LinuxQuestions.org > Forums > Linux - News
Old 01-11-2013, 10:01 AM   #1
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 2,863

Rep: Reputation: 698
Oracle Java 7 Security Manager Bypass Vulnerability


US-CERT Alert TA13-010A (10 Jan 2013, 18:07) (http://www.kb.cert.org/vuls/id/625617):
Quote:
Systems Affected

Any system using Oracle Java 7 (1.7, 1.7.0) including

* Java Platform Standard Edition 7 (Java SE 7)
* Java SE Development Kit (JDK 7)
* Java SE Runtime Environment (JRE 7)

All versions of Java 7 through update 10 are affected. Web browsers using the Java 7 plug-in are at high risk.

Overview

A vulnerability in the way Java 7 restricts the permissions of Java applets could allow an attacker to execute arbitrary commands on a vulnerable system.

Description

A vulnerability in the Java Security Manager allows a Java applet to grant itself permission to execute arbitrary code. An attacker could use social engineering techniques to entice a user to visit a link to a website hosting a malicious Java applet. An attacker could also compromise a legitimate web site and upload a malicious Java applet (a "drive-by download" attack).

Any web browser using the Java 7 plug-in is affected. The Java Deployment Toolkit plug-in and Java Web Start can also be used as attack vectors.

Reports indicate this vulnerability is being actively exploited, and exploit code is publicly available.

Further technical details are available in Vulnerability Note VU#625617.

Impact

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.

Solution

Disable Java in web browsers

This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, disable Java in web browsers.

Starting with Java 7 Update 10, it is possible to disable Java content in web browsers through the Java control panel applet. From Setting the Security Level of the Java Client:

For installations where the highest level of security is required, it is possible to entirely prevent any Java apps (signed or unsigned) from running in a browser by de-selecting Enable Java content in the browser in the Java Control Panel under the Security tab.

If you are unable to update to Java 7 Update 10 please see the solution section of Vulnerability Note VU#636312 for instructions on how to disable Java on a per browser basis.
Oracle's web site, http://www.oracle.com/technetwork/java/index.html, has JDK and JRE 7 update 10 available for those interested.

Hope this helps some.

Last edited by tronayne; 01-11-2013 at 10:09 AM. Reason: Sorry, forgot the US-CERT link.
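The alert above gives two pieces of practical guidance: the affected range is every Java 7 build through update 10, and the fix that outlives this one bug is to switch off Java content in the browser (the Control Panel checkbox that arrived in 7u10, or per-browser plug-in removal for older builds). The script below is an added example, not part of tronayne's post, the US-CERT alert, or anything Oracle ships: it parses the `java -version` banner to decide whether the installed build is inside the affected range, and then turns off browser Java from the shell so the result can be scripted and verified on a Slackware box without opening the GUI control panel. Assumptions not stated on the page: that the "Enable Java content in the browser" checkbox is stored as the key `deployment.webjava.enabled` in the per-user file `~/.java/deployment/deployment.properties`, that Mozilla browsers pick up the Oracle plug-in as a symlink named `libnpjp2.so` in a plugins directory, and the sample banner strings in the comments, which are constructed.

```shell
#!/bin/sh
# Added example (not from the LQ thread, US-CERT, or Oracle). Checks whether
# the installed Java 7 is in the range TA13-010A calls affected (7u0..7u10)
# and disables Java in the browser without the Java Control Panel.
# ASSUMPTIONS (not on the page): the Control Panel checkbox is backed by the
# key deployment.webjava.enabled in ~/.java/deployment/deployment.properties,
# and the Mozilla plug-in is a symlink named libnpjp2.so in a plugins dir.
set -eu

# java_update_from_banner <first line of `java -version`>
# Prints the Java 7 update number, or -1 when the banner is not Java 1.7.
# Constructed examples: 'java version "1.7.0_10"' -> 10
#                       'java version "1.7.0_09-icedtea"' -> 9
#                       'java version "1.7.0"' -> 0
#                       'java version "1.6.0_37"' -> -1
java_update_from_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p')
    case "$ver" in
        1.7.0_*) printf '%s\n' "${ver#1.7.0_}" | sed 's/[^0-9].*//; s/^0*\([0-9]\)/\1/' ;;
        1.7.0)   printf '%s\n' 0 ;;
        *)       printf '%s\n' -1 ;;
    esac
}

# java7_affected <update>: success when the update is in 0..10, the range
# the alert lists ("all versions of Java 7 through update 10").
java7_affected() {
    if [ "$1" -ge 0 ] && [ "$1" -le 10 ]; then return 0; fi
    return 1
}

# disable_webjava <deployment.properties>
# Writes deployment.webjava.enabled=false, replacing any earlier value so the
# key appears exactly once; creates the file and directory when missing.
disable_webjava() {
    f=$1
    mkdir -p "$(dirname "$f")"
    [ -f "$f" ] || : > "$f"
    grep -v '^deployment\.webjava\.enabled=' "$f" > "$f.tmp" || true
    printf '%s\n' 'deployment.webjava.enabled=false' >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# webjava_disabled <deployment.properties>: success when the effective (last)
# value of the key is false. Use it to verify before trusting the setting.
webjava_disabled() {
    if [ "$(sed -n 's/^deployment\.webjava\.enabled=//p' "$1" | tail -n 1)" = false ]; then
        return 0
    fi
    return 1
}

# unlink_npjp2 <plugins dir>: the per-browser route for builds older than
# 7u10: drop the libnpjp2.so symlink so Firefox/SeaMonkey never load it.
unlink_npjp2() {
    d=$1
    [ -L "$d/libnpjp2.so" ] || return 0
    rm -f "$d/libnpjp2.so" && printf 'removed %s\n' "$d/libnpjp2.so"
}

main() {
    if command -v java >/dev/null 2>&1; then
        banner=$(java -version 2>&1 | head -n 1)
        u=$(java_update_from_banner "$banner")
        if java7_affected "$u"; then
            printf '%s\n' "Java 7u$u is in the affected range (7u0-7u10); disabling browser Java"
        else
            printf '%s\n' "Not in the affected range ($banner); disabling anyway, as the alert advises"
        fi
    fi
    props="$HOME/.java/deployment/deployment.properties"
    disable_webjava "$props"
    webjava_disabled "$props" && printf 'webjava disabled in %s\n' "$props"
    unlink_npjp2 "$HOME/.mozilla/plugins"
}

# Only act when invoked as `sh disable-webjava.sh apply`; sourcing or running
# with no argument just defines the functions.
if [ "${1:-}" = apply ]; then main; fi
```

Run it as `sh disable-webjava.sh apply` as the user whose browser profile matters; the deployment.properties change is per-user, so each account that runs a browser needs it. After the run, the Java Control Panel should show the "Enable Java content in the browser" box unchecked, and `about:plugins` in Firefox should no longer list the Java plug-in.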
 
Old 01-11-2013, 10:20 AM   #2
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,314

Rep: Reputation: 816
u10 is vulnerable too, there are no official safe releases from Oracle ATM.
the only solution for now is to disable it in the browser/uninstall it.
 
Old 01-11-2013, 10:46 AM   #3
GazL
Senior Member
 
Registered: May 2008
Posts: 3,231

Rep: Reputation: 828
Quote:
Originally Posted by ponce View Post
u10 is vulnerable too, there are no official safe releases from Oracle ATM.
"ATM"? Judging by its history I don't think it would be unreasonable to say that java lives in a perpetual state of vulnerability.

I'm just glad I have no need of it.
 
Old 01-11-2013, 05:57 PM   #4
angryfirelord
Member
 
Registered: Dec 2005
Posts: 491

Rep: Reputation: 57
Quote:
Originally Posted by GazL View Post
"ATM"? Judging by its history I don't think it would be unreasonable to say that java lives in a perpetual state of vulnerability.

I'm just glad I have no need of it.
On one hand, I don't think it's fair to single out Java for every vulnerability since pretty much every piece of software suffers from 0-day exploits. The Ruby on Rails vulnerability that happened last week is a good example. Whereas with Java, the vulnerability is on the applet, not the application part of Java (server-side development).

On the other hand, Oracle seems to be rather slow in addressing these issues. Their obtuseness doesn't give me much comfort either.
 
Old 01-12-2013, 06:58 AM   #5
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,111

Rep: Reputation: Disabled
FYI.

I observe that there are no vulnerability statements from the OPENJDK developers. The reason being, that OpenJDK does not inherit the browser plugin from Oracle's JDK... it was Oracle's decision not to open-source that plugin.
Therefore OpenJDK can use a separate browser plugin (if you compile it using the icedtea framework) called icedtea-web which has been developed independently from JDK and apparently there is no vulnerability in there.

Slackware packages for OpenJDK: http://slackware.com/~alien/slackbuilds/openjdk/


Eric
 
Old 01-13-2013, 09:18 PM   #6
rastiazul
Member
 
Registered: Feb 2006
Location: Costa Rica
Distribution: PCLinuxOS, Mint, Eeebuntu
Posts: 67

Rep: Reputation: 15
fix is out
u11
 
Old 01-15-2013, 06:15 AM   #7
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 2,863

Original Poster
Rep: Reputation: 698
Java SE 7u11 JDK and JRE are available at http://www.oracle.com/technetwork/ja...ads/index.html. I've upgraded using jdk-7u11-linux-x64.tar.gz with no discernible problems with Java applications or with the browser plug-in but, for now, I'm keeping the plug-in disabled in Firefox and Seamonkey (although the problem seems to have been fixed, I'll give it a week or two and see what might turn up -- YMMV).

Hope this helps some.
 
Old 01-15-2013, 12:14 PM   #8
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,314

Rep: Reputation: 816
also CERT is suggesting to keep the browser plugin still disabled, even after updating to u11:

http://www.kb.cert.org/vuls/id/625617

in that advisory it says that OpenJDK is also affected.
 
Old 01-15-2013, 12:36 PM   #9
dugan
Senior Member
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 4,238

Rep: Reputation: 1299
Quote:
Unless it is absolutely necessary to run Java in web browsers, disable it as described below, even after updating to 7u11. This will help mitigate other Java vulnerabilities that may be discovered in the future.
Heh.
 
Old 01-18-2013, 12:07 AM   #10
ponce
Senior Member
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 2,314

Rep: Reputation: 816
another exploit being sold for $5000 (considering what you can do with it, it's pretty cheap!).

That put me in discomfort also because it makes me recall that Limahl guy ( http://www.youtube.com/watch?v=3khTntOxX-k ).

Last edited by ponce; 01-18-2013 at 12:17 AM.
 
All times are GMT -5.