JDK 6 Update 26 was released in June as a Critical Patch Update.

It is an urgent patch release that fixes a java.lang.ClassCircularityError-related bug and bundles the June 2011 security fixes.

[Conclusion: for the NIO issue traced below (CVE-2011-0872), Java on Red Hat-family systems is not affected and only Java on the Windows platform needs upgrading. The other server-reachable rows in the risk matrix (Notes 1 and 2) carry no platform restriction, so check those separately.]

 

Oracle recommends patching the following versions:

- JDK & JRE 6 Update 25 and earlier
- JDK 5.0 Update 29 and earlier
- SDK 1.4.2_31 and earlier
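As an added example, not part of the original post or of Oracle's advisory: a small Python script that reads the version string from `java -version` output and applies the three version ceilings above. It assumes the `1.x.y_NN` version banner format Sun/Oracle used at the time; the sample banners in the file are constructed for illustration.

```python
import re
import subprocess

# Affected ceilings from the June 2011 Java SE CPU: each family is affected
# at this update level and below. Families not listed (e.g. 1.7) are not in
# this advisory at all.
AFFECTED_CEILINGS = {
    (1, 6, 0): 25,   # JDK & JRE 6 Update 25 and earlier
    (1, 5, 0): 29,   # JDK 5.0 Update 29 and earlier
    (1, 4, 2): 31,   # SDK 1.4.2_31 and earlier
}

# Matches the first line of `java -version`, e.g. java version "1.6.0_25"
VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')

# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = {
    "old 6":   'java version "1.6.0_25"\nJava(TM) SE Runtime Environment (build 1.6.0_25-b06)\n',
    "fixed 6": 'java version "1.6.0_26"\nJava(TM) SE Runtime Environment (build 1.6.0_26-b03)\n',
    "old 1.4": 'java version "1.4.2_31"\nJava(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_31-b03)\n',
    "7":       'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)\n',
}


def parse_java_version(banner):
    """Return (major, minor, micro, update) from a `java -version` banner,
    or None if no version line is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update) if update else 0)


def is_affected(version):
    """True if the version is at or below the advisory ceiling for its family."""
    family, update = version[:3], version[3]
    ceiling = AFFECTED_CEILINGS.get(family)
    return ceiling is not None and update <= ceiling


def classify(banner):
    """Human-readable verdict for one banner."""
    version = parse_java_version(banner)
    if version is None:
        return "no Java version found"
    label = "%d.%d.%d" % version[:3] + ("_%02d" % version[3] if version[3] else "")
    return "%s: %s" % (label, "AFFECTED, upgrade" if is_affected(version) else "not affected by this CPU")


def check_installed():
    """Run the local `java -version` (it prints to stderr) and classify it."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no java binary on PATH"
    return classify(out.stderr + out.stdout)


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print("%-8s %s" % (name, classify(banner)))
    print("local    %s" % check_installed())
```

Run it on each host in scope; a 1.6.0_25 or 1.5.0_29 banner is reported as affected, 1.6.0_26 is not, and a 1.7.0 banner is reported as outside this advisory rather than as safe in general.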

 

The release notes for the patch are here:

http://www.oracle.com/technetwork/java/javase/6u26releasenotes-401875.html

Let's chase down the critical part of those notes.

Bug Fixes

This release contains fixes for security vulnerabilities. For more information, please see Oracle Java SE Critical Patch Update advisory.

 

 

Following the link to see which security issues were fixed leads to the Critical Patch Update advisory:

http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html

 

Oracle Java SE Risk Matrix


The columns from Base Score through Availability are the CVSS Version 2.0 risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2011-0862 | Java Runtime Environment | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before | See Note 1 |
| CVE-2011-0873 | Java Runtime Environment | Multiple | 2D | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 6 Update 25 and before, and 5.0 Update 29 and before | See Note 2 |
| CVE-2011-0815 | Java Runtime Environment | Multiple | AWT | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before | See Note 3 |
| CVE-2011-0817 | Java Runtime Environment | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 6 Update 25 and before on Windows | See Note 3 |
| CVE-2011-0863 | Java Runtime Environment | Multiple | Deployment | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 6 Update 25 and before | See Note 3 |
| CVE-2011-0864 | Java Runtime Environment | Multiple | HotSpot | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before | See Note 3 |
| CVE-2011-0802 | Java Runtime Environment | Multiple | Sound | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before | See Note 2 |
| CVE-2011-0814 | Java Runtime Environment | Multiple | Sound | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before | See Note 2 |
| CVE-2011-0871 | Java Runtime Environment | Multiple | Swing | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 6 Update 25 and before, 5.0 Update 29 and before, and 1.4.2_31 and before | See Note 3 |
| CVE-2011-0786 | Java Runtime Environment | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | 6 Update 25 and before on Windows | See Note 3 |
| CVE-2011-0788 | Java Runtime Environment | Multiple | Deployment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | 6 Update 25 and before on Windows | See Note 3 |
| CVE-2011-0866 | Java Runtime Environment | Multiple | Java Runtime Environment | Yes | 7.6 | Network | High | None | Complete | Complete | Complete | 6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before on Windows | See Note 3 |
| CVE-2011-0868 | Java Runtime Environment | Multiple | 2D | Yes | 5.0 | Network | Low | None | Partial | None | None | 6 Update 25 and before | See Note 2 |
| CVE-2011-0872 | Java Runtime Environment | Multiple | NIO | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before for Windows | See Note 4 |
| CVE-2011-0867 | Java Runtime Environment | Multiple | Networking | Yes | 5.0 | Network | Low | None | Partial | None | None | 6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before | See Note 3 |
| CVE-2011-0869 | Java Runtime Environment | Multiple | SAAJ | Yes | 5.0 | Network | Low | None | Partial | None | None | 6 Update 25 and before | See Note 3 |
| CVE-2011-0865 | Java Runtime Environment | Multiple | Deserialization | Yes | 2.6 | Network | High | None | None | Partial | None | 6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before | See Note 3 |


Notes:

  1. Fix addresses multiple instances of this vulnerability.
    Applies to client and server deployments of Java. This vulnerability can be exploited through Untrusted Java Web Start applications and Untrusted Java applets. It can also be exploited by supplying data to APIs in the specified Component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service.
  2. Applies to client and server deployments of Java. This vulnerability can be exploited through Untrusted Java Web Start applications and Untrusted Java applets. It can also be exploited by supplying data to APIs in the specified Component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service.
  3. Applies to client deployments of Java only. This vulnerability can be exploited only through Untrusted Java Web Start applications and Untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.)
  4. Applies to server deployments of Java. This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service.
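The Base Score column in the matrix is not an independent judgement; it is computed from the six CVSS v2 metrics to its right. The following Python, added here and not part of Oracle's advisory or the original post, recomputes the score from the metric words as they appear in the matrix, using the weights from the CVSS v2 specification, and checks the result against the five distinct published scores (10.0, 7.6, 5.0, 5.0, 2.6). `Partial+` is Oracle's own notation for a partial impact that may be escalated; the score itself is computed as Partial, which is what the 5.0 on the NIO row confirms. The `MATRIX_ROWS` sample is copied from the matrix above.

```python
import math

# CVSS v2 base-metric weights (CVSS v2 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Mapping from the words Oracle prints in its risk matrix to vector letters.
WORD_TO_LETTER = {
    "AV": {"Local": "L", "Adjacent Network": "A", "Network": "N"},
    "AC": {"High": "H", "Medium": "M", "Low": "L"},
    "Au": {"Multiple": "M", "Single": "S", "None": "N"},
    "impact": {"None": "N", "Partial": "P", "Complete": "C"},
}

# Rows copied from the matrix above: (CVE, AV, AC, Au, C, I, A, published score).
# One row per distinct score/vector so every published value is exercised.
MATRIX_ROWS = [
    ("CVE-2011-0862", "Network", "Low", "None", "Complete", "Complete", "Complete", 10.0),
    ("CVE-2011-0786", "Network", "High", "None", "Complete", "Complete", "Complete", 7.6),
    ("CVE-2011-0868", "Network", "Low", "None", "Partial", "None", "None", 5.0),
    ("CVE-2011-0872", "Network", "Low", "None", "None", "None", "Partial+", 5.0),
    ("CVE-2011-0865", "Network", "High", "None", "None", "Partial", "None", 2.6),
]


def matrix_row_to_vector(av, ac, au, c, i, a):
    """Turn the matrix's metric words into a CVSS v2 base vector string.
    Oracle's 'Partial+' marker is scored as Partial, so the '+' is dropped."""
    imp = WORD_TO_LETTER["impact"]
    c, i, a = (x.rstrip("+") for x in (c, i, a))
    return "AV:%s/AC:%s/Au:%s/C:%s/I:%s/A:%s" % (
        WORD_TO_LETTER["AV"][av], WORD_TO_LETTER["AC"][ac], WORD_TO_LETTER["Au"][au],
        imp[c], imp[i], imp[a])


def parse_vector(vector):
    """'AV:N/AC:L/Au:N/C:C/I:C/A:C' -> {'AV': 'N', 'AC': 'L', ...}; rejects partial vectors."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError("incomplete CVSS v2 base vector: %r" % vector)
    return metrics


def cvss2_base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the specification does
    (round half up, not Python's default round-half-even)."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return math.floor(score * 10 + 0.5) / 10


def check_matrix(rows=MATRIX_ROWS):
    """Recompute each row's score; return the rows whose published score disagrees."""
    mismatches = []
    for cve, av, ac, au, c, i, a, published in rows:
        computed = cvss2_base_score(matrix_row_to_vector(av, ac, au, c, i, a))
        if computed != published:
            mismatches.append((cve, computed, published))
    return mismatches


if __name__ == "__main__":
    for cve, av, ac, au, c, i, a, published in MATRIX_ROWS:
        vec = matrix_row_to_vector(av, ac, au, c, i, a)
        print("%s %-28s computed %4.1f published %4.1f" % (cve, vec, cvss2_base_score(vec), published))
    print("mismatches:", check_matrix())
```

The point of recomputing is that the two 5.0 rows look identical by score but are not the same risk: CVE-2011-0868 is a confidentiality-only partial, CVE-2011-0872 is an availability-only partial with Oracle's escalation marker. When triaging by score alone that distinction, and the Note 4 server-only exposure, is lost.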

 

Most of these are reachable only through untrusted Web Start applications and applets (Note 3), so on the server side they are not a big issue, but the NIO component entry is. (Keep in mind that the rows marked Note 1 and Note 2 also apply to server deployments when untrusted data reaches those components' APIs, e.g. through a web service, so a server that exposes 2D or Sound processing to outside input is in scope as well.)

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2011-0872 | Java Runtime Environment | Multiple | NIO | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 6 Update 25 and before, 5.0 Update 29 and before, 1.4.2_31 and before for Windows | See Note 4 |

Its title in Red Hat's bug tracker is:

CVE-2011-0872 OpenJDK: non-blocking sockets incorrectly selected for reading (NIO, 6213702)

Checking the details, Java on Red Hat-family systems is not affected by this one, while Java on the Windows platform is (the matrix likewise lists the affected versions "for Windows" only).

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0872 

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0872

Posted by 김용환