Bug 1051528 - (CVE-2014-0422) CVE-2014-0422 OpenJDK: insufficient package access checks in the Naming component (JNDI, 8025758)
CVE-2014-0422 OpenJDK: insufficient package access checks in the Naming compo...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
urgent Severity urgent
: ---
: ---
Assigned To: Red Hat Product Security
impact=critical,public=20140114,repor...
: Security
Depends On:
Blocks: 1049945
  Show dependency treegraph
 
Reported: 2014-01-10 09:23 EST by Tomas Hoger
Modified: 2014-07-29 11:41 EDT (History)
6 users (show)

See Also:
Fixed In Version: icedtea 2.4.4, icedtea 2.3.13, icedtea 1.12.8, icedtea 1.13.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-06 10:40:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2014-01-10 09:23:52 EST
It was discovered that the Naming / JNDI component of OpenJDK failed to implement required package access checks.  An untrusted Java application or applet could possibly use this flaw to bypass Java sandbox restrictions.
Comment 1 Tomas Hoger 2014-01-14 16:11:56 EST
Public now via Oracle CPU January 2014.  Fixed in Oracle JDK 7u51, 6u71 and 5.0u61.

External References:

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
Comment 2 errata-xmlrpc 2014-01-14 20:02:09 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2014:0027 https://rhn.redhat.com/errata/RHSA-2014-0027.html
Comment 3 errata-xmlrpc 2014-01-14 20:04:03 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0026 https://rhn.redhat.com/errata/RHSA-2014-0026.html
Comment 4 errata-xmlrpc 2014-01-15 14:17:55 EST
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0030 https://rhn.redhat.com/errata/RHSA-2014-0030.html
Comment 5 Tomas Hoger 2014-01-16 03:40:20 EST
OpenJDK7 upstream commit:

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/5c20ac773584

Related follow-up commit:

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/8ee582bb96a6
Comment 6 errata-xmlrpc 2014-01-27 14:56:09 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2014:0097 https://rhn.redhat.com/errata/RHSA-2014-0097.html
Comment 8 errata-xmlrpc 2014-02-04 14:36:54 EST
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0136 https://rhn.redhat.com/errata/RHSA-2014-0136.html
Comment 9 errata-xmlrpc 2014-02-04 14:37:53 EST
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0135 https://rhn.redhat.com/errata/RHSA-2014-0135.html
Comment 10 errata-xmlrpc 2014-02-04 14:41:57 EST
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2014:0134 https://rhn.redhat.com/errata/RHSA-2014-0134.html
Comment 11 errata-xmlrpc 2014-04-17 07:42:14 EDT
This issue has been addressed in following products:

  Oracle Java for Red Hat Enterprise Linux 6
  Oracle Java for Red Hat Enterprise Linux 5

Via RHSA-2014:0414 https://rhn.redhat.com/errata/RHSA-2014-0414.html
Comment 12 errata-xmlrpc 2014-06-10 09:12:45 EDT
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 7

Via RHSA-2014:0705 https://rhn.redhat.com/errata/RHSA-2014-0705.html
Comment 13 errata-xmlrpc 2014-07-29 11:41:19 EDT
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2014:0982 https://rhn.redhat.com/errata/RHSA-2014-0982.html

Note You need to log in before you can comment on or make changes to this bug.