ESB-2012.0474 - [HP-UX] HP-UX Running Java JRE and JDK: Multiple vulnerabilities

Date: 16 May 2012
References: ASB-2011.0013  ASB-2011.0016  ESB-2011.0195  ESB-2011.0224  ESB-2011.0435  ASB-2011.0031  ASB-2011.0047  ASB-2011.0070  ESB-2011.1041  ASB-2011.0092  
ESB-2011.1177  ASB-2012.0003  ESB-2012.0081  ESB-2012.0327  ESB-2012.0343  ASB-2012.0060  ESB-2012.0423  


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0474
        HP-UX Running Java JRE and JDK, Remote Denial of Service (DoS),
           Unauthorized Modification and Disclosure of Information
                                16 May 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           HP-UX Running Java JRE and JDK
Publisher:         Hewlett-Packard
Operating System:  HP-UX
Impact/Access:     Modify Arbitrary Files   -- Unknown/Unspecified   
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Unknown/Unspecified   
                   Reduced Security         -- Unknown/Unspecified   
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0506 CVE-2012-0505 CVE-2012-0503
                   CVE-2012-0502 CVE-2012-0499 CVE-2011-3563
                   CVE-2011-3560 CVE-2011-3557 CVE-2011-3556
                   CVE-2011-3552 CVE-2011-3549 CVE-2011-3548
                   CVE-2011-3547 CVE-2011-3545 CVE-2011-3389
                   CVE-2011-0871 CVE-2011-0867 CVE-2011-0865
                   CVE-2011-0864 CVE-2011-0862 CVE-2011-0815
                   CVE-2011-0814 CVE-2011-0802 CVE-2010-4476
                   CVE-2010-4475 CVE-2010-4473 CVE-2010-4469
                   CVE-2010-4465 CVE-2010-4462 CVE-2010-4454
                   CVE-2010-4448 CVE-2010-4447 

Reference:         ASB-2012.0060
                   ASB-2012.0003
                   ESB-2012.0423
                   ESB-2012.0343
                   ESB-2012.0327
                   ESB-2012.0081
                   ASB-2011.0092
                   ASB-2011.0070
                   ASB-2011.0047
                   ASB-2011.0031
                   ASB-2011.0016
                   ASB-2011.0013
                   ESB-2011.1177
                   ESB-2011.1041
                   ESB-2011.0435
                   ESB-2011.0224
                   ESB-2011.0195
                   ESB-2011.0177
                   ASB-2012.0024.2
                   ASB-2011.0071.2
                   ESB-2011.0370.2

Original Bulletin: 
   http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03316985&ac.admitted=1337146920553.876444892.199480143

--------------------------BEGIN INCLUDED TEXT--------------------

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03316985

Version: 1

HPSBUX02777 SSRT100854 rev.1 - HP-UX Running Java JRE and JDK, Remote Denial of
Service (DoS), Unauthorized Modification and Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2012-05-15

Last Updated: 2012-05-15

Potential Security Impact: Remote Denial of service, unauthorized modification
and disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY

Potential security vulnerabilities have been identified in Java Runtime
Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities may allow remote Denial of Service (DoS), unauthorized
modification and disclosure of information.

References: CVE-2010-4447, CVE-2010-4448, CVE-2010-4454, CVE-2010-4462,
CVE-2010-4465, CVE-2010-4469, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476,
CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0862, CVE-2011-0864,
CVE-2011-0865, CVE-2011-0867, CVE-2011-0871, CVE-2011-3389, CVE-2011-3545,
CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3556,
CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0499, CVE-2012-0502,
CVE-2012-0503, CVE-2012-0505, CVE-2012-0506

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP-UX B.11.11, B.11.23, and B.11.31 running Java Runtime Environment (JRE) and
Java Developer Kit (JDK), v1.4.2.28 and earlier.

BACKGROUND
For a PGP signed version of this security bulletin please write to:
security-alert@hp.com

CVSS 2.0 Base Metrics

Reference       Base Vector                    Base Score
-------------   ----------------------------   ----------
CVE-2010-4447   (AV:N/AC:M/Au:N/C:P/I:N/A:N)   4.3
CVE-2010-4448   (AV:N/AC:H/Au:N/C:N/I:P/A:N)   2.6
CVE-2010-4454   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2010-4462   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2010-4465   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2010-4469   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2010-4473   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2010-4475   (AV:N/AC:M/Au:N/C:P/I:N/A:N)   4.3
CVE-2010-4476   (AV:N/AC:L/Au:N/C:N/I:N/A:P)   5.0
CVE-2011-0802   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2011-0814   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2011-0815   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2011-0862   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2011-0864   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2011-0865   (AV:N/AC:H/Au:N/C:N/I:P/A:N)   2.6
CVE-2011-0867   (AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
CVE-2011-0871   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2011-3389   (AV:N/AC:M/Au:N/C:P/I:N/A:N)   4.3
CVE-2011-3545   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2011-3547   (AV:N/AC:L/Au:N/C:P/I:N/A:N)   5.0
CVE-2011-3548   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2011-3549   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2011-3552   (AV:N/AC:H/Au:N/C:N/I:P/A:N)   2.6
CVE-2011-3556   (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2011-3557   (AV:N/AC:M/Au:N/C:P/I:P/A:P)   6.8
CVE-2011-3560   (AV:N/AC:L/Au:N/C:P/I:P/A:N)   6.4
CVE-2011-3563   (AV:N/AC:L/Au:N/C:P/I:N/A:P)   6.4
CVE-2012-0499   (AV:N/AC:L/Au:N/C:C/I:C/A:C)   10.0
CVE-2012-0502   (AV:N/AC:L/Au:N/C:P/I:N/A:P)   6.4
CVE-2012-0503   (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2012-0505   (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2012-0506   (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP is providing the following Java updates to resolve the vulnerabilities. 
The updates are available from: http://www.hp.com/go/java 

These issues are addressed in the following versions of the HP Java: 

HP-UX B.11.11    SDK and JRE v1.4.2.28 or subsequent
HP-UX B.11.23    SDK and JRE v1.4.2.28 or subsequent
HP-UX B.11.31    SDK and JRE v1.4.2.28 or subsequent


MANUAL ACTIONS: Yes - Update 

For Java v1.4.2.27 and earlier, update to Java v1.4.2.28 or subsequent. 

PRODUCT SPECIFIC INFORMATION 

HP-UX Software Assistant: 
HP-UX Software Assistant is an enhanced application that replaces HP-UX Security
Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended
actions that may apply to a specific HP-UX system. It can also download patches
and create a depot automatically. For more information see:
https://www.hp.com/go/swa 

The following text is for use by the HP-UX Software Assistant. 

AFFECTED VERSIONS 

HP-UX B.11.11 
HP-UX B.11.23 
HP-UX B.11.31 
=========== 
Jpi14.JPI14-COM 
Jpi14.JPI14-COM-DOC 
Jpi14.JPI14-IPF32 
Jpi14.JPI14-PA11 
Jdk14.JDK14-COM 
Jdk14.JDK14-DEMO 
Jdk14.JDK14-IPF32 
Jdk14.JDK14-IPF64 
Jdk14.JDK14-PA11 
Jdk14.JDK14-PA20 
Jdk14.JDK14-PA20W 
Jdk14.JDK14-PNV2 
Jdk14.JDK14-PWV2 
Jre14.JRE14-COM 
Jre14.JRE14-COM-DOC 
Jre14.JRE14-IPF32 
Jre14.JRE14-IPF32-HS 
Jre14.JRE14-IPF64 
Jre14.JRE14-IPF64-HS 
Jre14.JRE14-PA11 
Jre14.JRE14-PA11-HS 
Jre14.JRE14-PA20 
Jre14.JRE14-PA20-HS 
Jre14.JRE14-PA20W 
Jre14.JRE14-PA20W-HS 
Jre14.JRE14-PNV2 
Jre14.JRE14-PNV2-H 
Jre14.JRE14-PWV2 
Jre14.JRE14-PWV2-H 
action: install revision 1.4.2.28.00 or subsequent 

END AFFECTED VERSIONS 
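The block above is meant for HP-UX Software Assistant, but the same check can be done by hand: list the installed Jpi14/Jdk14/Jre14 filesets and compare each revision against 1.4.2.28.00. The following is an added example, not HP's or AusCERT's code; it assumes input lines of the form "fileset revision" (the shape of `swlist -l fileset -a revision` output is an assumption; confirm it on your own system) and uses a constructed sample rather than real system output.

```sh
#!/bin/sh
# Added example: flag HP-UX Java 1.4 filesets installed below the fix revision.
# Input lines are assumed to look like "Jre14.JRE14-COM 1.4.2.27.00".

FIX_REVISION="1.4.2.28.00"

# rev_lt A B: succeed (exit 0) when dotted revision A is lower than B.
# Components are compared numerically so 1.4.2.9 < 1.4.2.28; missing
# trailing components count as 0.
rev_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# list_vulnerable: read "fileset revision" lines on stdin and print those from
# the bulletin's Jpi14/Jdk14/Jre14 families that are below FIX_REVISION.
list_vulnerable() {
    while read -r fileset revision; do
        case "$fileset" in
            Jpi14.*|Jdk14.*|Jre14.*) ;;
            *) continue ;;
        esac
        if rev_lt "$revision" "$FIX_REVISION"; then
            echo "$fileset $revision"
        fi
    done
}

# Constructed sample, not output from a real system.
SAMPLE='Jre14.JRE14-COM 1.4.2.27.00
Jdk14.JDK14-IPF32 1.4.2.26.00
Jre14.JRE14-PA20 1.4.2.28.00
Jdk15.JDK15-COM 1.5.0.20.00'

printf '%s\n' "$SAMPLE" | list_vulnerable
```

On the sample the two filesets below 1.4.2.28.00 are printed; the Jre14 at the fix revision and the Jdk15 fileset (not covered by this bulletin) are skipped.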

HISTORY 
Version: 1 (rev.1) - 15 May 2012 Initial release

Third Party Security Patches:
Third party security patches which are to be installed on systems running HP
software products should be applied in accordance with the customer's patch
management policy.

Support: For further information, contact normal HP Services support channel.

System management and security procedures must be reviewed frequently to
maintain system integrity. HP is continually reviewing and enhancing the
security features of software products to provide customers with current secure
solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users determine
the applicability of this information to their individual situations and take
appropriate action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP will not be
responsible for any damages resulting from user's use or disregard of the
information provided in this Bulletin. To the extent permitted by law, HP
disclaims all warranties, either express or implied, including the warranties
of merchantability and fitness for a particular purpose, title and
non-infringement."

Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or
omissions contained herein. The information provided is provided "as is" without
warranty of any kind. To the extent permitted by law, neither HP nor its
affiliates, subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits; damages relating
to the procurement of substitute products or services; or damages for loss of
data, or software restoration. The information in this document is subject to
change without notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard Company in the
United States and other countries. Other product and company names mentioned
herein may be trademarks of their respective owners.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================