Bug 853228 (CVE-2012-0547) - CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)
Summary: CVE-2012-0547 OpenJDK: AWT hardening fixes (AWT, 7163201)
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-0547
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 852299 852300 852301 852302 852303 852304 853114 853116 853345 853346 854890 854891 856471
Blocks: 852098
TreeView+ depends on / blocked
 
Reported: 2012-08-30 19:37 UTC by Tomas Hoger
Modified: 2019-09-29 12:55 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-01-24 09:43:43 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2012:1221 0 normal SHIPPED_LIVE Critical: java-1.6.0-openjdk security update 2012-09-03 16:40:01 UTC
Red Hat Product Errata RHSA-2012:1222 0 normal SHIPPED_LIVE Important: java-1.6.0-openjdk security update 2012-09-03 16:50:15 UTC
Red Hat Product Errata RHSA-2012:1223 0 normal SHIPPED_LIVE Important: java-1.7.0-openjdk security update 2012-09-03 17:00:27 UTC
Red Hat Product Errata RHSA-2012:1225 0 normal SHIPPED_LIVE Critical: java-1.7.0-oracle security update 2012-09-04 11:04:31 UTC
Red Hat Product Errata RHSA-2012:1289 0 normal SHIPPED_LIVE Critical: java-1.7.0-ibm security update 2012-09-19 02:52:20 UTC
Red Hat Product Errata RHSA-2012:1392 0 normal SHIPPED_LIVE Critical: java-1.6.0-sun security update 2012-10-18 20:54:24 UTC
Red Hat Product Errata RHSA-2012:1466 0 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2012-11-16 02:16:50 UTC
Red Hat Product Errata RHSA-2013:1455 0 normal SHIPPED_LIVE Low: Red Hat Network Satellite server IBM Java Runtime security update 2013-10-23 20:30:21 UTC
Red Hat Product Errata RHSA-2013:1456 0 normal SHIPPED_LIVE Low: Red Hat Network Satellite server IBM Java Runtime security update 2013-10-23 20:29:56 UTC

Description Tomas Hoger 2012-08-30 19:37:45 UTC 
Oracle Java SE 7 Update 7 and 6 Update 35 include a "security-in-depth" fix for the AWT component.  This fix changes the component to remove functionality that can be used in exploits trying to bypass Java sandbox restrictions, such as the 0day exploit published in August 2012 (see bug 852051), which took advantage of SunToolkit.getField method to modify object's private field.

References:
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html
http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html

External Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
Comment 1 Tomas Hoger 2012-08-31 06:51:17 UTC 
Mitre description, pointing out that hardening fixes are not expected to have CVE assigned:

  Unspecified vulnerability in the Java Runtime Environment (JRE)
  component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34
  and earlier, has no impact and remote attack vectors involving AWT and
  "a security-in-depth issue that is not directly exploitable but which
  can be used to aggravate security vulnerabilities that can be directly
  exploited." NOTE: this identifier was assigned by the Oracle CNA, but
  CVE is not intended to cover defense-in-depth issues that are only
  exposed by the presence of other vulnerabilities.
Comment 3 Tomas Hoger 2012-08-31 07:34:21 UTC 
Upstream fix, as applied in IcedTea 7 2.3 repositories:

http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/6df0f825c24e
Comment 4 Tomas Hoger 2012-08-31 09:55:28 UTC 
OpenJDK7 repositories commit:

http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/0c5704b02468
Comment 5 errata-xmlrpc 2012-09-03 12:41:15 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1221 https://rhn.redhat.com/errata/RHSA-2012-1221.html
Comment 6 errata-xmlrpc 2012-09-03 12:51:35 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1222 https://rhn.redhat.com/errata/RHSA-2012-1222.html
Comment 7 errata-xmlrpc 2012-09-03 13:01:59 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1223 https://rhn.redhat.com/errata/RHSA-2012-1223.html
Comment 8 Tomas Hoger 2012-09-03 18:47:27 UTC 
Fixed in IcedTea versions: 2.1.2, 2.2.2 and 2.3.2

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020127.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020144.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-September/020151.html
Comment 9 errata-xmlrpc 2012-09-04 07:05:58 UTC 
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1225 https://rhn.redhat.com/errata/RHSA-2012-1225.html
Comment 10 Lee Whatley 2012-09-14 15:27:04 UTC 
I see that java-1.6.0-openjdk was updated for RHEL5 to address this.  Any plans to also update java-1.6.0-sun?
Comment 11 Tomas Hoger 2012-09-18 12:56:33 UTC 
The primary reason to update java-1.6.0-openjdk packages was the CVE-2012-1682 (bug #853097) issues.  That issue did not affect Oracle Java SE 6, but it did affect OpenJDK 6.

As explained in the following Oracle blog post (also linked from comment #0):
  https://blogs.oracle.com/security/entry/security_alert_for_cve_20121

the CVE-2012-0547 was used to refer to a security-in-depth, or hardening, fix, that has no security impact by itself (it was rated as having CVSSv2 score of 0 by Oracle).  Hence we do not plan to release a security update with only this hardening fix as the next scheduled update fixing security issues is planned to be released in 4 weeks (Oct 16).
Comment 12 errata-xmlrpc 2012-09-18 22:53:24 UTC 
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1289 https://rhn.redhat.com/errata/RHSA-2012-1289.html
Comment 13 Lee Whatley 2012-09-19 20:56:10 UTC 
Thanks for the explanation!  I was unaware that there was a second CVE that affected only java-1.6.0-openjdk, and thought that the openjdk update was just for CVE-2012-0547.  Waiting for the October 16 update for java-1.6.0-sun seems reasonable.
Comment 14 errata-xmlrpc 2012-10-18 16:56:35 UTC 
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1392 https://rhn.redhat.com/errata/RHSA-2012-1392.html
Comment 15 errata-xmlrpc 2012-11-15 21:17:27 UTC 
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2012:1466 https://rhn.redhat.com/errata/RHSA-2012-1466.html
Comment 16 errata-xmlrpc 2013-10-23 16:32:11 UTC 
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.5

Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html
Comment 17 errata-xmlrpc 2013-10-23 17:06:12 UTC 
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html
Note You need to log in before you can comment on or make changes to this bug.