Bug 853228 - (CVE-2012-0547) CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All / Linux
Priority: low  Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20120830,reported=2...
Keywords: Security
Depends On: 852299 852300 852301 852302 852303 852304 853114 853116 853345 853346 854890 854891 856471
Blocks: 852098
Reported: 2012-08-30 15:37 EDT by Tomas Hoger
Modified: 2015-11-25 04:59 EST
CC: 9 users
Doc Type: Bug Fix
Last Closed: 2013-01-24 04:43:43 EST
Description Tomas Hoger 2012-08-30 15:37:45 EDT
Oracle Java SE 7 Update 7 and 6 Update 35 include a "security-in-depth" fix for the AWT component.  This fix changes the component to remove functionality that can be used in exploits trying to bypass Java sandbox restrictions, such as the 0day exploit published in August 2012 (see bug 852051), which took advantage of the SunToolkit.getField method to modify an object's private field.

References:
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html
http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html

External Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
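Added illustration (not part of the bug report, and not Oracle's or OpenJDK's code) of the primitive the description refers to: a fully trusted helper that wraps setAccessible(true) in doPrivileged() and hands the resulting Field back to whoever called it, so that sandboxed code can write a private field it could never reach on its own. The class, field and helper names (PrivilegedFieldDemo, Guard, getFieldPrivileged, getFieldChecked) are invented for this example, and the sandbox is simulated with a permission-less AccessControlContext rather than the browser plugin. Java 8 through 17 run it as written (17 prints a deprecation warning for setSecurityManager); 18 to 23 need -Djava.security.manager=allow; 24 and later have no SecurityManager at all.

```java
import java.lang.reflect.Field;
import java.security.AccessControlContext;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

/*
 * Illustrative example, not OpenJDK source.  All names below are made up.
 * Models the pattern behind the hardening fix: a trusted helper that
 * elevates privileges to make a private field accessible and returns it.
 */
public class PrivilegedFieldDemo {

    /** Stand-in for a trusted object whose private state gates a decision. */
    static final class Guard {
        private boolean trusted = false;
        boolean isTrusted() { return trusted; }
    }

    /**
     * Pre-hardening pattern.  doPrivileged() ends the permission check's stack
     * walk at this (fully trusted) frame, so the sandboxed caller's missing
     * ReflectPermission("suppressAccessChecks") is never consulted.
     */
    static Field getFieldPrivileged(final Class<?> klass, final String name) {
        return AccessController.doPrivileged(new PrivilegedAction<Field>() {
            public Field run() {
                try {
                    Field f = klass.getDeclaredField(name);
                    f.setAccessible(true);
                    return f;
                } catch (NoSuchFieldException e) {
                    throw new IllegalArgumentException(e);
                }
            }
        });
    }

    /** Hardened form: no privilege elevation, so the caller's own permissions decide. */
    static Field getFieldChecked(Class<?> klass, String name) throws NoSuchFieldException {
        Field f = klass.getDeclaredField(name);
        f.setAccessible(true);   // throws AccessControlException from the sandbox
        return f;
    }

    /** Performs the field write inside a context that carries no permissions at all. */
    static String attemptFromSandbox(final Guard g, final boolean viaPrivilegedHelper) {
        AccessControlContext noPermissions = new AccessControlContext(
            new ProtectionDomain[] { new ProtectionDomain(null, new Permissions()) });
        return AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                try {
                    Field f = viaPrivilegedHelper
                        ? getFieldPrivileged(Guard.class, "trusted")
                        : getFieldChecked(Guard.class, "trusted");
                    f.setBoolean(g, true);   // no further check once the Field is accessible
                    return "write succeeded, trusted=" + g.isTrusted();
                } catch (AccessControlException e) {
                    return "denied: " + e.getPermission();
                } catch (ReflectiveOperationException e) {
                    return "error: " + e;
                }
            }
        }, noPermissions);
    }

    public static void main(String[] args) {
        // Grant this class everything, standing in for code on the boot class
        // path, then switch the SecurityManager on.
        Policy.setPolicy(new Policy() {
            @Override public boolean implies(ProtectionDomain d, Permission p) { return true; }
        });
        System.setSecurityManager(new SecurityManager());

        System.out.println("hardened helper:   " + attemptFromSandbox(new Guard(), false));
        System.out.println("privileged helper: " + attemptFromSandbox(new Guard(), true));
    }
}
```

Compile and run with `javac PrivilegedFieldDemo.java && java PrivilegedFieldDemo`. The hardened path is refused with an AccessControlException for suppressAccessChecks, because the stack walk reaches the permission-less sandbox context; the privileged path returns an accessible Field and the sandboxed code flips `trusted`. That is why a helper of this shape is a hardening target even though it is not a vulnerability by itself: it only matters once untrusted code can reach it, which is exactly what the separate CVE-2012-4681 bug provided.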
Comment 1 Tomas Hoger 2012-08-31 02:51:17 EDT
Mitre description, pointing out that hardening fixes are not expected to have a CVE assigned:

  Unspecified vulnerability in the Java Runtime Environment (JRE)
  component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34
  and earlier, has no impact and remote attack vectors involving AWT and
  "a security-in-depth issue that is not directly exploitable but which
  can be used to aggravate security vulnerabilities that can be directly
  exploited." NOTE: this identifier was assigned by the Oracle CNA, but
  CVE is not intended to cover defense-in-depth issues that are only
  exposed by the presence of other vulnerabilities.
Comment 3 Tomas Hoger 2012-08-31 03:34:21 EDT
Upstream fix, as applied in IcedTea 7 2.3 repositories:

http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/6df0f825c24e
Comment 4 Tomas Hoger 2012-08-31 05:55:28 EDT
OpenJDK7 repositories commit:

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/0c5704b02468
Comment 5 errata-xmlrpc 2012-09-03 08:41:15 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1221 https://rhn.redhat.com/errata/RHSA-2012-1221.html
Comment 6 errata-xmlrpc 2012-09-03 08:51:35 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1222 https://rhn.redhat.com/errata/RHSA-2012-1222.html
Comment 7 errata-xmlrpc 2012-09-03 09:01:59 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1223 https://rhn.redhat.com/errata/RHSA-2012-1223.html
Comment 9 errata-xmlrpc 2012-09-04 03:05:58 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1225 https://rhn.redhat.com/errata/RHSA-2012-1225.html
Comment 10 Lee Whatley 2012-09-14 11:27:04 EDT
I see that java-1.6.0-openjdk was updated for RHEL5 to address this.  Any plans to also update java-1.6.0-sun?
Comment 11 Tomas Hoger 2012-09-18 08:56:33 EDT
The primary reason to update java-1.6.0-openjdk packages was the CVE-2012-1682 (bug #853097) issue.  That issue did not affect Oracle Java SE 6, but it did affect OpenJDK 6.

As explained in the following Oracle blog post (also linked from comment #0):
  https://blogs.oracle.com/security/entry/security_alert_for_cve_20121

CVE-2012-0547 was used to refer to a security-in-depth, or hardening, fix that has no security impact by itself (it was rated as having a CVSSv2 score of 0 by Oracle).  Hence we do not plan to release a security update with only this hardening fix, as the next scheduled update fixing security issues is planned to be released in 4 weeks (Oct 16).
Comment 12 errata-xmlrpc 2012-09-18 18:53:24 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1289 https://rhn.redhat.com/errata/RHSA-2012-1289.html
Comment 13 Lee Whatley 2012-09-19 16:56:10 EDT
Thanks for the explanation!  I was unaware that there was a second CVE that affected only java-1.6.0-openjdk, and thought that the openjdk update was just for CVE-2012-0547.  Waiting for the October 16 update for java-1.6.0-sun seems reasonable.
Comment 14 errata-xmlrpc 2012-10-18 12:56:35 EDT
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1392 https://rhn.redhat.com/errata/RHSA-2012-1392.html
Comment 15 errata-xmlrpc 2012-11-15 16:17:27 EST
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2012:1466 https://rhn.redhat.com/errata/RHSA-2012-1466.html
Comment 16 errata-xmlrpc 2013-10-23 12:32:11 EDT
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.5

Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html
Comment 17 errata-xmlrpc 2013-10-23 13:06:12 EDT
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html