Bug 581237 (CVE-2010-0886, CVE-2010-0887, CVE-2010-1423)

Summary: CVE-2010-0886 CVE-2010-0887 Sun Java: Java Web Start arbitrary command line injection
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: ahughes, aph, dbhole, jpechane, mjc, mschoene, ptisnovs, tao, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://seclists.org/fulldisclosure/2010/Apr/119
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-11 21:37:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 616361, 616362, 616394
Bug Blocks:

Description Jan Lieskovsky 2010-04-11 10:22:07 UTC
Tavis Ormandy reported:
  [1] http://seclists.org/fulldisclosure/2010/Apr/119

a deficiency in the way Java Deployment Toolkit's Java Web Start sanitized the URLs of applications intended to be launched and installed via the Java Network Launching Protocol. A remote attacker could trick a local victim into visiting a specially crafted web page, potentially leading to execution of arbitrary Java code with the privileges of the user opening the page.

References:
  [2] http://www.reversemode.com/index.php?option=com_content&task=view&id=67&Itemid=1
  [3] http://bugs.gentoo.org/show_bug.cgi?id=314531

CVE Request:
  [4] http://www.openwall.com/lists/oss-security/2010/04/10/2

Comment 1 Andrew John Hughes 2010-04-11 22:47:09 UTC
Sun never open-sourced their plugin or Web Start code, so it is not part of the OpenJDK/IcedTea packages.

Comment 6 errata-xmlrpc 2010-04-19 21:20:28 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2010:0356 https://rhn.redhat.com/errata/RHSA-2010-0356.html

Comment 12 errata-xmlrpc 2010-07-21 14:25:03 UTC
This issue has been addressed in the following products:

  Extras for RHEL 4
  Extras for Red Hat Enterprise Linux 5

Via RHSA-2010:0549 https://rhn.redhat.com/errata/RHSA-2010-0549.html