Debian DSA-2420-1 : openjdk-6 - several vulnerabilities - Nessus

Severity: Critical | Plugin ID: 58148

This page contains detailed information about the Debian DSA-2420-1 : openjdk-6 - several vulnerabilities Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or in Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 58148
Name: Debian DSA-2420-1 : openjdk-6 - several vulnerabilities
Filename: debian_DSA-2420.nasl
Vulnerability Published: N/A
This Plugin Published: 2012-02-29
Last Modification Time: 2022-03-08
Plugin Version: 1.27
Plugin Type: local
Plugin Family: Debian Local Security Checks
Dependencies: ssh_get_info.nasl
Required KB Items [?]: Host/Debian/dpkg-l, Host/Debian/release, Host/local_checks_enabled

Vulnerability Information


Severity: Critical
Vulnerability Published: N/A
Patch Published: 2012-02-28
CVE [?]: CVE-2011-3377, CVE-2011-3563, CVE-2011-5035, CVE-2012-0497, CVE-2012-0501, CVE-2012-0502, CVE-2012-0503, CVE-2012-0505, CVE-2012-0506, CVE-2012-0507
CPE [?]: cpe:/o:debian:debian_linux:6.0, p-cpe:/a:debian:debian_linux:openjdk-6
Exploited by Malware: True

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform.

- CVE-2011-3377 The IcedTea browser plugin included in the openjdk-6 package does not properly enforce the Same Origin Policy on web content served under a domain name which has a common suffix with the required domain name.

- CVE-2011-3563 The Java Sound component did not properly check for array boundaries. Malicious input or an untrusted Java application or applet could use this flaw to cause the Java Virtual Machine to crash or disclose a portion of its memory.

- CVE-2011-5035 The OpenJDK embedded web server did not guard against an excessive number of request parameters, leading to a denial of service vulnerability involving hash collisions.

- CVE-2012-0497 It was discovered that Java2D did not properly check graphics rendering objects before passing them to the native renderer. This could lead to a JVM crash or a Java sandbox bypass.

- CVE-2012-0501 The ZIP central directory parser used by java.util.zip.ZipFile entered an infinite recursion in native code when processing a crafted ZIP file, leading to a denial of service.

- CVE-2012-0502 A flaw was found in the AWT KeyboardFocusManager class that could allow untrusted Java applets to acquire keyboard focus and possibly steal sensitive information.

- CVE-2012-0503 The java.util.TimeZone.setDefault() method lacked a security manager invocation, allowing an untrusted Java application or applet to set a new default time zone.

- CVE-2012-0505 The Java serialization code leaked references to serialization exceptions, possibly leaking critical objects to untrusted code in Java applets and applications.

- CVE-2012-0506 It was discovered that the CORBA implementation in Java did not properly protect repository identifiers (which can be obtained using the _ids() method) on certain CORBA objects. This could have been used to modify data that should have been immutable.

- CVE-2012-0507 The AtomicReferenceArray class implementation did not properly check whether the array is of the expected Object[] type. A malicious Java application or applet could use this flaw to cause the Java Virtual Machine to crash or to bypass Java sandbox restrictions.

Solution

Upgrade the openjdk-6 packages.

For the stable distribution (squeeze), these problems have been fixed in version 6b18-1.8.13-0+squeeze1.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Debian DSA-2420-1 : openjdk-6 - several vulnerabilities vulnerability:

  1. Metasploit: exploit/multi/browser/java_atomicreferencearray
    [Java AtomicReferenceArray Type Violation Vulnerability]
  2. Metasploit: auxiliary/dos/http/hashcollision_dos
    [Hashtable Collisions]
  3. Exploit-DB: exploits/php/dos/18305.py
    [EDB-18305: PHP Hash Table Collision - Denial of Service (PoC)]
  4. Exploit-DB: exploits/multiple/remote/18679.rb
    [EDB-18679: Java - AtomicReferenceArray Type Violation (Metasploit)]
  5. GitHub: https://github.com/frg316/cve2012-0507
    [CVE-2012-0507: AtomicReferenceArray Hack]
  6. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score: 10.0 (High)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Temporal Score: 8.7 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.7 (High)


Plugin Source


This is the debian_DSA-2420.nasl nessus plugin source code. This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-2420. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(58148);
  script_version("1.27");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/08");

  script_cve_id(
    "CVE-2011-3377",
    "CVE-2011-3563",
    "CVE-2011-5035",
    "CVE-2012-0497",
    "CVE-2012-0501",
    "CVE-2012-0502",
    "CVE-2012-0503",
    "CVE-2012-0505",
    "CVE-2012-0506",
    "CVE-2012-0507"
  );
  script_bugtraq_id(
    50610,
    51194,
    52009,
    52011,
    52012,
    52013,
    52014,
    52017,
    52018,
    52161
  );
  script_xref(name:"DSA", value:"2420");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/24");

  script_name(english:"Debian DSA-2420-1 : openjdk-6 - several vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:
"Several vulnerabilities have been discovered in OpenJDK, an
implementation of the Oracle Java platform.

  - CVE-2011-3377
    The IcedTea browser plugin included in the openjdk-6
    package does not properly enforce the Same Origin Policy
    on web content served under a domain name which has a
    common suffix with the required domain name.

  - CVE-2011-3563
    The Java Sound component did not properly check for
    array boundaries. A malicious input or an untrusted Java
    application or applet could use this flaw to cause Java
    Virtual Machine to crash or disclose portion of its
    memory.

  - CVE-2011-5035
    The OpenJDK embedded web server did not guard against an
    excessive number of a request parameters, leading to a
    denial of service vulnerability involving hash
    collisions.

  - CVE-2012-0497
    It was discovered that Java2D did not properly check
    graphics rendering objects before passing them to the
    native renderer. This could lead to JVM crash or Java
    sandbox bypass.

  - CVE-2012-0501
    The ZIP central directory parser used by
    java.util.zip.ZipFile entered an infinite recursion in
    native code when processing a crafted ZIP file, leading
    to a denial of service.

  - CVE-2012-0502
    A flaw was found in the AWT KeyboardFocusManager class
    that could allow untrusted Java applets to acquire
    keyboard focus and possibly steal sensitive information.

  - CVE-2012-0503
    The java.util.TimeZone.setDefault() method lacked a
    security manager invocation, allowing an untrusted Java
    application or applet to set a new default time zone.

  - CVE-2012-0505
    The Java serialization code leaked references to
    serialization exceptions, possibly leaking critical
    objects to untrusted code in Java applets and
    applications.

  - CVE-2012-0506
    It was discovered that CORBA implementation in Java did
    not properly protect repository identifiers (that can be
    obtained using _ids() method) on certain Corba objects.
    This could have been used to perform modification of the
    data that should have been immutable.

  - CVE-2012-0507
    The AtomicReferenceArray class implementation did not
    properly check if the array is of an expected Object[]
    type. A malicious Java application or applet could use
    this flaw to cause Java Virtual Machine to crash or
    bypass Java sandbox restrictions.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-3377");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-3563");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-5035");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0497");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0501");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0502");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0503");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0505");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0506");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2012-0507");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/squeeze/openjdk-6");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2012/dsa-2420");
  script_set_attribute(attribute:"solution", value:
"Upgrade the openjdk-6 packages.

For the stable distribution (squeeze), these problems have been fixed
in version 6b18-1.8.13-0+squeeze1.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Java AtomicReferenceArray Type Violation Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/02/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/02/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:openjdk-6");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"6.0", prefix:"icedtea-6-jre-cacao", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-dbg", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-demo", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-doc", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-jdk", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-jre", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-jre-headless", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-jre-lib", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-jre-zero", reference:"6b18-1.8.13-0+squeeze1")) flag++;
if (deb_check(release:"6.0", prefix:"openjdk-6-source", reference:"6b18-1.8.13-0+squeeze1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/debian_DSA-2420.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\debian_DSA-2420.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/debian_DSA-2420.nasl


How to Run


Here is how to run the Debian DSA-2420-1 : openjdk-6 - several vulnerabilities plugin as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Debian Local Security Checks plugin family.
  6. On the right side table select Debian DSA-2420-1 : openjdk-6 - several vulnerabilities plugin ID 58148.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl debian_DSA-2420.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a debian_DSA-2420.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - debian_DSA-2420.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the same target):

/opt/nessus/bin/nasl -K /tmp/state debian_DSA-2420.nasl -t <IP/HOST>


References


Similar and related Nessus plugins:
  • 57961 - CentOS 6 : java-1.6.0-openjdk (CESA-2012:0135)
  • 72139 - GLSA-201401-30 : Oracle JRE/JDK: Multiple vulnerabilities (ROBOT)
  • 76303 - GLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT)
  • 58090 - Oracle GlassFish Server 2.1.1 < 2.1.1.15 / 3.0.1 < 3.0.1.5 / 3.1.1 < 3.1.1.2 Hash Collision DoS
  • 58605 - Mac OS X : Java for Mac OS X 10.6 Update 7
  • 58606 - Mac OS X : Java for OS X Lion 2012-001
  • 56809 - Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2011:170)
  • 58026 - Mandriva Linux Security Advisory : java-1.6.0-openjdk (MDVSA-2012:021)
  • 57959 - Oracle Java SE Multiple Vulnerabilities (February 2012 CPU)
  • 64847 - Oracle Java SE Multiple Vulnerabilities (February 2012 CPU) (Unix)
  • 76683 - Oracle JRockit R27 < R27.7.2.5 / R28 < R28.2.3.13 Multiple Vulnerabilities (April 2012 CPU)
  • 68459 - Oracle Linux 6 : java-1.6.0-openjdk (ELSA-2012-0135)
  • 68487 - Oracle Linux 5 : java-1.6.0-openjdk (ELSA-2012-0322)
  • 57956 - RHEL 6 : java-1.6.0-openjdk (RHSA-2012:0135)
  • 57991 - RHEL 4 / 5 / 6 : java-1.6.0-sun (RHSA-2012:0139)
  • 58084 - RHEL 5 : java-1.6.0-openjdk (RHSA-2012:0322)
  • 58840 - RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2012:0508) (BEAST)
  • 58866 - RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2012:0514)
  • 56860 - Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : icedtea-web, openjdk-6, openjdk-6b18 vulnerabilities (USN-1263-1) (BEAST)
  • 57685 - Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : openjdk-6, openjdk-6b18 regression (USN-1263-2) (BEAST)
  • 58179 - Ubuntu 10.04 LTS / 10.10 / 11.04 : openjdk-6b18 vulnerabilities (USN-1373-2)
  • 66806 - VMware vCenter Multiple Vulnerabilities (VMSA-2012-0013)
  • 61747 - VMSA-2012-0013 : VMware vSphere and vCOps updates to third-party libraries
  • 89038 - VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0013) (remote check)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file debian_DSA-2420.nasl version 1.27. For more plugins, visit the Nessus Plugin Library.
