Date: 16 May 2012
References: ASB-2011.0013 ASB-2011.0016 ESB-2011.0195 ESB-2011.0224 ESB-2011.0435 ASB-2011.0031 ASB-2011.0047 ASB-2011.0070 ESB-2011.1041 ASB-2011.0092 ESB-2011.1177 ASB-2012.0003 ESB-2012.0081 ESB-2012.0327 ESB-2012.0343 ASB-2012.0060 ESB-2012.0423
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0474
HP-UX Running Java JRE and JDK, Remote Denial of Service (DoS),
Unauthorized Modification and Disclosure of Information
16 May 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: HP-UX Running Java JRE and JDK
Publisher: Hewlett-Packard
Operating System: HP-UX
Impact/Access: Modify Arbitrary Files -- Unknown/Unspecified
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Unknown/Unspecified
Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2012-0506 CVE-2012-0505 CVE-2012-0503
CVE-2012-0502 CVE-2012-0499 CVE-2011-3563
CVE-2011-3560 CVE-2011-3557 CVE-2011-3556
CVE-2011-3552 CVE-2011-3549 CVE-2011-3548
CVE-2011-3547 CVE-2011-3545 CVE-2011-3389
CVE-2011-0871 CVE-2011-0867 CVE-2011-0865
CVE-2011-0864 CVE-2011-0862 CVE-2011-0815
CVE-2011-0814 CVE-2011-0802 CVE-2010-4476
CVE-2010-4475 CVE-2010-4473 CVE-2010-4469
CVE-2010-4465 CVE-2010-4462 CVE-2010-4454
CVE-2010-4448 CVE-2010-4447
Reference: ASB-2012.0060
ASB-2012.0003
ESB-2012.0423
ESB-2012.0343
ESB-2012.0327
ESB-2012.0081
ASB-2011.0092
ASB-2011.0070
ASB-2011.0047
ASB-2011.0031
ASB-2011.0016
ASB-2011.0013
ESB-2011.1177
ESB-2011.1041
ESB-2011.0435
ESB-2011.0224
ESB-2011.0195
ESB-2011.0177
ASB-2012.0024.2
ASB-2011.0071.2
ESB-2011.0370.2
Original Bulletin:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03316985&ac.admitted=1337146920553.876444892.199480143
- --------------------------BEGIN INCLUDED TEXT--------------------
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c03316985
Version: 1
HPSBUX02777 SSRT100854 rev.1 - HP-UX Running Java JRE and JDK, Remote Denial of
Service (DoS), Unauthorized Modification and Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.
Release Date: 2012-05-15
Last Updated: 2012-05-15
Potential Security Impact: Remote Denial of service, unauthorized modification
and disclosure of information
Source: Hewlett-Packard Company, HP Software Security Response Team
VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in Java Runtime
Environment (JRE) and Java Developer Kit (JDK) running on HP-UX. These
vulnerabilities may allow remote Denial of Service (DoS), unauthorized
modification and disclosure of information.
References: CVE-2010-4447, CVE-2010-4448, CVE-2010-4454, CVE-2010-4462,
CVE-2010-4465, CVE-2010-4469, CVE-2010-4473, CVE-2010-4475, CVE-2010-4476,
CVE-2011-0802, CVE-2011-0814, CVE-2011-0815, CVE-2011-0862, CVE-2011-0864,
CVE-2011-0865, CVE-2011-0867, CVE-2011-0871, CVE-2011-3389, CVE-2011-3545,
CVE-2011-3547, CVE-2011-3548, CVE-2011-3549, CVE-2011-3552, CVE-2011-3556,
CVE-2011-3557, CVE-2011-3560, CVE-2011-3563, CVE-2012-0499, CVE-2012-0502,
CVE-2012-0503, CVE-2012-0505, CVE-2012-0506
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11, B.11.23, and B.11.31 running Java Runtime Environment (JRE) and
Java Developer Kit (JDK), v1.4.2.27 and earlier.
BACKGROUND
For a PGP signed version of this security bulletin please write to:
security-alert@hp.com
CVSS 2.0 Base Metrics
Reference        Base Vector                     Base Score
CVE-2010-4447    (AV:N/AC:M/Au:N/C:P/I:N/A:N)    4.3
CVE-2010-4448    (AV:N/AC:H/Au:N/C:N/I:P/A:N)    2.6
CVE-2010-4454    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2010-4462    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2010-4465    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2010-4469    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2010-4473    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2010-4475    (AV:N/AC:M/Au:N/C:P/I:N/A:N)    4.3
CVE-2010-4476    (AV:N/AC:L/Au:N/C:N/I:N/A:P)    5.0
CVE-2011-0802    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2011-0814    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2011-0815    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2011-0862    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2011-0864    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2011-0865    (AV:N/AC:H/Au:N/C:N/I:P/A:N)    2.6
CVE-2011-0867    (AV:N/AC:L/Au:N/C:P/I:N/A:N)    5.0
CVE-2011-0871    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2011-3389    (AV:N/AC:M/Au:N/C:P/I:N/A:N)    4.3
CVE-2011-3545    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2011-3547    (AV:N/AC:L/Au:N/C:P/I:N/A:N)    5.0
CVE-2011-3548    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2011-3549    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2011-3552    (AV:N/AC:H/Au:N/C:N/I:P/A:N)    2.6
CVE-2011-3556    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2011-3557    (AV:N/AC:M/Au:N/C:P/I:P/A:P)    6.8
CVE-2011-3560    (AV:N/AC:L/Au:N/C:P/I:P/A:N)    6.4
CVE-2011-3563    (AV:N/AC:L/Au:N/C:P/I:N/A:P)    6.4
CVE-2012-0499    (AV:N/AC:L/Au:N/C:C/I:C/A:C)    10.0
CVE-2012-0502    (AV:N/AC:L/Au:N/C:P/I:N/A:P)    6.4
CVE-2012-0503    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2012-0505    (AV:N/AC:L/Au:N/C:P/I:P/A:P)    7.5
CVE-2012-0506    (AV:N/AC:M/Au:N/C:N/I:P/A:N)    4.3
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002
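The table above gives each vector and its published score but not how the score follows from the vector. The following is an added example written for this page, not HP's or AusCERT's code: a POSIX sh function that recomputes the CVSS 2.0 base score from a base vector with the v2 base equations (the arithmetic is done in awk), plus a helper that re-checks rows copied from the table and lists the CVEs at or above a chosen threshold. It assumes only a POSIX sh with awk; the function and variable names are this example's own, and the sample rows are a subset copied from the table above.

```sh
#!/bin/sh
# Added example, not part of the HP or AusCERT bulletin: recompute a CVSS 2.0
# base score from a base vector using the CVSS v2 base equations, so the
# published scores above can be re-checked and the CVE list ranked.
# Assumes a POSIX sh with awk. Vectors are written as the bulletin prints them,
# e.g. "(AV:N/AC:M/Au:N/C:P/I:N/A:N)"; the parentheses are optional.

# cvss2_base_score VECTOR -> prints the base score rounded to one decimal
cvss2_base_score() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        # metric weights from the CVSS v2.0 base equation
        av["L"] = 0.395; av["A"] = 0.646; av["N"] = 1.0
        ac["H"] = 0.35;  ac["M"] = 0.61;  ac["L"] = 0.71
        au["M"] = 0.45;  au["S"] = 0.56;  au["N"] = 0.704
        cia["N"] = 0;    cia["P"] = 0.275; cia["C"] = 0.660
    }
    {
        gsub(/[()]/, "")                     # drop the parentheses used in the bulletin
        n = split($0, part, "/")
        for (i = 1; i <= n; i++) {           # "AV:N" -> m["AV"] = "N"
            split(part[i], kv, ":")
            m[kv[1]] = kv[2]
        }
        impact  = 10.41 * (1 - (1 - cia[m["C"]]) * (1 - cia[m["I"]]) * (1 - cia[m["A"]]))
        exploit = 20 * av[m["AV"]] * ac[m["AC"]] * au[m["Au"]]
        if (impact == 0) { print "0.0"; next }   # f(Impact) = 0 when there is no impact
        printf "%.1f\n", ((0.6 * impact) + (0.4 * exploit) - 1.5) * 1.176
    }'
}

# check_table THRESHOLD  (reads "CVE VECTOR SCORE" rows on stdin)
# Prints "CVE score" for rows whose recomputed score is >= THRESHOLD and a
# MISMATCH line for any row whose published score disagrees with its vector.
# Exit status 1 if a mismatch was seen, 0 otherwise.
check_table() {
    threshold=$1
    status=0
    while read -r cve vector published; do
        [ -z "$cve" ] && continue
        computed=$(cvss2_base_score "$vector")
        if [ "$computed" != "$published" ]; then
            echo "MISMATCH $cve published=$published computed=$computed"
            status=1
        fi
        if awk "BEGIN { exit !($computed >= $threshold) }"; then
            echo "$cve $computed"
        fi
    done
    return $status
}

# Rows copied from the CVSS table in this bulletin (a subset)
SAMPLE_ROWS='CVE-2010-4447 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3
CVE-2010-4448 (AV:N/AC:H/Au:N/C:N/I:P/A:N) 2.6
CVE-2010-4454 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0
CVE-2010-4476 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0
CVE-2011-3556 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5
CVE-2011-3557 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8
CVE-2012-0506 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3'

# Usage: re-check the rows and list the CVEs scoring 7.0 or higher
printf '%s\n' "$SAMPLE_ROWS" | check_table 7.0
```

The vector alone reproduces every score in the table, which is worth knowing when a vendor table and a CVE database disagree: the vector, not the printed number, is the data to keep.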
RESOLUTION
HP is providing the following Java updates to resolve the vulnerabilities.
The updates are available from: http://www.hp.com/go/java
These issues are addressed in the following versions of HP Java:
HP-UX B.11.11
SDK and JRE v1.4.2.28 or subsequent
HP-UX B.11.23
SDK and JRE v1.4.2.28 or subsequent
HP-UX B.11.31
SDK and JRE v1.4.2.28 or subsequent
MANUAL ACTIONS: Yes - Update
For Java v1.4.2.27 and earlier, update to Java v1.4.2.28 or subsequent.
PRODUCT SPECIFIC INFORMATION
HP-UX Software Assistant:
HP-UX Software Assistant is an enhanced application that replaces HP-UX Security
Patch Check. It analyzes all HP-issued Security Bulletins and lists recommended
actions that may apply to a specific HP-UX system. It can also download patches
and create a depot automatically. For more information see:
https://www.hp.com/go/swa
The following text is for use by the HP-UX Software Assistant.
AFFECTED VERSIONS
HP-UX B.11.11
HP-UX B.11.23
HP-UX B.11.31
===========
Jpi14.JPI14-COM
Jpi14.JPI14-COM-DOC
Jpi14.JPI14-IPF32
Jpi14.JPI14-PA11
Jdk14.JDK14-COM
Jdk14.JDK14-DEMO
Jdk14.JDK14-IPF32
Jdk14.JDK14-IPF64
Jdk14.JDK14-PA11
Jdk14.JDK14-PA20
Jdk14.JDK14-PA20W
Jdk14.JDK14-PNV2
Jdk14.JDK14-PWV2
Jre14.JRE14-COM
Jre14.JRE14-COM-DOC
Jre14.JRE14-IPF32
Jre14.JRE14-IPF32-HS
Jre14.JRE14-IPF64
Jre14.JRE14-IPF64-HS
Jre14.JRE14-PA11
Jre14.JRE14-PA11-HS
Jre14.JRE14-PA20
Jre14.JRE14-PA20-HS
Jre14.JRE14-PA20W
Jre14.JRE14-PA20W-HS
Jre14.JRE14-PNV2
Jre14.JRE14-PNV2-H
Jre14.JRE14-PWV2
Jre14.JRE14-PWV2-H
action: install revision 1.4.2.28.00 or subsequent
END AFFECTED VERSIONS
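The block above is the machine-readable input for HP-UX Software Assistant. For a host where swa is not available, the following added example (written for this page, not HP's tooling) reads the output of `swlist -l fileset` and reports any Jdk14, Jre14 or Jpi14 fileset below revision 1.4.2.28.00. It assumes a POSIX sh; the swlist output embedded in it is constructed for illustration, the fileset titles in that sample are illustrative, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not HP tooling: report Java 1.4 filesets on an HP-UX host that
# are below the fixed revision 1.4.2.28.00 named in the bulletin. It consumes
# "fileset revision title" lines in the shape printed by
#   swlist -l fileset Jdk14 Jre14 Jpi14
# The sample output further down is constructed for illustration; check the
# column layout against a real host before relying on it.

FIXED_REV=1.4.2.28.00

# rev_ge A B -> exit 0 if dotted numeric revision A is >= B, else 1.
# Components are compared numerically, so 1.4.2.28 is treated as 1.4.2.28.00.
rev_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                 # leading component of each
        if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# vulnerable_filesets  (reads swlist output on stdin)
# Prints "fileset revision" for each Java 1.4 fileset below FIXED_REV.
# Exit status 1 if any were found, 0 if every listed fileset is at the fix level.
vulnerable_filesets() {
    found=0
    while read -r fileset rev title; do
        case $fileset in
            Jdk14.*|Jre14.*|Jpi14.*) ;;          # filesets named in the bulletin
            *) continue ;;                       # comments, blank lines, other products
        esac
        if ! rev_ge "$rev" "$FIXED_REV"; then
            echo "$fileset $rev"
            found=1
        fi
    done
    return $found
}

# Constructed sample in the shape of "swlist -l fileset" output; not from a real host
SAMPLE_SWLIST='# Initializing...
# Contacting target "hpux01"...
#
# Target:  hpux01:/
#
  Jdk14.JDK14-COM      1.4.2.27.00    Java 1.4 SDK common files
  Jdk14.JDK14-PA20     1.4.2.27.00    Java 1.4 SDK PA-RISC 2.0
  Jre14.JRE14-COM      1.4.2.28.00    Java 1.4 JRE common files
  Jre14.JRE14-PA20     1.4.2.28.00    Java 1.4 JRE PA-RISC 2.0
  Jpi14.JPI14-COM      1.4.2.27.00    Java 1.4 Plug-in common files'

# Usage on a real host:  swlist -l fileset Jdk14 Jre14 Jpi14 | vulnerable_filesets
printf '%s\n' "$SAMPLE_SWLIST" | vulnerable_filesets \
    || echo "update the filesets above to $FIXED_REV or subsequent"
```

On a live system replace the sample with `swlist -l fileset Jdk14 Jre14 Jpi14`. The function's exit status stays non-zero while any listed fileset is below the fix level, so it can gate a patch job or feed a compliance report; note that a partially updated host (JRE at 1.4.2.28, plug-in still at 1.4.2.27, as in the sample) is still reported as affected.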
HISTORY
Version:1 (rev.1) - 15 May 2012 Initial release
Third Party Security Patches: Third party security patches which are to be
installed on systems running HP software products should be applied in
accordance with the customer's patch management policy.
Support: For further information, contact normal HP Services support channel.
System management and security procedures must be reviewed frequently to
maintain system integrity. HP is continually reviewing and enhancing the
security features of software products to provide customers with current secure
solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users determine
the applicability of this information to their individual situations and take
appropriate action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP will not be
responsible for any damages resulting from user's use or disregard of the
information provided in this Bulletin. To the extent permitted by law, HP
disclaims all warranties, either express or implied, including the warranties
of merchantability and fitness for a particular purpose, title and
non-infringement."
Copyright 2012 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or
omissions contained herein. The information provided is provided "as is" without
warranty of any kind. To the extent permitted by law, neither HP nor its
affiliates, subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits; damages relating
to the procurement of substitute products or services; or damages for loss of
data, or software restoration. The information in this document is subject to
change without notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard Company in the
United States and other countries. Other product and company names mentioned
herein may be trademarks of their respective owners.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967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=BjPg
-----END PGP SIGNATURE-----