Potential security flaws have been discovered in the Sun Java JDK and JRE software packages that could allow remote attackers to execute arbitrary code and to disclose and/or modify sensitive data.

Package: Sun Java JDK 1.x, Sun Java JRE 1.x
Operating systems: HP-UX 11.x
Severity: 10
Problem: unspecified error
Exploitation: remote
Impact: DNS record spoofing, disclosure of sensitive information, arbitrary code execution
Solution: vendor patch
CVE: CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4473
Original advisory ID: HPSBUX02685
Source: Hewlett Packard

Problem: The problems in the JRE (Java Runtime Environment) and JDK (Java Development Kit) software packages are caused by unspecified errors.

Impact: A remote attacker can exploit the identified vulnerabilities for arbitrary code execution, DNS record spoofing and disclosure of sensitive information.

Solution: Upgrading to the latest versions of the software packages is recommended.

Original advisory text
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02775276
Version: 1
HPSBUX02685 SSRT100505 rev.1 - HP-UX Running Java, Remote Execution of Arbitrary Code, Disclosure of Information, and Other Vulnerabilities
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-06-01
Last Updated: 2011-06-01
Potential Security Impact: Remote execution of arbitrary code, disclosure of information and other vulnerabilities.
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These vulnerabilities could allow remote execution of arbitrary code, disclosure of information, and other vulnerabilities.
References: CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476.
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, B.11.31 running HP JDK and JRE 6.0.09 or earlier
HP-UX B.11.11, B.11.23, B.11.31 running HP JDK and JRE 5.0.21 or earlier
BACKGROUND
For a PGP signed version of this security bulletin please write to: [e-mail address hidden by the site's spambot protection; JavaScript must be enabled to view it]
CVSS 2.0 Base Metrics

| Reference | Base Vector | Base Score |
|---|---|---|
| CVE-2010-4422 | (AV:N/AC:H/Au:N/C:C/I:C/A:C) | 7.6 |
| CVE-2010-4447 | (AV:N/AC:M/Au:N/C:P/I:N/A:N) | 4.3 |
| CVE-2010-4448 | (AV:N/AC:H/Au:N/C:N/I:P/A:N) | 2.6 |
| CVE-2010-4450 | (AV:L/AC:H/Au:N/C:P/I:P/A:P) | 3.7 |
| CVE-2010-4452 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0 |
| CVE-2010-4454 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0 |
| CVE-2010-4462 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0 |
| CVE-2010-4463 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0 |
| CVE-2010-4465 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0 |
| CVE-2010-4466 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | 5.0 |
| CVE-2010-4467 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0 |
| CVE-2010-4468 | (AV:N/AC:H/Au:N/C:P/I:P/A:N) | 4.0 |
| CVE-2010-4469 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0 |
| CVE-2010-4470 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | 5.0 |
| CVE-2010-4471 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | 5.0 |
| CVE-2010-4472 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | 7.5 |
| CVE-2010-4473 | (AV:N/AC:L/Au:N/C:C/I:C/A:C) | 10.0 |
| CVE-2010-4475 | (AV:N/AC:M/Au:N/C:P/I:N/A:N) | 4.3 |
| CVE-2010-4476 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | 5.0 |

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
NOTE:
The following have been resolved in HP JDK and JRE 6.0.10 and subsequent: CVE-2010-4422, CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4466, CVE-2010-4467, CVE-2010-4468, CVE-2010-4469, CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476.
The following have been resolved in HP JDK and JRE 5.0.22 and subsequent: CVE-2010-4447, CVE-2010-4448, CVE-2010-4450, CVE-2010-4454, CVE-2010-4462, CVE-2010-4465, CVE-2010-4466, CVE-2010-4468, CVE-2010-4469, CVE-2010-4471, CVE-2010-4473, CVE-2010-4475.
RESOLUTION
HP has provided the following upgrades to resolve these vulnerabilities
The upgrades are available from the following location
http://www.hp.com/go/java
HP-UX B.11.11, B.11.23, B.11.31
JDK and JRE v6.0.10 or subsequent
JDK and JRE v5.0.22 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v6.0.09 and earlier, update to Java v6.0.10 or subsequent
For Java v5.0.21 and earlier, update to Java v5.0.22 or subsequent
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
===========
Jre15.JRE15-COM
Jre15.JRE15-PA20
Jre15.JRE15-PA20-HS
Jre15.JRE15-PA20W
Jre15.JRE15-PA20W-HS
Jre15.JRE15-IPF32
Jre15.JRE15-IPF32-HS
Jre15.JRE15-IPF64
Jre15.JRE15-IPF64-HS
Jdk15.JDK15-PA20
Jdk15.JDK15-PA20W
Jdk15.JDK15-COM
Jdk15.JDK15-IPF32
Jdk15.JDK15-IPF64
action: install revision 1.5.0.22.00 or subsequent
Jre60.JRE60-COM
Jre60.JRE60-IPF32
Jre60.JRE60-IPF32-HS
Jre60.JRE60-IPF64
Jre60.JRE60-IPF64-HS
Jre60.JRE60-PA20
Jre60.JRE60-PA20-HS
Jre60.JRE60-PA20W
Jre60.JRE60-PA20W-HS
Jdk60.JDK60-COM
Jdk60.JDK60-IPF32
Jdk60.JDK60-IPF64
Jdk60.JDK60-PA20
Jdk60.JDK60-PA20W
action: install revision 1.6.0.10.00 or subsequent
END AFFECTED VERSIONS
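
The AFFECTED VERSIONS block above is written to be machine-read. As an added example (not part of the HP bulletin and not HP-UX Software Assistant's own code), the following Python parses that block into a fileset-to-minimum-revision map and flags installed filesets that are still below the fixed revision. The inventory lines and their `fileset revision` layout are constructed for the example, and the function names are hypothetical.

```python
import re

# Excerpt of the bulletin's AFFECTED VERSIONS block (names copied from the page, list shortened).
BULLETIN_BLOCK = """\
AFFECTED VERSIONS
HP-UX B.11.31
===========
Jre15.JRE15-COM
Jdk15.JDK15-COM
action: install revision 1.5.0.22.00 or subsequent
Jre60.JRE60-COM
Jdk60.JDK60-IPF64
action: install revision 1.6.0.10.00 or subsequent
END AFFECTED VERSIONS
"""

# Constructed inventory, one "<fileset> <installed revision>" pair per line (assumed format).
INSTALLED = """\
Jre15.JRE15-COM 1.5.0.21.00
Jre60.JRE60-COM 1.6.0.09.00
Jdk60.JDK60-IPF64 1.6.0.10.00
OtherProd.OTHER-RUN 2.0
"""

ACTION = re.compile(r"action: install revision (\S+) or subsequent")
FILESET = re.compile(r"^[A-Za-z0-9]+\.[A-Za-z0-9-]+$")

def rev_key(rev):  # '1.6.0.10.00' -> (1, 6, 0, 10, 0), so 10 > 9 compares numerically
    return tuple(int(part) for part in rev.split("."))

def parse_affected(block):
    """Map each fileset to the fixed revision named by the action line that follows it."""
    required, pending = {}, []
    for line in map(str.strip, block.splitlines()):
        if m := ACTION.fullmatch(line):
            required.update({fs: m.group(1) for fs in pending})
            pending = []
        elif FILESET.match(line):  # skips OS lines, separators and block markers
            pending.append(line)
    return required

def outdated(installed, required):
    """Return {fileset: (installed, needed)} for filesets below the fixed revision."""
    hits = {}
    for fileset, rev in (line.split() for line in installed.splitlines()):
        need = required.get(fileset)
        if need and rev_key(rev) < rev_key(need):
            hits[fileset] = (rev, need)
    return hits
```

Calling `outdated(INSTALLED, parse_affected(BULLETIN_BLOCK))` on the sample data reports the 1.5.0.21.00 and 1.6.0.09.00 filesets and leaves the already-updated and unrelated ones out.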
HISTORY
Version:1 (rev.1) 1 June 2011 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.