Bug 1324044 (CVE-2016-0363) - CVE-2016-0363 IBM JDK: insecure use of invoke method in CORBA component, incorrect CVE-2013-3009 fix
Summary: CVE-2016-0363 IBM JDK: insecure use of invoke method in CORBA component, inco...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-0363
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1324048 1324915
TreeView+ depends on / blocked
 
Reported: 2016-04-05 12:14 UTC by Andrej Nemec
Modified: 2021-02-17 04:06 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-11 15:54:15 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0701 0 normal SHIPPED_LIVE Critical: java-1.7.1-ibm security update 2016-04-29 21:50:18 UTC
Red Hat Product Errata RHSA-2016:0702 0 normal SHIPPED_LIVE Critical: java-1.7.0-ibm security update 2016-04-29 21:50:30 UTC
Red Hat Product Errata RHSA-2016:0708 0 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2016-05-02 17:11:55 UTC
Red Hat Product Errata RHSA-2016:0716 0 normal SHIPPED_LIVE Critical: java-1.8.0-ibm security update 2016-05-03 22:35:33 UTC
Red Hat Product Errata RHSA-2016:1039 0 normal SHIPPED_LIVE Critical: java-1.8.0-ibm security update 2016-05-11 18:09:07 UTC
Red Hat Product Errata RHSA-2016:1430 0 normal SHIPPED_LIVE Moderate: java-1.7.0-ibm and java-1.7.1-ibm security update 2016-07-18 17:51:35 UTC
Red Hat Product Errata RHSA-2017:1216 0 normal SHIPPED_LIVE Moderate: java-1.7.1-ibm security update 2017-05-09 20:41:26 UTC

Description Andrej Nemec 2016-04-05 12:14:15 UTC
It was reported that the IBM fix for the issue 67 from this document http://www.security-explorations.com/materials/SE-2012-01-IBM-2.pdf didn't address the problem properly.

References:

http://seclists.org/fulldisclosure/2016/Apr/3

Full report:

http://www.security-explorations.com/materials/SE-2012-01-IBM-4.pdf

Comment 1 Tomas Hoger 2016-04-06 12:36:21 UTC
Issue 67 was previously tracked via bug 985501.  However, as noted in bug 985501 comment 2, there is no public information allowing to map between Security Explorations' issue numbers and CVE ids mentioned in the bug report.

Comment 4 Tomas Hoger 2016-04-21 12:37:02 UTC
(In reply to Tomas Hoger from comment #1)
> Issue 67 was previously tracked via bug 985501.  However, as noted in bug
> 985501 comment 2, there is no public information allowing to map between
> Security Explorations' issue numbers and CVE ids mentioned in the bug report.

The original reporter indicated that the CVE-2013-3009 was assigned to the Issue 67:

http://seclists.org/fulldisclosure/2016/Apr/20

Comment 5 Tomas Hoger 2016-04-28 10:46:21 UTC
This issue is listed as fixed in IBM JDK 6 SR16-FP25, 7 SR9-FP40, 7R1 SR3-FP40, and 8 SR3:

http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_April_2016

IBM flaw description:

CVEID: CVE-2016-0363
DESCRIPTION: IBM SDK, Java Technology Edition contains a vulnerability in the IBM ORB implementation that may allow untrusted code running under a security manager to elevate its privileges. This vulnerability was originally reported as CVE-2013-3009.
CVSS Base Score: 8.1
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

http://www-01.ibm.com/support/docview.wss?uid=swg21980826

Comment 7 errata-xmlrpc 2016-04-29 17:50:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary
  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:0701 https://rhn.redhat.com/errata/RHSA-2016-0701.html

Comment 8 errata-xmlrpc 2016-04-29 17:52:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2016:0702 https://rhn.redhat.com/errata/RHSA-2016-0702.html

Comment 9 errata-xmlrpc 2016-05-02 13:12:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary
  Red Hat Enterprise Linux 5 Supplementary

Via RHSA-2016:0708 https://rhn.redhat.com/errata/RHSA-2016-0708.html

Comment 10 errata-xmlrpc 2016-05-03 18:35:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Supplementary

Via RHSA-2016:0716 https://rhn.redhat.com/errata/RHSA-2016-0716.html

Comment 11 errata-xmlrpc 2016-05-11 14:09:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Supplementary

Via RHSA-2016:1039 https://rhn.redhat.com/errata/RHSA-2016-1039.html

Comment 12 errata-xmlrpc 2016-07-18 13:57:03 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2016:1430 https://access.redhat.com/errata/RHSA-2016:1430

Comment 13 errata-xmlrpc 2017-05-09 16:44:00 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 5.6
  Red Hat Satellite 5.7

Via RHSA-2017:1216 https://access.redhat.com/errata/RHSA-2017:1216


Note You need to log in before you can comment on or make changes to this bug.