Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20121017) (ROBOT) - Nessus

Critical   Plugin ID: 62653

This page contains detailed information about the Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20121017) (ROBOT) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 62653
Name: Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20121017) (ROBOT)
Filename: sl_20121017_java_1_7_0_openjdk_on_SL6_x.nasl
Vulnerability Published: 2012-10-16
This Plugin Published: 2012-10-22
Last Modification Time: 2022-03-29
Plugin Version: 1.19
Plugin Type: local
Plugin Family: Scientific Linux Local Security Checks
Dependencies: ssh_get_info.nasl
Required KB Items [?]: Host/cpu, Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Vulnerability Information

Severity: Critical
Vulnerability Published: 2012-10-16
Patch Published: 2012-10-17
CVE [?]: CVE-2012-3216, CVE-2012-4416, CVE-2012-5068, CVE-2012-5069, CVE-2012-5070, CVE-2012-5071, CVE-2012-5072, CVE-2012-5073, CVE-2012-5074, CVE-2012-5075, CVE-2012-5076, CVE-2012-5077, CVE-2012-5079, CVE-2012-5081, CVE-2012-5084, CVE-2012-5085, CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5089
CPE [?]: p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk, p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo, p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel, p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc, p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src, x-cpe:/o:fermilab:scientific_linux
Exploited by Malware: True
In the News: True

Synopsis

The remote Scientific Linux host is missing one or more security updates.

Description

Multiple improper permission check issues were discovered in the Beans, Libraries, Swing, and JMX components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2012-5086, CVE-2012-5087, CVE-2012-5088, CVE-2012-5084, CVE-2012-5089)

The default Java security properties configuration did not restrict access to certain com.sun.org.glassfish packages. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. This update lists those packages as restricted. (CVE-2012-5076, CVE-2012-5074)

Multiple improper permission check issues were discovered in the Scripting, JMX, Concurrency, Libraries, and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2012-5068, CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072)

It was discovered that java.util.ServiceLoader could create an instance of an incompatible class while performing provider lookup. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2012-5079)

It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS implementation did not properly handle handshake records containing an overly large data length value. An unauthenticated, remote attacker could possibly use this flaw to cause an SSL/TLS server to terminate with an exception. (CVE-2012-5081)

It was discovered that the JMX component in OpenJDK could perform certain actions in an insecure manner. An untrusted Java application or applet could possibly use these flaws to disclose sensitive information. (CVE-2012-5070, CVE-2012-5075)

A bug in the Java HotSpot Virtual Machine optimization code could cause it to not perform array initialization in certain cases. An untrusted Java application or applet could use this flaw to disclose portions of the virtual machine's memory. (CVE-2012-4416)

It was discovered that the SecureRandom class did not properly protect against the creation of multiple seeders. An untrusted Java application or applet could possibly use this flaw to disclose sensitive information. (CVE-2012-5077)

It was discovered that the java.io.FilePermission class exposed the hash code of the canonicalized path name. An untrusted Java application or applet could possibly use this flaw to determine certain system paths, such as the current working directory. (CVE-2012-3216)

This update disables Gopher protocol support in the java.net package by default. Gopher support can be enabled by setting the newly introduced property, 'jdk.net.registerGopherProtocol', to true. (CVE-2012-5085)

This erratum also upgrades the OpenJDK package to IcedTea7 2.3.3.

All running instances of OpenJDK Java must be restarted for the update to take effect.

Solution

Update the affected packages.

Public Exploits

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20121017) (ROBOT) vulnerability:

  1. Metasploit: exploit/multi/browser/java_jre17_method_handle
    [Java Applet Method Handle Remote Code Execution]
  2. Metasploit: auxiliary/scanner/ssl/bleichenbacher_oracle
    [Scanner for Bleichenbacher Oracle in RSA PKCS #1 v1.5]
  3. Metasploit: exploit/multi/browser/java_jre17_glassfish_averagerangestatisticimpl
    [Java Applet AverageRangeStatisticImpl Remote Code Execution]
  4. Metasploit: exploit/multi/browser/java_jre17_jaxws
    [Java Applet JAX-WS Remote Code Execution]
  5. Exploit-DB: exploits/multiple/remote/22657.rb
    [EDB-22657: Java Applet - JAX-WS Remote Code Execution (Metasploit)]
  6. Exploit-DB: exploits/multiple/remote/24308.rb
    [EDB-24308: Java Applet - Method Handle Remote Code Execution (Metasploit)]
  7. Exploit-DB: exploits/java/remote/24309.rb
    [EDB-24309: Java Applet - AverageRangeStatisticImpl Remote Code Execution (Metasploit)]
  8. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS V2 Vector [?]: AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Base Score:10.0 (High)
Impact Subscore:10.0
Exploitability Subscore:10.0
CVSS Temporal Score:NA (None)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:10.0 (High)

Go back to menu.

Plugin Source

This is the sl_20121017_java_1_7_0_openjdk_on_SL6_x.nasl nessus plugin source code. This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof. 

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(62653);
  script_version("1.19");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/29");

  script_cve_id(
    "CVE-2012-3216",
    "CVE-2012-4416",
    "CVE-2012-5068",
    "CVE-2012-5069",
    "CVE-2012-5070",
    "CVE-2012-5071",
    "CVE-2012-5072",
    "CVE-2012-5073",
    "CVE-2012-5074",
    "CVE-2012-5075",
    "CVE-2012-5076",
    "CVE-2012-5077",
    "CVE-2012-5079",
    "CVE-2012-5081",
    "CVE-2012-5084",
    "CVE-2012-5085",
    "CVE-2012-5086",
    "CVE-2012-5087",
    "CVE-2012-5088",
    "CVE-2012-5089"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/18");

  script_name(english:"Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20121017) (ROBOT)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Scientific Linux host is missing one or more security
updates.");
  script_set_attribute(attribute:"description", value:
"Multiple improper permission check issues were discovered in the
Beans, Libraries, Swing, and JMX components in OpenJDK. An untrusted
Java application or applet could use these flaws to bypass Java
sandbox restrictions. (CVE-2012-5086, CVE-2012-5087, CVE-2012-5088,
CVE-2012-5084, CVE-2012-5089)

The default Java security properties configuration did not restrict
access to certain com.sun.org.glassfish packages. An untrusted Java
application or applet could use these flaws to bypass Java sandbox
restrictions. This update lists those packages as restricted.
(CVE-2012-5076, CVE-2012-5074)

Multiple improper permission check issues were discovered in the
Scripting, JMX, Concurrency, Libraries, and Security components in
OpenJDK. An untrusted Java application or applet could use these flaws
to bypass certain Java sandbox restrictions. (CVE-2012-5068,
CVE-2012-5071, CVE-2012-5069, CVE-2012-5073, CVE-2012-5072)

It was discovered that java.util.ServiceLoader could create an
instance of an incompatible class while performing provider lookup. An
untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions. (CVE-2012-5079)

It was discovered that the Java Secure Socket Extension (JSSE) SSL/TLS
implementation did not properly handle handshake records containing an
overly large data length value. An unauthenticated, remote attacker
could possibly use this flaw to cause an SSL/TLS server to terminate
with an exception. (CVE-2012-5081)

It was discovered that the JMX component in OpenJDK could perform
certain actions in an insecure manner. An untrusted Java application
or applet could possibly use these flaws to disclose sensitive
information. (CVE-2012-5070, CVE-2012-5075)

A bug in the Java HotSpot Virtual Machine optimization code could
cause it to not perform array initialization in certain cases. An
untrusted Java application or applet could use this flaw to disclose
portions of the virtual machine's memory. (CVE-2012-4416)

It was discovered that the SecureRandom class did not properly protect
against the creation of multiple seeders. An untrusted Java
application or applet could possibly use this flaw to disclose
sensitive information. (CVE-2012-5077)

It was discovered that the java.io.FilePermission class exposed the
hash code of the canonicalized path name. An untrusted Java
application or applet could possibly use this flaw to determine
certain system paths, such as the current working directory.
(CVE-2012-3216)

This update disables Gopher protocol support in the java.net package
by default. Gopher support can be enabled by setting the newly
introduced property, 'jdk.net.registerGopherProtocol', to true.
(CVE-2012-5085)

This erratum also upgrades the OpenJDK package to IcedTea7 2.3.3.

All running instances of OpenJDK Java must be restarted for the update
to take effect.");
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1210&L=scientific-linux-errata&T=0&P=2671
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?459326fe");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Java Applet Method Handle Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/10/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/10/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/10/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-demo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:java-1.7.0-openjdk-src");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Scientific Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);


flag = 0;
if (rpm_check(release:"SL6", reference:"java-1.7.0-openjdk-1.7.0.9-2.3.3.el6_3.1")) flag++;
if (rpm_check(release:"SL6", reference:"java-1.7.0-openjdk-demo-1.7.0.9-2.3.3.el6_3.1")) flag++;
if (rpm_check(release:"SL6", reference:"java-1.7.0-openjdk-devel-1.7.0.9-2.3.3.el6_3.1")) flag++;
if (rpm_check(release:"SL6", reference:"java-1.7.0-openjdk-javadoc-1.7.0.9-2.3.3.el6_3.1")) flag++;
if (rpm_check(release:"SL6", reference:"java-1.7.0-openjdk-src-1.7.0.9-2.3.3.el6_3.1")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc");
}

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/sl_20121017_java_1_7_0_openjdk_on_SL6_x.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\sl_20121017_java_1_7_0_openjdk_on_SL6_x.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/sl_20121017_java_1_7_0_openjdk_on_SL6_x.nasl

Go back to menu.

How to Run

Here is how to run the Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20121017) (ROBOT) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Scientific Linux Local Security Checks plugin family.
  6. On the right side table select Scientific Linux Security Update : java-1.7.0-openjdk on SL6.x i386/x86_64 (20121017) (ROBOT) plugin ID 62653.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl sl_20121017_java_1_7_0_openjdk_on_SL6_x.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a sl_20121017_java_1_7_0_openjdk_on_SL6_x.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - sl_20121017_java_1_7_0_openjdk_on_SL6_x.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state sl_20121017_java_1_7_0_openjdk_on_SL6_x.nasl -t <IP/HOST>

Go back to menu.

References

See also: Similar and related Nessus plugins:
  • 62598 - CentOS 6 : java-1.7.0-openjdk (CESA-2012:1386) (ROBOT)
  • 72139 - GLSA-201401-30 : Oracle JRE/JDK: Multiple vulnerabilities (ROBOT)
  • 76303 - GLSA-201406-32 : IcedTea JDK: Multiple vulnerabilities (BEAST) (ROBOT)
  • 77326 - Juniper NSM < 2012.2R9 Multiple Java and Apache Vulnerabilities (JSA10642)
  • 62594 - Mac OS X : Java for Mac OS X 10.6 Update 11
  • 62595 - Mac OS X : Java for OS X 2012-006
  • 74793 - openSUSE Security Update : java-1_7_0-openjdk (openSUSE-SU-2012:1419-1) (ROBOT)
  • 62593 - Oracle Java SE Multiple Vulnerabilities (October 2012 CPU)
  • 64849 - Oracle Java SE Multiple Vulnerabilities (October 2012 CPU) (Unix)
  • 68646 - Oracle Linux 6 : java-1.7.0-openjdk (ELSA-2012-1386) (ROBOT)
  • 62615 - RHEL 6 : java-1.7.0-openjdk (RHSA-2012:1386) (ROBOT)
  • 62635 - RHEL 6 : java-1.7.0-oracle (RHSA-2012:1391)
  • 62636 - RHEL 5 / 6 : java-1.6.0-sun (RHSA-2012:1392)
  • 62930 - RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2012:1465) (ROBOT)
  • 62931 - RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2012:1466) (ROBOT)
  • 62932 - RHEL 6 : java-1.7.0-ibm (RHSA-2012:1467) (ROBOT)
  • 65202 - RHEL 5 / 6 : java-1.5.0-ibm (RHSA-2013:0624)
  • 65203 - RHEL 5 / 6 : java-1.6.0-ibm (RHSA-2013:0625)
  • 65204 - RHEL 5 / 6 : java-1.7.0-ibm (RHSA-2013:0626)
  • 78975 - RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2013:1455) (BEAST) (ROBOT)
  • 78976 - RHEL 5 / 6 : IBM Java Runtime in Satellite Server (RHSA-2013:1456) (ROBOT)
  • 62773 - Scientific Linux Security Update : java-1.6.0-sun on SL5.x i386/x86_64 (20121018) (ROBOT)
  • 105415 - Return Of Bleichenbacher's Oracle Threat (ROBOT) Information Disclosure
  • 64166 - SuSE 11.2 Security Update : IBM Java 1.6.0 (SAT Patch Number 7095)
  • 64169 - SuSE 11.2 Security Update : OpenJDK (SAT Patch Number 6987)
  • 64171 - SuSE 11.2 Security Update : IBM Java 1.7.0 (SAT Patch Number 7046)
  • 63092 - SuSE 10 Security Update : IBM Java 1.6.0 (ZYPP Patch Number 8383) (ROBOT)
  • 83567 - SUSE SLES11 Security Update : IBM Java 1.7.0 (SUSE-SU-2012:1489-2)
  • 62709 - Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS / 12.10 : openjdk-6, openjdk-7 vulnerabilities (USN-1619-1) (ROBOT)
  • 89663 - VMware ESX / ESXi NFC and Third-Party Libraries Multiple Vulnerabilities (VMSA-2013-0003) (remote check)
  • 33284 - EMC AlphaStor Device Manager robotd RCE
  • 104687 - F5 Networks BIG-IP : BIG-IP SSL vulnerability (K21905460) (ROBOT)
  • 105502 - FreeBSD : The Bouncy Castle Crypto APIs: CVE-2017-13098 ('ROBOT') (6a131fbf-ec76-11e7-aa65-001b216d295b)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file sl_20121017_java_1_7_0_openjdk_on_SL6_x.nasl version 1.19. For more plugins, visit the Nessus Plugin Library.

Go back to menu.