865359 – (CVE-2012-5074) CVE-2012-5074 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7169887)

Bug 865359 (CVE-2012-5074) - CVE-2012-5074 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-WS, 7169887)

Summary: CVE-2012-5074 OpenJDK: com.sun.org.glassfish.* not restricted packages (JAX-W...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2012-5074
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	862579
TreeView+	depends on / blocked

Reported:	2012-10-11 09:45 UTC by Stefan Cornelius
Modified:	2021-02-23 13:38 UTC (History)
CC List:	7 users (show)
Fixed In Version:	icedtea7 2.1.3, icedtea7 2.2.3, icedtea7 2.3.3
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-11-16 08:42:54 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2012:1386	normal	SHIPPED_LIVE	Important: java-1.7.0-openjdk security update	2012-11-14 00:28:44 UTC
Red Hat Product Errata	RHSA-2012:1391	normal	SHIPPED_LIVE	Critical: java-1.7.0-oracle security update	2012-10-18 20:44:09 UTC
Red Hat Product Errata	RHSA-2012:1467	normal	SHIPPED_LIVE	Critical: java-1.7.0-ibm security update	2012-11-16 02:06:24 UTC

Description Stefan Cornelius 2012-10-11 09:45:48 UTC

The default Java security properties configuration did not restrict access to the com.sun.org.glassfish.external and com.sun.org.glassfish.gmbal packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. This update lists those packages as restricted in the java.security file.

Note that the addition of the mentioned packages to the package.access properly list is tracked under CVE-2012-5076 and CVE-2012-5074 (see also bug 865352).

Comment 1 Stefan Cornelius 2012-10-17 10:19:49 UTC

Fixed now in Oracle JDK 7u9.

External Reference:

http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html

Comment 2 errata-xmlrpc 2012-10-17 16:09:49 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1386 https://rhn.redhat.com/errata/RHSA-2012-1386.html

Comment 3 Tomas Hoger 2012-10-17 16:58:03 UTC

Fix included in IcedTea7 versions 2.1.3, 2.2.3 and 2.3.3:

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-October/020571.html
http://icedtea.classpath.org/hg/release/icedtea7-forest-2.3/jdk/rev/f2bae6dacc05

Comment 4 errata-xmlrpc 2012-10-18 16:46:04 UTC

This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1391 https://rhn.redhat.com/errata/RHSA-2012-1391.html

Comment 5 errata-xmlrpc 2012-11-15 21:08:40 UTC

This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2012:1467 https://rhn.redhat.com/errata/RHSA-2012-1467.html

Note You need to log in before you can comment on or make changes to this bug.