Oracle Java SE 7 Update 7 and 6 Update 35 include a "security-in-depth" fix for the AWT component. This fix changes the component to remove functionality that can be used in exploits trying to bypass Java sandbox restrictions, such as the 0day exploit published in August 2012 (see bug 852051), which took advantage of the SunToolkit.getField method to modify an object's private field.

References:
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
http://www.oracle.com/technetwork/java/javase/6u35-relnotes-1835788.html
http://www.oracle.com/technetwork/java/javase/7u7-relnotes-1835816.html

External Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-4681-1835715.html
MITRE description, pointing out that hardening fixes are not expected to have a CVE assigned:

"Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 6 and earlier, and 6 Update 34 and earlier, has no impact and remote attack vectors involving AWT and "a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited." NOTE: this identifier was assigned by the Oracle CNA, but CVE is not intended to cover defense-in-depth issues that are only exposed by the presence of other vulnerabilities."
Upstream fix, as applied in the IcedTea 7 2.3 repositories:
http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/6df0f825c24e
OpenJDK7 repositories commit:
http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/0c5704b02468
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:1221 https://rhn.redhat.com/errata/RHSA-2012-1221.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2012:1222 https://rhn.redhat.com/errata/RHSA-2012-1222.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:1223 https://rhn.redhat.com/errata/RHSA-2012-1223.html
Fixed in IcedTea versions 2.1.2, 2.2.2 and 2.3.2:
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020127.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-August/020144.html
http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-September/020151.html

This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2012:1225 https://rhn.redhat.com/errata/RHSA-2012-1225.html
I see that java-1.6.0-openjdk was updated for RHEL5 to address this. Any plans to also update java-1.6.0-sun?
The primary reason to update the java-1.6.0-openjdk packages was the CVE-2012-1682 (bug #853097) issue. That issue did not affect Oracle Java SE 6, but it did affect OpenJDK 6. As explained in the following Oracle blog post (also linked from comment #0):
https://blogs.oracle.com/security/entry/security_alert_for_cve_20121
CVE-2012-0547 was used to refer to a security-in-depth, or hardening, fix that has no security impact by itself (it was rated as having a CVSSv2 score of 0 by Oracle). Hence we do not plan to release a security update with only this hardening fix, as the next scheduled update fixing security issues is planned to be released in 4 weeks (Oct 16).

This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2012:1289 https://rhn.redhat.com/errata/RHSA-2012-1289.html
Thanks for the explanation! I was unaware that there was a second CVE that affected only java-1.6.0-openjdk, and thought that the openjdk update was just for CVE-2012-0547. Waiting for the October 16 update for java-1.6.0-sun seems reasonable.
This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 5
Supplementary for Red Hat Enterprise Linux 6
Via RHSA-2012:1392 https://rhn.redhat.com/errata/RHSA-2012-1392.html

This issue has been addressed in the following products:
Supplementary for Red Hat Enterprise Linux 6
Supplementary for Red Hat Enterprise Linux 5
Via RHSA-2012:1466 https://rhn.redhat.com/errata/RHSA-2012-1466.html

This issue has been addressed in the following products:
Red Hat Network Satellite Server v 5.5
Via RHSA-2013:1456 https://rhn.redhat.com/errata/RHSA-2013-1456.html

This issue has been addressed in the following products:
Red Hat Network Satellite Server v 5.4
Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html