OVAL Definition: oval:org.mitre.oval:def:25358
Revision Date: 2014-09-08
Version: 10
Title: RHSA-2014:0907: java-1.6.0-openjdk security and bug fix update (Important)
Description:
The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment and the OpenJDK 6 Java Software Development Kit.

It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-4216, CVE-2014-4219)

A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine. (CVE-2014-2490)

An improper permission check issue was discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2014-4262)

Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4252, CVE-2014-4266)

It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys. (CVE-2014-4244)

The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key. (CVE-2014-4263)

The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security.

This update also fixes the following bug:

* Prior to this update, an application accessing an unsynchronized HashMap could potentially enter an infinite loop and consume an excessive amount of CPU resources. This update resolves this issue. (BZ#1115580)

All users of java-1.6.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
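The DH paragraph above describes a missing validation of the values a peer supplies during key agreement. As an added illustration, not OpenJDK's code and not the fix shipped in this erratum, the following Python shows the checks a finite-field DH implementation applies to a received public value and why skipping them lets a peer (or a man-in-the-middle substituting the value) force the shared secret into a set small enough to brute-force. The group parameters (p = 23, q = 11, g = 4) are constructed toy values chosen so the arithmetic can be checked by hand.

```python
"""Peer public-value validation for finite-field Diffie-Hellman.

Added illustration; not OpenJDK's code.  Toy parameters: p = 23 is a safe
prime (q = 11, p = 2q + 1) and g = 4 generates the order-q subgroup.  Real
groups are 2048 bits or more; small numbers just make the checks visible.
"""
from typing import Optional, Set

P, Q, G = 23, 11, 4


def validate_dh_public(y: int, p: int, q: Optional[int] = None) -> bool:
    """Accept y only if 2 <= y <= p - 2 and, when the subgroup order q is
    known, y**q == 1 (mod p).

    The range check rejects 0, 1 and p - 1, whose powers are constant or +/-1;
    the order check rejects elements outside the intended prime-order subgroup
    (e.g. y = 5 here, which generates the whole group of order 22).
    """
    if not 2 <= y <= p - 2:
        return False
    if q is not None and pow(y, q, p) != 1:
        return False
    return True


def shared_secret_candidates(y: int, p: int) -> Set[int]:
    """Every shared secret y**x mod p that an unvalidated peer value y can
    produce, over all private exponents x.  A tiny set means the attacker
    recovers the negotiated key by trying each candidate."""
    return {pow(y, x, p) for x in range(1, p - 1)}


def derive_shared(peer_y: int, my_x: int, p: int = P, q: int = Q) -> int:
    """Hardened derivation: refuse weak peer values before exponentiating."""
    if not validate_dh_public(peer_y, p, q):
        raise ValueError(f"rejected DH public value {peer_y}")
    return pow(peer_y, my_x, p)


if __name__ == "__main__":
    # y = 1 yields the constant secret 1; y = p - 1 yields only 1 or p - 1.
    for y in (0, 1, P - 1, 5, G):
        print(f"y={y:2d} valid={validate_dh_public(y, P, Q)!s:5} "
              f"possible secrets={sorted(shared_secret_candidates(y, P))}")
```

Running the block prints, for each candidate value, whether it passes validation and the full set of shared secrets it could ever produce; the rejected values 1 and p - 1 give one and two candidates respectively, while the valid generator gives all eleven subgroup elements.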
Family: unix
Class: patch
Status: ACCEPTED
Reference(s): CESA-2014:0907
CVE-2014-2490
CVE-2014-4209
CVE-2014-4216
CVE-2014-4218
CVE-2014-4219
CVE-2014-4244
CVE-2014-4252
CVE-2014-4262
CVE-2014-4263
CVE-2014-4266
RHSA-2014:0907-00
Platform(s): CentOS Linux 5
CentOS Linux 6
CentOS Linux 7
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Product(s): java-1.6.0-openjdk
Definition Synopsis
  • Operating system section
    • Red Hat 5 or CentOS 5 release
      • The operating system installed on the system is Red Hat Enterprise Linux 5
      • OR The operating system installed on the system is CentOS Linux 5.x
  • AND Packages section
    • java-1.6.0-openjdk is earlier than 1:1.6.0.0-6.1.13.4.el5_10
    • OR java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-6.1.13.4.el5_10
    • OR java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-6.1.13.4.el5_10
    • OR java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-6.1.13.4.el5_10
    • OR java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-6.1.13.4.el5_10
  • Operating system section
    • Red Hat 6 or CentOS 6 release
      • The operating system installed on the system is Red Hat Enterprise Linux 6
      • OR The operating system installed on the system is CentOS Linux 6.x
  • AND Packages section
    • java-1.6.0-openjdk is earlier than 1:1.6.0.0-6.1.13.4.el6_5
    • OR java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-6.1.13.4.el6_5
    • OR java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-6.1.13.4.el6_5
    • OR java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-6.1.13.4.el6_5
    • OR java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-6.1.13.4.el6_5
  • Operating system section
    • Red Hat 7 or CentOS 7 release
      • The operating system installed on the system is Red Hat Enterprise Linux 7
      • OR The operating system installed on the system is CentOS Linux 7.x
  • AND Packages section
    • java-1.6.0-openjdk is earlier than 1:1.6.0.0-6.1.13.4.el7_0
    • OR java-1.6.0-openjdk-demo is earlier than 1:1.6.0.0-6.1.13.4.el7_0
    • OR java-1.6.0-openjdk-devel is earlier than 1:1.6.0.0-6.1.13.4.el7_0
    • OR java-1.6.0-openjdk-javadoc is earlier than 1:1.6.0.0-6.1.13.4.el7_0
    • OR java-1.6.0-openjdk-src is earlier than 1:1.6.0.0-6.1.13.4.el7_0
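The synopsis above is the definition's logic: a host matches when it runs one of the listed releases and any listed package has an EVR (epoch:version-release) earlier than the fixed one, where "earlier" means rpm's own version ordering, not string order. The following Python script, added here as an example and not part of the OVAL content or of any scanner, evaluates that logic against an inventory given as package name to EVR string. It implements the digit/letter segment rules of rpmvercmp (the '~' and '^' rules of newer rpm releases are deliberately left out), and all installed EVRs used as input are constructed test data.

```python
"""Evaluate the RHSA-2014:0907 OVAL criteria against a package inventory.

Added example (not part of the OVAL definition or of any scanner).  The
installed EVRs used below are constructed; on a real host collect them with
    rpm -q --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n' 'java-1.6.0-openjdk*'
"""
import re
from typing import Dict, List, NamedTuple

# Fixed EVRs taken from the definition, keyed by RHEL/CentOS major release.
FIXED = {
    5: "1:1.6.0.0-6.1.13.4.el5_10",
    6: "1:1.6.0.0-6.1.13.4.el6_5",
    7: "1:1.6.0.0-6.1.13.4.el7_0",
}
PACKAGES = (
    "java-1.6.0-openjdk", "java-1.6.0-openjdk-demo", "java-1.6.0-openjdk-devel",
    "java-1.6.0-openjdk-javadoc", "java-1.6.0-openjdk-src",
)

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """rpm-style comparison of version or release strings: -1, 0 or 1.

    Segments are maximal runs of digits or letters; '.' and '_' only delimit.
    Digit runs compare numerically (13.10 > 13.4, where a plain string compare
    gets it wrong), letter runs lexically, and a digit run beats a letter run
    in the same position.  '~' and '^' handling is intentionally omitted.
    """
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


class EVR(NamedTuple):
    epoch: int
    version: str
    release: str


def parse_evr(text: str) -> EVR:
    """Parse 'epoch:version-release'; a missing or '(none)' epoch counts as 0."""
    epoch = 0
    if ":" in text:
        head, text = text.split(":", 1)
        epoch = 0 if head == "(none)" else int(head)
    version, _, release = text.partition("-")
    return EVR(epoch, version, release)


def evr_cmp(a: EVR, b: EVR) -> int:
    """Epoch dominates, then version, then release (rpm's labelCompare order)."""
    if a.epoch != b.epoch:
        return 1 if a.epoch > b.epoch else -1
    c = rpmvercmp(a.version, b.version)
    return c if c else rpmvercmp(a.release, b.release)


def evaluate(os_major: int, installed: Dict[str, str]) -> List[str]:
    """Installed package names that satisfy the definition on a host running
    RHEL/CentOS `os_major`.  An empty list means the definition does not fire:
    the release is not covered, or every listed package is at or past the fix.
    """
    fixed = FIXED.get(os_major)
    if fixed is None:
        return []
    target = parse_evr(fixed)
    return [name for name in PACKAGES
            if name in installed
            and evr_cmp(parse_evr(installed[name]), target) < 0]


if __name__ == "__main__":
    # Constructed inventories: a lagging build, a host at the fixed EVR, and a
    # package whose release number looks newer but loses on epoch.
    hosts = {
        "rhel6-stale": (6, {"java-1.6.0-openjdk": "1:1.6.0.0-5.1.13.3.el6_5",
                            "java-1.6.0-openjdk-devel": "1:1.6.0.0-6.1.13.4.el6_5"}),
        "rhel6-patched": (6, {"java-1.6.0-openjdk": "1:1.6.0.0-6.1.13.4.el6_5"}),
        "rhel7-no-epoch": (7, {"java-1.6.0-openjdk": "(none):1.6.0.0-9.9.el7_0"}),
    }
    for host, (major, inventory) in hosts.items():
        print(host, "->", evaluate(major, inventory) or "not affected")
```

Two details worth keeping from this: the epoch in the fixed EVR is 1, so an installed package reporting no epoch compares as older no matter how high its release number, and the `el6_5` build compares as earlier than `el7_0`, so an RHEL 6 package left on an upgraded RHEL 7 host is still flagged by the RHEL 7 branch.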