Bug 859155 - JDK: browser plugin allows changing SecurityManager for all applets
JDK: browser plugin allows changing SecurityManager for all applets
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130416,repor...
: Security
Depends On:
Blocks: 856136
  Show dependency treegraph
 
Reported: 2012-09-20 12:39 EDT by Tomas Hoger
Modified: 2014-02-28 16:02 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-28 16:02:38 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Tomas Hoger 2012-09-20 12:39:14 EDT
The Oracle and IBM Java SE browser plugin allows signed applets running with full privileges to replace SecurityManager.  This change, however, is not limited to the current applet that performed the change, but also affects other applets.  An attacker able to make a victim to run a signed applet that changes SecurityManager (the attacker does not need to have control over what this applet does, they only need to find one that the victim is likely to run and that installs more permissive SecurityManager) and later navigate the victim to a page that contains unsigned attacker-controlled applet could possibly use this flaw to have their unsigned applet code run with additional privileges.

This issue did not affect IcedTea-Web browser plugin, which does not allow applets to replace SecurityManager:
http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1094
Comment 3 Tomas Hoger 2013-04-17 06:46:40 EDT
Oracle has classified this as security-in-depth fix.  Java SE CPU April 2013 addresses this issue:

http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
Comment 4 Tomas Hoger 2014-02-28 16:02:38 EST
IBM JDKs plugin was also fixed in updates for Java SE CPU April 2013.  Therefore, Oracle/Sun JDKs were fixed in 7u21 and 6u45, and IBM JDKs were fixed in 7 SR4-FP2 and 6 SR13-FP2.

Matching Red Hat Enterprise Linux errata are:

https://rhn.redhat.com/errata/RHSA-2013-0757.html
https://rhn.redhat.com/errata/RHSA-2013-0758.html
https://rhn.redhat.com/errata/RHSA-2013-0822.html
https://rhn.redhat.com/errata/RHSA-2013-0823.html

Note You need to log in before you can comment on or make changes to this bug.