Bug 859155

Summary: JDK: browser plugin allows changing SecurityManager for all applets
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dbhole, jvanek, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-02-28 21:02:38 UTC
Bug Blocks: 856136

Description Tomas Hoger 2012-09-20 16:39:14 UTC
The Oracle and IBM Java SE browser plugin allows signed applets running with full privileges to replace the SecurityManager.  This change, however, is not limited to the current applet that performed the change, but also affects other applets.  An attacker able to make a victim run a signed applet that changes the SecurityManager (the attacker does not need to have control over what this applet does, they only need to find one that the victim is likely to run and that installs a more permissive SecurityManager) and later navigate the victim to a page that contains an unsigned attacker-controlled applet could possibly use this flaw to have their unsigned applet code run with additional privileges.

This issue did not affect the IcedTea-Web browser plugin, which does not allow applets to replace the SecurityManager:
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1094
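
The mechanism behind the report is that java.lang.System.setSecurityManager() replaces the manager for the whole JVM, so a manager installed by one applet governs every applet sharing that JVM instance.  The stand-alone program below is an added illustration of that property and is not code from the bug report, the plugin, or IcedTea-Web.  Its SandboxManager, PermissiveManager and the two "applet" methods are hypothetical stand-ins: SandboxManager models the plugin's default sandbox (default policy, plus leave to swap managers, which stands in for a signed applet's full privileges), and the file read models an action an unsigned applet should be denied.  The currentManager() helper is the check a practitioner would run to see whether the manager has been replaced.

```java
import java.io.File;
import java.security.Permission;

/**
 * Added demo (not from the bug report): shows that System.setSecurityManager()
 * is JVM-global, so a manager installed by "privileged applet" code also
 * governs "unsigned applet" code running in the same JVM.
 *
 * Runs as-is on JDK 8 to 17.  JDK 18 to 23 require
 * -Djava.security.manager=allow; JDK 24 and later have disabled the
 * SecurityManager entirely, so the demo cannot run there.
 */
public class SecurityManagerReplacementDemo {

    /**
     * Hypothetical stand-in for the plugin's sandbox.  It applies the default
     * policy via AccessController (so classpath code gets no FilePermission)
     * but allows swapping the manager, which here models a signed applet that
     * was granted full privileges.
     */
    static class SandboxManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission
                    && "setSecurityManager".equals(perm.getName())) {
                return;
            }
            super.checkPermission(perm); // default policy decides everything else
        }
    }

    /** What a careless signed applet might install: every check passes. */
    static class PermissiveManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // allow all
        }
    }

    /** Models an unsigned applet probing the filesystem. */
    static boolean unsignedAppletCanReadFile() {
        try {
            // File.canRead() calls SecurityManager.checkRead(), which maps to a
            // FilePermission check against whatever manager is installed now.
            new File("/etc/passwd").canRead();
            return true;
        } catch (SecurityException e) {
            return false;
        }
    }

    /** Models a signed, fully privileged applet replacing the manager. */
    static void signedAppletReplacesManager(SecurityManager replacement) {
        System.setSecurityManager(replacement);
    }

    /** Check: report which SecurityManager class currently governs the JVM. */
    static String currentManager() {
        SecurityManager sm = System.getSecurityManager();
        return sm == null ? "none" : sm.getClass().getName();
    }

    public static void main(String[] args) {
        // Instantiate the replacement before the sandbox is active so that
        // loading it is not itself subject to the sandbox.
        SecurityManager permissive = new PermissiveManager();

        System.setSecurityManager(new SandboxManager());
        System.out.println("manager=" + currentManager()
                + " unsignedCanReadFile=" + unsignedAppletCanReadFile());

        // Nothing in the unsigned code path changes; only the global manager does.
        signedAppletReplacesManager(permissive);

        System.out.println("manager=" + currentManager()
                + " unsignedCanReadFile=" + unsignedAppletCanReadFile());
    }
}
```

The second line of output shows the unsigned code path succeeding at the same read it was denied a moment earlier, without any change to that code: the only thing that moved is the process-wide manager.  A plugin that wants the fix described in this bug has to either refuse the setSecurityManager permission to applets (as IcedTea-Web does) or isolate applets so that one applet's manager cannot be observed by another.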

Comment 3 Tomas Hoger 2013-04-17 10:46:40 UTC
Oracle has classified this as a security-in-depth fix.  Java SE CPU April 2013 addresses this issue:

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html

Comment 4 Tomas Hoger 2014-02-28 21:02:38 UTC
The IBM JDK's plugin was also fixed in the updates for Java SE CPU April 2013.  Therefore, Oracle/Sun JDKs were fixed in 7u21 and 6u45, and IBM JDKs were fixed in 7 SR4-FP2 and 6 SR13-FP2.

Matching Red Hat Enterprise Linux errata are:

https://rhn.redhat.com/errata/RHSA-2013-0757.html
https://rhn.redhat.com/errata/RHSA-2013-0758.html
https://rhn.redhat.com/errata/RHSA-2013-0822.html
https://rhn.redhat.com/errata/RHSA-2013-0823.html