LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - News (http://www.linuxquestions.org/questions/linux-news-59/)
-   -   Oracle Java 7 Security Manager Bypass Vulnerability (http://www.linuxquestions.org/questions/linux-news-59/oracle-java-7-security-manager-bypass-vulnerability-4175445148/)

tronayne 01-11-2013 10:01 AM

Oracle Java 7 Security Manager Bypass Vulnerability
 
US-CERT Alert TA13-010A (10 Jan 2013, 18:07) (http://www.kb.cert.org/vuls/id/625617):
Quote:

Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0) including

* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)

All versions of Java 7 through update 10 are affected. Web
browsers using the Java 7 plug-in are at high risk.


Overview

A vulnerability in the way Java 7 restricts the permissions of Java
applets could allow an attacker to execute arbitrary commands on a
vulnerable system.


Description

A vulnerability in the Java Security Manager allows a Java applet
to grant itself permission to execute arbitrary code. An attacker
could use social engineering techniques to entice a user to visit a
link to a website hosting a malicious Java applet. An attacker
could also compromise a legitimate web site and upload a malicious
Java applet (a "drive-by download" attack).

Any web browser using the Java 7 plug-in is affected. The Java
Deployment Toolkit plug-in and Java Web Start can also be used as
attack vectors.

Reports indicate this vulnerability is being actively exploited,
and exploit code is publicly available.

Further technical details are available in Vulnerability Note
VU#625617.


Impact

By convincing a user to load a malicious Java applet or Java
Network Launching Protocol (JNLP) file, an attacker could execute
arbitrary code on a vulnerable system with the privileges of the
Java plug-in process.


Solution

Disable Java in web browsers

This and previous Java vulnerabilities have been widely targeted by
attackers, and new Java vulnerabilities are likely to be
discovered. To defend against this and future Java vulnerabilities,
disable Java in web browsers.

Starting with Java 7 Update 10, it is possible to disable Java
content in web browsers through the Java control panel applet. From
Setting the Security Level of the Java Client:

For installations where the highest level of security is required,
it is possible to entirely prevent any Java apps (signed or
unsigned) from running in a browser by de-selecting Enable Java
content in the browser in the Java Control Panel under the Security
tab.

If you are unable to update to Java 7 Update 10 please see the
solution section of Vulnerability Note VU#636312 for instructions
on how to disable Java on a per browser basis.
Oracle's web site, http://www.oracle.com/technetwork/java/index.html, has JDK and JRE 7 update 10 available for those interested.

Hope this helps some.

ponce 01-11-2013 10:20 AM

u10 is vulnerable too, there are no official safe releases from Oracle ATM.
the only solution for now is to disable it in the browser/uninstall it.

GazL 01-11-2013 10:46 AM

Quote:

Originally Posted by ponce (Post 4867849)
u10 is vulnerable too, there are no official safe releases from Oracle ATM.

"ATM"? Judging by its history I don't think it would be unreasonable to say that java lives in a perpetual state of vulnerability.

I'm just glad I have no need of it.

angryfirelord 01-11-2013 05:57 PM

Quote:

Originally Posted by GazL (Post 4867868)
"ATM"? Judging by its history I don't think it would be unreasonable to say that java lives in a perpetual state of vulnerability.

I'm just glad I have no need of it.

On one hand, I don't it's fair to single out Java for every vulnerability since pretty much every piece of software suffers from 0-day exploits. The Ruby on Rails vulnerability that happened last week is a good example. Whereas with Java, the vulnerability is on the applet, not the application part of Java (server-side development).

On the other hand, Oracle seems to be rather slow in addressing these issues. Their obtuseness doesn't give me much comfort either.

Alien Bob 01-12-2013 06:58 AM

FYI.

I observe that there are no vulnerability statements from the OPENJDK developers. The reason being, that OpenJDK does not inherit the browser plugin from Oracle's JDK... it was Oracle's decision not to open-source that plugin.
Therefore OpenJDK can use a separate browser plugin (if you compile it using the icedtea framework) called icedtea-web which has been developed independently from JDK and apparently there is no vulnerability in there.

Slackware packages for OpenJDK: http://slackware.com/~alien/slackbuilds/openjdk/


Eric

rastiazul 01-13-2013 09:18 PM

fix is out
u11

tronayne 01-15-2013 06:15 AM

Java SE 7u11 JDK and JRE are available at http://www.oracle.com/technetwork/ja...ads/index.html. I've upgraded using jdk-7u11-linux-x64.tar.gz with no discernible problems with Java applications or with the browser plug-in but, for now, I'm keeping the plug-in disabled in Firefox and Seamonkey (although the problems seems to have been fixed, I'll give it a week or two and see what might turn up -- YMMV).

Hope this helps some.

ponce 01-15-2013 12:14 PM

also CERT is suggesting to keep the browser plugin still disabled, even after updating to u11:

http://www.kb.cert.org/vuls/id/625617

in that advisory it says that also openjdk is affected.

dugan 01-15-2013 12:36 PM

Quote:

Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
Heh.

ponce 01-18-2013 12:07 AM

another exploit being sold for $5000 (considering what you can do with it, it's pretty cheap!).

That put me in discomfort also because it makes me recall that Limahl guy ( http://www.youtube.com/watch?v=3khTntOxX-k ).


All times are GMT -5. The time now is 07:09 PM.