Bug 1189145 (CVE-2014-8892) - CVE-2014-8892 IBM JDK: unspecified partial Java sandbox bypass fixed in Feb 2015 update
Summary: CVE-2014-8892 IBM JDK: unspecified partial Java sandbox bypass fixed in Feb 2...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8892
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1179762
TreeView+ depends on / blocked
 
Reported: 2015-02-04 14:52 UTC by Tomas Hoger
Modified: 2019-09-29 13:27 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-04 12:46:23 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0133 0 normal SHIPPED_LIVE Critical: java-1.7.1-ibm security update 2015-02-06 00:35:28 UTC
Red Hat Product Errata RHSA-2015:0134 0 normal SHIPPED_LIVE Critical: java-1.7.0-ibm security update 2015-02-06 00:34:56 UTC
Red Hat Product Errata RHSA-2015:0135 0 normal SHIPPED_LIVE Critical: java-1.6.0-ibm security update 2015-02-06 00:34:28 UTC
Red Hat Product Errata RHSA-2015:0136 0 normal SHIPPED_LIVE Important: java-1.5.0-ibm security update 2015-02-06 00:29:26 UTC
Red Hat Product Errata RHSA-2015:0263 0 normal SHIPPED_LIVE Low: Red Hat Satellite IBM Java Runtime security update 2015-02-24 18:20:04 UTC
Red Hat Product Errata RHSA-2015:0264 0 normal SHIPPED_LIVE Low: Red Hat Satellite IBM Java Runtime security update 2015-02-24 18:44:15 UTC

Description Tomas Hoger 2015-02-04 14:52:17 UTC
IBM JDK updates 7R1 SR2-FP10, 7 SR8-FP10, 6R1 SR8-FP3, 6 SR16-FP3 and 5.0 SR16-FP9 correct an unspecified vulnerability identified using CVE-2014-8892.  Upstream has rated this issue with CVSSv2 score of 4.3 (no vector provided).

http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_February_2015

Further details of the issue should be made available via the following link:

http://www.ibm.com/support/docview.wss?uid=swg21695747

Comment 1 Tomas Hoger 2015-02-05 10:24:23 UTC
The above URL still does not work, but the security bulletin is now available via the following URL:

https://www-304.ibm.com/support/docview.wss?uid=swg21695474

It provides the following information for this issue:

  A vulnerability in the IBM implementation of the Java Virtual Machine may,
  under very limited circumstances, allow untrusted code running under a
  security manager to bypass permission checks and view sensitive information.

  http://xforce.iss.net/xforce/xfdb/99011

There's currently only a blank page served on the xforce URL.

Comment 2 errata-xmlrpc 2015-02-05 19:30:51 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:0136 https://rhn.redhat.com/errata/RHSA-2015-0136.html

Comment 3 errata-xmlrpc 2015-02-05 19:36:34 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:0135 https://rhn.redhat.com/errata/RHSA-2015-0135.html

Comment 4 errata-xmlrpc 2015-02-05 19:37:12 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5

Via RHSA-2015:0134 https://rhn.redhat.com/errata/RHSA-2015-0134.html

Comment 5 errata-xmlrpc 2015-02-05 19:37:27 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 7
  Supplementary for Red Hat Enterprise Linux 6

Via RHSA-2015:0133 https://rhn.redhat.com/errata/RHSA-2015-0133.html

Comment 6 errata-xmlrpc 2015-02-24 13:21:19 UTC
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.7

Via RHSA-2015:0263 https://rhn.redhat.com/errata/RHSA-2015-0263.html

Comment 7 errata-xmlrpc 2015-02-24 13:46:23 UTC
This issue has been addressed in the following products:

  Red Hat Satellite Server v 5.6

Via RHSA-2015:0264 https://rhn.redhat.com/errata/RHSA-2015-0264.html


Note You need to log in before you can comment on or make changes to this bug.