jdk 6 update 26 Release (긴급 패치)

jdk 6 update 26 이 critical patch 로 6월에 나왔네요.

java.lang.ClassCircularityError 관련 에러 패치와 보안 패치가 이루어진 긴급 패치 버전입니다.

 

[결론 : Red hat 계열의 java에서는 영향이 없고, window 플랫폼에서 사용하는 java만 upgrade하면 됩니다.]

 

다음 버전에 대해서는 패치하라고 권고하있습니다.

- JDK & JRE 6 Update 25 버전 및 하위 버전
- JDK 5.0 Update 29 버전 및 하위 버전
- SDK 1.4.2_31 버전 및 하위 버전

 

패치에 대한 내용은 다음과 같습니다.

http://www.oracle.com/technetwork/java/javase/6u26releasenotes-401875.html

 

내용 중에 critical한 요소를 쫓아 들어가보겠습니다.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, please see Oracle Java SE Critical Patch Update advisory.

 

 

어떤 보안 요소가 패치되었나 들어가보니.아래 링크가 뜹니다.

http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html

 

Oracle Java SE Risk Matrix

CVE#	Component	Protocol	Sub- component	Remote Exploit without Auth.?	CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)							Supported Versions Affected	Notes
					Base Score	Access Vector	Access Complexity	Authen- tication	Confiden- tiality	Integrity	Avail- ability
CVE-2011-0862	Java Runtime Environment	Multiple	2D	Yes	10.0	Network	Low	None	Complete	Complete	Complete	6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before	See Note 1
CVE-2011-0873	Java Runtime Environment	Multiple	2D	Yes	10.0	Network	Low	None	Complete	Complete	Complete	6 Update 25 and before, and 5.0 Update 29 and before	See Note 2
CVE-2011-0815	Java Runtime Environment	Multiple	AWT	Yes	10.0	Network	Low	None	Complete	Complete	Complete	6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before	See Note 3
CVE-2011-0817	Java Runtime Environment	Multiple	Deployment	Yes	10.0	Network	Low	None	Complete	Complete	Complete	6 Update 25 and before on Windows	See Note 3
CVE-2011-0863	Java Runtime Environment	Multiple	Deployment	Yes	10.0	Network	Low	None	Complete	Complete	Complete	6 Update 25 and before	See Note 3
CVE-2011-0864	Java Runtime Environment	Multiple	HotSpot	Yes	10.0	Network	Low	None	Complete	Complete	Complete	6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before	See Note 3
CVE-2011-0802	Java Runtime Environment	Multiple	Sound	Yes	10.0	Network	Low	None	Complete	Complete	Complete	6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before	See Note 2
CVE-2011-0814	Java Runtime Environment	Multiple	Sound	Yes	10.0	Network	Low	None	Complete	Complete	Complete	6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before	See Note 2
CVE-2011-0871	Java Runtime Environment	Multiple	Swing	Yes	10.0	Network	Low	None	Complete	Complete	Complete	6 Update 25 and before, 5.0 Update 29 and before, and 1.4.2_31 and before	See Note 3
CVE-2011-0786	Java Runtime Environment	Multiple	Deployment	Yes	7.6	Network	High	None	Complete	Complete	Complete	6 Update 25 and before on Windows	See Note 3
CVE-2011-0788	Java Runtime Environment	Multiple	Deployment	Yes	7.6	Network	High	None	Complete	Complete	Complete	6 Update 25 and before on Windows	See Note 3
CVE-2011-0866	Java Runtime Environment	Multiple	Java Runtime Environment	Yes	7.6	Network	High	None	Complete	Complete	Complete	6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before on Windows	See Note 3
CVE-2011-0868	Java Runtime Environment	Multiple	2D	Yes	5.0	Network	Low	None	Partial	None	None	6 Update 25 and before	See Note 2
CVE-2011-0872	Java Runtime Environment	Multiple	NIO	Yes	5.0	Network	Low	None	None	None	Partial+	6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before for Windows	See Note 4
CVE-2011-0867	Java Runtime Environment	Multiple	Networking	Yes	5.0	Network	Low	None	Partial	None	None	6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before	See Note 3
CVE-2011-0869	Java Runtime Environment	Multiple	SAAJ	Yes	5.0	Network	Low	None	Partial	None	None	6 Update 25 and before	See Note 3
CVE-2011-0865	Java Runtime Environment	Multiple	Deserialization	Yes	2.6	Network	High	None	None	Partial	None	6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before	See Note 3

 

 

Notes:

1. Fix addresses multiple instances of this vulnerability.
   Applies to client and server deployments of Java. This vulnerability can be exploited through Untrusted Java Web Start applications and Untrusted Java applets. It can also be exploited by supplying data to APIs in the specified Component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service.
2. Applies to client and server deployments of Java. This vulnerability can be exploited through Untrusted Java Web Start applications and Untrusted Java applets. It can also be exploited by supplying data to APIs in the specified Component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service.
3. Applies to client deployments of Java only. This vulnerability can be exploited only through Untrusted Java Web Start applications and Untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.)
4. Applies to server deployments of Java. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.

 

대부분이 webstart와 관련된 것이라 큰 이슈가 없지만, 이 중에 NIO 컴포넌트쪽이 이슈가 있군요.

 

CVE-2011-0872

Java Runtime Environment

Multiple

NIO

Yes

5.0

Network

Low

None

None

None

Partial+

6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before for Windows

See Note 4

 

 

원래 이름은 이거입니다.

CVE-2011-0872 OpenJDK: non-blocking sockets incorrectly selected for reading (NIO, 6213702)

 

정확한 내용을 확인해보니, Red hat 계열의 java에서는 영향이 없고, window 플랫폼에서 사용하는 java에 영향이 있다고 합니다.

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0872 

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0872