OpenJDK vulnerabilities

2009-08-1100:00:00

ubuntu.com

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

8.4 High

AI Score

Confidence

High

0.973 High

EPSS

Percentile

99.9%

JSON

Releases

Ubuntu 9.04
Ubuntu 8.10

Packages

openjdk-6 -

Details

It was discovered that the XML HMAC signature system did not
correctly check certain lengths. If an attacker sent a truncated
HMAC, it could bypass authentication, leading to potential privilege
escalation. (CVE-2009-0217)

It was discovered that JAR bundles would appear signed if only one element
was signed. If a user were tricked into running a malicious Java applet, a
remote attacker could exploit this to gain access to private information and
potentially run untrusted code. (CVE-2009-1896)

It was discovered that certain variables could leak information. If a
user were tricked into running a malicious Java applet, a remote attacker
could exploit this to gain access to private information and potentially
run untrusted code. (CVE-2009-2475, CVE-2009-2690)

A flaw was discovered the OpenType checking. If a user were tricked
into running a malicious Java applet, a remote attacker could bypass
access restrictions. (CVE-2009-2476)

It was discovered that the XML processor did not correctly check
recursion. If a user or automated system were tricked into processing
a specially crafted XML, the system could crash, leading to a denial of
service. (CVE-2009-2625)

It was discovered that the Java audio subsystem did not correctly validate
certain parameters. If a user were tricked into running an untrusted
applet, a remote attacker could read system properties. (CVE-2009-2670)

Multiple flaws were discovered in the proxy subsystem. If a user
were tricked into running an untrusted applet, a remote attacker could
discover local user names, obtain access to sensitive information, or
bypass socket restrictions, leading to a loss of privacy. (CVE-2009-2671,
CVE-2009-2672, CVE-2009-2673)

Flaws were discovered in the handling of JPEG images, Unpack200 archives,
and JDK13Services. If a user were tricked into running an untrusted
applet, a remote attacker could load a specially crafted file that would
bypass local file access protections and run arbitrary code with user
privileges. (CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-2689)

OSVersionArchitecturePackageVersionFilename
Ubuntu9.04noarchopenjdk-6-jre-lib< 6b14-1.4.1-0ubuntu11UNKNOWN
Ubuntu9.04noarchicedtea-6-jre-cacao< 6b14-1.4.1-0ubuntu11UNKNOWN
Ubuntu9.04noarchicedtea6-plugin< 6b14-1.4.1-0ubuntu11UNKNOWN
Ubuntu9.04noarchopenjdk-6-dbg< 6b14-1.4.1-0ubuntu11UNKNOWN
Ubuntu9.04noarchopenjdk-6-demo< 6b14-1.4.1-0ubuntu11UNKNOWN
Ubuntu9.04noarchopenjdk-6-jdk< 6b14-1.4.1-0ubuntu11UNKNOWN
Ubuntu9.04noarchopenjdk-6-jre< 6b14-1.4.1-0ubuntu11UNKNOWN
Ubuntu9.04noarchopenjdk-6-jre< headless-6b14-1.4.1-0ubuntu11UNKNOWN
Ubuntu9.04noarchopenjdk-6-jre< zero-6b14-1.4.1-0ubuntu11UNKNOWN
Ubuntu8.10noarchopenjdk-6-jre-lib< 6b12-0ubuntu6.5UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Ubuntu	9.04	noarch	openjdk-6-jre-lib	< 6b14-1.4.1-0ubuntu11	UNKNOWN
Ubuntu	9.04	noarch	icedtea-6-jre-cacao	< 6b14-1.4.1-0ubuntu11	UNKNOWN
Ubuntu	9.04	noarch	icedtea6-plugin	< 6b14-1.4.1-0ubuntu11	UNKNOWN
Ubuntu	9.04	noarch	openjdk-6-dbg	< 6b14-1.4.1-0ubuntu11	UNKNOWN
Ubuntu	9.04	noarch	openjdk-6-demo	< 6b14-1.4.1-0ubuntu11	UNKNOWN
Ubuntu	9.04	noarch	openjdk-6-jdk	< 6b14-1.4.1-0ubuntu11	UNKNOWN
Ubuntu	9.04	noarch	openjdk-6-jre	< 6b14-1.4.1-0ubuntu11	UNKNOWN
Ubuntu	9.04	noarch	openjdk-6-jre	< headless-6b14-1.4.1-0ubuntu11	UNKNOWN
Ubuntu	9.04	noarch	openjdk-6-jre	< zero-6b14-1.4.1-0ubuntu11	UNKNOWN
Ubuntu	8.10	noarch	openjdk-6-jre-lib	< 6b12-0ubuntu6.5	UNKNOWN