016-0363 IBM JDK: insecure use of invoke method in CORBA component, incorrect CVE-2013-3009 fix | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | urgent | Docs Contact: | |
| Priority: | urgent | ||
| Version: | unspecified | CC: | dbhole, jvanek |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-05-11 15:54:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1324048, 1324915 | ||
|
Description
Andrej Nemec
2016-04-05 12:14:15 UTC
Issue 67 was previously tracked via bug 985501. However, as noted in bug 985501 comment 2, there is no public information allowing to map between Security Explorations' issue numbers and CVE ids mentioned in the bug report. (In reply to Tomas Hoger from comment #1) > Issue 67 was previously tracked via bug 985501. However, as noted in bug > 985501 comment 2, there is no public information allowing to map between > Security Explorations' issue numbers and CVE ids mentioned in the bug report. The original reporter indicated that the CVE-2013-3009 was assigned to the Issue 67: http://seclists.org/fulldisclosure/2016/Apr/20 This issue is listed as fixed in IBM JDK 6 SR16-FP25, 7 SR9-FP40, 7R1 SR3-FP40, and 8 SR3: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_April_2016 IBM flaw description: CVEID: CVE-2016-0363 DESCRIPTION: IBM SDK, Java Technology Edition contains a vulnerability in the IBM ORB implementation that may allow untrusted code running under a security manager to elevate its privileges. This vulnerability was originally reported as CVE-2013-3009. CVSS Base Score: 8.1 CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) http://www-01.ibm.com/support/docview.wss?uid=swg21980826 External Reference: http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_April_2016 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Red Hat Enterprise Linux 6 Supplementary Via RHSA-2016:0701 https://rhn.redhat.com/errata/RHSA-2016-0701.html This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Supplementary Via RHSA-2016:0702 https://rhn.redhat.com/errata/RHSA-2016-0702.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Red Hat Enterprise Linux 5 Supplementary Via RHSA-2016:0708 https://rhn.redhat.com/errata/RHSA-2016-0708.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Supplementary Via RHSA-2016:0716 https://rhn.redhat.com/errata/RHSA-2016-0716.html This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Supplementary Via RHSA-2016:1039 https://rhn.redhat.com/errata/RHSA-2016-1039.html This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2016:1430 https://access.redhat.com/errata/RHSA-2016:1430 This issue has been addressed in the following products: Red Hat Satellite 5.6 Red Hat Satellite 5.7 Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216 |