Bug 853228 (CVE-2012-0547)

Summary: CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: ahughes, dbhole, jon.vanalten, jvanek, lkundrak, lwhatley, mark, mmatejov, omajid
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20120830,reported=20120830,source=oracle,cvss2=0/AV:N/AC:M/Au:N/C:N/I:N/A:N,rhel-5/java-1.6.0-openjdk=affected,rhel-6/java-1.6.0-openjdk=affected,rhel-5/java-1.7.0-openjdk=affected,rhel-6/java-1.7.0-openjdk=affected,rhel-5/java-1.6.0-sun=affected,rhel-6/java-1.6.0-sun=affected,rhel-5/java-1.7.0-oracle=affected,rhel-6/java-1.7.0-oracle=affected,rhel-5/java-1.5.0-ibm=notaffected,rhel-6/java-1.5.0-ibm=notaffected,rhel-5/java-1.6.0-ibm=affected,rhel-6/java-1.6.0-ibm=affected,rhel-5/java-1.7.0-ibm=affected,rhel-6/java-1.7.0-ibm=affected,fedora-all/java-1.6.0-openjdk=affected,fedora-all/java-1.7.0-openjdk=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-24 04:43:43 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 852299, 852300, 852301, 852302, 852303, 852304, 853114, 853116, 853345, 853346, 854890, 854891, 856471    
Bug Blocks: 852098    

Description Tomas Hoger 2012-08-30 15:37:45 EDT
Oracle Java SE 7 Update 7 and 6 Update 35 include a "security-in-depth" fix for the AWT component.  This fix changes the component to remove functionality that can be used in exploits trying to bypass Java sandbox restrictions, such as the 0day exploit published in August 2012 (see bug 852051), which took advantage of SunToolkit.getField method to modify object's private field.

References:
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html
http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html

External Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
Comment 1 Tomas Hoger 2012-08-31 02:51:17 EDT
Mitre description, pointing out that hardening fixes are not expected to have CVE assigned:

  Unspecified vulnerability in the Java Runtime Environment (JRE)
  component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34
  and earlier, has no impact and remote attack vectors involving AWT and
  "a security-in-depth issue that is not directly exploitable but which
  can be used to aggravate security vulnerabilities that can be directly
  exploited." NOTE: this identifier was assigned by the Oracle CNA, but
  CVE is not intended to cover defense-in-depth issues that are only
  exposed by the presence of other vulnerabilities.
Comment 3 Tomas Hoger 2012-08-31 03:34:21 EDT
Upstream fix, as applied in IcedTea 7 2.3 repositories:

http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/6df0f825c24e
Comment 4 Tomas Hoger 2012-08-31 05:55:28 EDT
OpenJDK7 repositories commit:

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/0c5704b02468
Comment 5 errata-xmlrpc 2012-09-03 08:41:15 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1221 https://rhn.redhat.com/errata/RHSA-2012-1221.html
Comment 6 errata-xmlrpc 2012-09-03 08:51:35 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1222 https://rhn.redhat.com/errata/RHSA-2012-1222.html
Comment 7 errata-xmlrpc 2012-09-03 09:01:59 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1223 https://rhn.redhat.com/errata/RHSA-2012-1223.html
Comment 9 errata-xmlrpc 2012-09-04 03:05:58 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1225 https://rhn.redhat.com/errata/RHSA-2012-1225.html
Comment 10 Lee Whatley 2012-09-14 11:27:04 EDT
I see that java-1.6.0-openjdk was updated for RHEL5 to address this.  Any plans to also update java-1.6.0-sun?
Comment 11 Tomas Hoger 2012-09-18 08:56:33 EDT
The primary reason to update java-1.6.0-openjdk packages was the CVE-2012-1682 (bug #853097) issues.  That issue did not affect Oracle Java SE 6, but it did affect OpenJDK 6.

As explained in the following Oracle blog post (also linked from comment #0):
  https://blogs.oracle.com/security/entry/security_alert_for_cve_20121

the CVE-2012-0547 was used to refer to a security-in-depth, or hardening, fix, that has no security impact by itself (it was rated as having CVSSv2 score of 0 by Oracle).  Hence we do not plan to release a security update with only this hardening fix as the next scheduled update fixing security issues is planned to be released in 4 weeks (Oct 16).
Comment 12 errata-xmlrpc 2012-09-18 18:53:24 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1289 https://rhn.redhat.com/errata/RHSA-2012-1289.html
Comment 13 Lee Whatley 2012-09-19 16:56:10 EDT
Thanks for the explanation!  I was unaware that there was a second CVE that affected only java-1.6.0-openjdk, and thought that the openjdk update was just for CVE-2012-0547.  Waiting for the October 16 update for java-1.6.0-sun seems reasonable.
Comment 14 errata-xmlrpc 2012-10-18 12:56:35 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1392 https://rhn.redhat.com/errata/RHSA-2012-1392.html
Comment 15 errata-xmlrpc 2012-11-15 16:17:27 EST
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2012:1466 https://rhn.redhat.com/errata/RHSA-2012-1466.html
Comment 16 errata-xmlrpc 2013-10-23 12:32:11 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.5

Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html
Comment 17 errata-xmlrpc 2013-10-23 13:06:12 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html