Debian DSA-2420-1 : openjdk-6 - several vulnerabilities - Nessus
Severity: Critical. Plugin ID: 58148. This page contains detailed information about the Debian DSA-2420-1 : openjdk-6 - several vulnerabilities Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.
Plugin Overview
ID: 58148
Name: Debian DSA-2420-1 : openjdk-6 - several vulnerabilities
Filename: debian_DSA-2420.nasl
Vulnerability Published: N/A
This Plugin Published: 2012-02-29
Last Modification Time: 2022-03-08
Plugin Version: 1.27
Plugin Type: local
Plugin Family: Debian Local Security Checks
Dependencies:
ssh_get_info.nasl
Required KB Items: Host/Debian/dpkg-l, Host/Debian/release, Host/local_checks_enabled
Vulnerability Information
Severity: Critical
Vulnerability Published: N/A
Patch Published: 2012-02-28
CVE: CVE-2011-3377, CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507
CPE: cpe:/o:debian:debian_linux:6.0, p-cpe:/a:debian:debian_linux:openjdk-6
Exploited by Malware: True
Synopsis
The remote Debian host is missing a security-related update.
Description
Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform.
- CVE-2011-3377 The IcedTea browser plugin included in the openjdk-6 package does not properly enforce the Same Origin Policy on web content served under a domain name which has a common suffix with the required domain name.
- CVE-2011-3563 The Java Sound component did not properly check array boundaries. Malicious input or an untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or disclose a portion of its memory.
- CVE-2011-5035 The OpenJDK embedded web server did not guard against an excessive number of request parameters, leading to a denial of service vulnerability involving hash collisions.
- CVE-2012-0497 It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. This could lead to a JVM crash or a Java sandbox bypass.
- CVE-2012-0501 The ZIP central directory parser used by java.util.zip.ZipFile entered an infinite recursion in native code when processing a crafted ZIP file, leading to a denial of service.
- CVE-2012-0502 A flaw was found in the AWT KeyboardFocusManager class that could allow untrusted Java applets to acquire keyboard focus and possibly steal sensitive information.
- CVE-2012-0503 The java.util.TimeZone.setDefault() method lacked a security manager invocation, allowing an untrusted Java application or applet to set a new default time zone.
- CVE-2012-0505 The Java serialization code leaked references to serialization exceptions, possibly leaking critical objects to untrusted code in Java applets and applications.
- CVE-2012-0506 It was discovered that the CORBA implementation in Java did not properly protect repository identifiers (which can be obtained using the _ids() method) on certain CORBA objects. This could have been used to modify data that should have been immutable.
- CVE-2012-0507 The AtomicReferenceArray class implementation did not properly check whether the array is of the expected Object[] type. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine or bypass Java sandbox restrictions.
Solution
Upgrade the openjdk-6 packages.
For the stable distribution (squeeze), these problems have been fixed in version 6b18-1.8.13-0+squeeze1.
Public Exploits
Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the Debian DSA-2420-1 : openjdk-6 - several vulnerabilities vulnerability:
- Metasploit: exploit/multi/browser/java_atomicreferencearray [Java AtomicReferenceArray Type Violation Vulnerability]
- Metasploit: auxiliary/dos/http/hashcollision_dos [Hashtable Collisions]
- Exploit-DB: exploits/php/dos/18305.py [EDB-18305: PHP Hash Table Collision - Denial of Service (PoC)]
- Exploit-DB: exploits/multiple/remote/18679.rb [EDB-18679: Java - AtomicReferenceArray Type Violation (Metasploit)]
- GitHub: https://github.com/frg316/cve2012-0507 [CVE-2012-0507: AtomicReferenceArray Hack]
- Immunity Canvas: CANVAS
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: 10.0 (High)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Temporal Score: 8.7 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.7 (High)
Plugin Source
This is the debian_DSA-2420.nasl nessus plugin source code. This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-2420. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(58148);
script_version("1.27");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/08");
script_cve_id(
"CVE-2011-3377",
"CVE-2011-3563",
"CVE-2011-5035",
"CVE-2012-0497",
"CVE-2012-0501",
"CVE-2012-0502",
"CVE-2012-0503",
"CVE-2012-0505",
"CVE-2012-0506",
"CVE-2012-0507"
);
script_bugtraq_id(
50610,
51194,
52009,
52011,
52012,
52013,
52014,
52017,
52018,
52161
);
script_xref(name:"DSA", value:"2420");
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/24");
script_name(english:"Debian DSA-2420-1 : openjdk-6 - several vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
script_set_attribute(attribute:"description", value:
"Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform.
- CVE-2011-3377
The IcedTea browser plugin included in the openjdk-6
package does not properly enforce the Same Origin Policy
on web content served under a domain name which has a
common suffix with the required domain name.
- CVE-2011-3563
The Java Sound component did not properly check for
array boundaries. A malicious input or an untrusted Java
application or applet could use this flaw to cause Java
Virtual Machine to crash or disclose portion of its
memory.
- CVE-2011-5035
The OpenJDK embedded web server did not guard against an
excessive number of a request parameters, leading to a
denial of service vulnerability involving hash
collisions.
- CVE-2012-0497
It was discovered that Java2D did not properly check
graphics rendering objects before passing them to the
native renderer. This could lead to JVM crash or Java
sandbox bypass.
- CVE-2012-0501
The ZIP central directory parser used by
java.util.zip.ZipFile entered an infinite recursion in
native code when processing a crafted ZIP file, leading
to a denial of service.
- CVE-2012-0502
A flaw was found in the AWT KeyboardFocusManager class
that could allow untrusted Java applets to acquire
keyboard focus and possibly steal sensitive information.
- CVE-2012-0503
The java.util.TimeZone.setDefault() method lacked a
security manager invocation, allowing an untrusted Java
application or applet to set a new default time zone.
- CVE-2012-0505
The Java serialization code leaked references to
serialization exceptions, possibly leaking critical
objects to untrusted code in Java applets and
applications.
- CVE-2012-0506
It was discovered that CORBA implementation in Java did
not properly protect repository identifiers (that can be
obtained using _ids() method) on certain Corba objects.
This could have been used to perform modification of the
data that should have been immutable.
- CVE-2012-0507
The AtomicReferenceArray class implementation did not
properly check if the array is of an expected Object[]
type. A malicious Java application or applet could use
this flaw to cause Java Virtual Machine to crash or
bypass Java sandbox restrictions.");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-3377");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-3563");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-5035");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0497");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0501");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0502");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0503");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0505");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0506");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0507");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/squeeze/openjdk-6");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2012/dsa-2420");
script_set_attribute(attribute:"solution", value:
"Upgrade the openjdk-6 packages.
For the stable distribution (squeeze), these problems have been fixed
in version 6b18-1.8.13-0+squeeze1.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Java AtomicReferenceArray Type Violation Vulnerability');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
script_set_attribute(attribute:"patch_publication_date", value:"2012/02/28");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/02/29");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openjdk-6");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"6.0", prefix:"icedtea-6-jre-cacao", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-dbg", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-demo", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-doc", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-jdk", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-jre", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-jre-headless", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-jre-lib", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-jre-zero", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-source", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
else security_hole(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
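The detection logic of the plugin above comes down to one question per package: is the installed version older than 6b18-1.8.13-0+squeeze1 under dpkg's version ordering? The following Python is an added example that re-implements that check stand-alone; it is not Tenable's deb_check and does not run inside Nessus. It parses `dpkg -l` output, compares versions with the dpkg algorithm (epoch, then upstream version, then Debian revision, with `~` sorting before everything and letters before other characters), and reports any affected package that is still below the fixed version. The package list and fixed version are copied from the plugin; the `dpkg -l` sample is constructed, and treating only `ii` rows as installed is an assumption of this example.

```python
"""Stand-alone re-implementation of a Debian local security check:
flag installed packages older than the version fixed in DSA-2420."""

# Package list and fixed version as they appear in debian_DSA-2420.nasl.
FIXED_VERSION = "6b18-1.8.13-0+squeeze1"
AFFECTED_PACKAGES = (
    "icedtea-6-jre-cacao", "openjdk-6-dbg", "openjdk-6-demo", "openjdk-6-doc",
    "openjdk-6-jdk", "openjdk-6-jre", "openjdk-6-jre-headless",
    "openjdk-6-jre-lib", "openjdk-6-jre-zero", "openjdk-6-source",
)


def _order(c):
    """Sort weight of one character in a non-digit run, as dpkg defines it:
    '~' sorts before everything (even end of string), digits count as 0,
    letters sort before any other character."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments dpkg-style: alternate between
    non-digit runs (modified lexical order) and digit runs (numeric)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: end of string weighs 0, so "1.0" > "1.0~rc1" but < "1.0a".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then the longer run wins, else first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def debian_version_cmp(v1, v2):
    """Full dpkg comparison: [epoch:]upstream[-revision]. Negative means v1 < v2."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def parse_dpkg_l(output):
    """Return {name: version} for rows in installed state ('ii').
    Assumption: rows in other states (e.g. 'rc', removed with config files
    left behind) are not installed and are therefore not reported."""
    installed = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "ii":
            continue
        name = fields[1].split(":", 1)[0]  # strip a multiarch suffix if present
        installed[name] = fields[2]
    return installed


def find_unpatched(dpkg_output, packages=AFFECTED_PACKAGES, fixed=FIXED_VERSION):
    """Mirror of the plugin's deb_check loop: every affected package installed
    at a version older than the fixed one is returned with its version."""
    installed = parse_dpkg_l(dpkg_output)
    return {p: installed[p] for p in packages
            if p in installed and debian_version_cmp(installed[p], fixed) < 0}


# Constructed sample of `dpkg -l` output (not captured from a real host).
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                   Version                 Description
+++-======================-=======================-==========
ii  openjdk-6-jre-headless 6b18-1.8.10-0+squeeze2  OpenJDK Java runtime (headless)
ii  openjdk-6-jre-lib      6b18-1.8.13-0+squeeze1  OpenJDK Java runtime (arch-independent libs)
ii  icedtea-6-jre-cacao    6b18-1.8.13-0+squeeze1  Alternative JVM for OpenJDK (CACAO)
rc  openjdk-6-demo         6b18-1.8.10-0+squeeze2  Java runtime demos (removed, config left)
ii  libc6                  2.11.3-4                Embedded GNU C Library
"""

if __name__ == "__main__":
    for pkg, ver in find_unpatched(SAMPLE_DPKG_L).items():
        print(f"{pkg} {ver} is older than {FIXED_VERSION}: DSA-2420 update missing")
```

On the sample, only openjdk-6-jre-headless is reported: its version 6b18-1.8.10-0+squeeze2 is older than the fix, openjdk-6-jre-lib and icedtea-6-jre-cacao are already at the fixed version, and the openjdk-6-demo row is in `rc` state, so it is not installed. The version comparison is the part worth getting right; a plain string or float comparison would misorder 1.10 against 1.9 and would not understand `~` pre-release suffixes.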
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix:
/opt/nessus/lib/nessus/plugins/debian_DSA-2420.nasl
- Windows:
C:\ProgramData\Tenable\Nessus\nessus\plugins\debian_DSA-2420.nasl
- Mac OS X:
/Library/Nessus/run/lib/nessus/plugins/debian_DSA-2420.nasl
How to Run
Here is how to run the Debian DSA-2420-1 : openjdk-6 - several vulnerabilities plugin as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select Debian Local Security Checks plugin family.
- On the right side table select Debian DSA-2420-1 : openjdk-6 - several vulnerabilities plugin ID 58148.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl debian_DSA-2420.nasl -t <IP/HOST>
Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a debian_DSA-2420.nasl -t <IP/HOST>
Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - debian_DSA-2420.nasl -t <IP/HOST>
Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state debian_DSA-2420.nasl -t <IP/HOST>
References
BID: SecurityFocus Bugtraq ID. DSA: Debian Security Advisory. See also:
- https://www.tenable.com/plugins/nessus/58148
- https://packages.debian.org/source/squeeze/openjdk-6
- https://security-tracker.debian.org/tracker/CVE-2011-3377
- https://security-tracker.debian.org/tracker/CVE-2011-3563
- https://security-tracker.debian.org/tracker/CVE-2011-5035
- https://security-tracker.debian.org/tracker/CVE-2012-0497
- https://security-tracker.debian.org/tracker/CVE-2012-0501
- https://security-tracker.debian.org/tracker/CVE-2012-0502
- https://security-tracker.debian.org/tracker/CVE-2012-0503
- https://security-tracker.debian.org/tracker/CVE-2012-0505
- https://security-tracker.debian.org/tracker/CVE-2012-0506
- https://security-tracker.debian.org/tracker/CVE-2012-0507
- https://www.debian.org/security/2012/dsa-2420
- https://vulners.com/nessus/DEBIAN_DSA-2420.NASL
- 57961 - CentOS 6 : java-1.6.0-openjdk (CESA-2012:0135)
- 72139 - GLSA-201401-30 : Oracle JRE/JDK: Multiple vulnerabilities (ROBOT)
- 76303 - GLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT)
- 58090 - Oracle GlassFish Server 2.1.1 < 2.1.1.15 / 3.0.1 < 3.0.1.5 / 3.1.1 < 3.1.1.2 Hash Collision DoS
- 58605 - Mac OS X : Java for Mac OS X 10.6 Update 7
- 58606 - Mac OS X : Java for OS X Lion 2012-001
- 56809 - Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2011:170)
- 58026 - Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2012:021)
- 57959 - Oracle Java SE Multiple Vulnerabilities (February 2012 CPU)
- 64847 - Oracle Java SE Multiple Vulnerabilities (February 2012 CPU) (Unix)
- 76683 - Oracle JRockit R27 < R27.7.2.5 / R28 < R28.2.3.13 Multiple Vulnerabilities (April 2012 CPU)
- 68459 - Oracle Linux 6 : java-1.6.0-openjdk (ELSA-2012-0135)
- 68487 - Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2012-0322)
- 57956 - RHEL 6 : java-1.6.0-openjdk (RHSA-2012:0135)
- 57991 - RHEL 4 / 5 / 6 : java-1.6.0-sun (RHSA-2012:0139)
- 58084 - RHEL 5 : java-1.6.0-openjdk (RHSA-2012:0322)
- 58840 - RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2012:0508) (BEAST)
- 58866 - RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2012:0514)
- 56860 - Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : icedtea-web, openjdk-6, openjdk-6b18 vulnerabilities (USN-1263-1) (BEAST)
- 57685 - Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : openjdk-6, openjdk-6b18 regression (USN-1263-2) (BEAST)
- 58179 - Ubuntu 10.04 LTS / 10.10 / 11.04 : openjdk-6b18 vulnerabilities (USN-1373-2)
- 66806 - VMware vCenter Multiple Vulnerabilities (VMSA-2012-0013)
- 61747 - VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries
- 89038 - VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0013) (remote check)
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file debian_DSA-2420.nasl version 1.27. For more plugins, visit the Nessus Plugin Library.