
Bug 977646 (CVE-2016-0376) - VUL-0: CVE-2016-0376: java-1_6_0-ibm,java-1_7_0-ibm,java-1_7_1-ibm: insecure deserialization in CORBA, incorrect CVE-2013-5456 fix
Summary: VUL-0: CVE-2016-0376: java-1_6_0-ibm,java-1_7_0-ibm,java-1_7_1-ibm: insecure ...
Status: RESOLVED FIXED
Duplicates: 981057
Alias: CVE-2016-0376
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Deadline: 2016-05-25
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/168386/
Whiteboard: CVSSv2:SUSE:CVE-2016-0376:7.6:(AV:N/A...
Keywords:
Depends on:
Blocks: 981057 981087
Reported: 2016-04-28 13:09 UTC by Andreas Stieger
Modified: 2016-11-29 16:02 UTC
CC List: 7 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2016-04-28 13:09:22 UTC
http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_April_2016
http://www-01.ibm.com/support/docview.wss?uid=swg21980826

CVEID: CVE-2016-0376
DESCRIPTION: A vulnerability in IBM Java SDK could allow a remote attacker to execute arbitrary code on the system. This vulnerability allows code running under a security manager to escalate its privileges by modifying or removing the security manager. This vulnerability was originally reported as CVE-2013-5456.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112152 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) 

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1330986
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0376
Comment 2 Swamp Workflow Management 2016-04-28 13:38:20 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-05-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62677
Comment 3 Forgotten User l5HDYKT_qR 2016-04-28 15:49:50 UTC
I am unable to download ibm-java-sdk-6.0-16.25-linux-s390x.bin since it's not even present on the Downloads page. All the other binaries seem to be present.
Comment 4 Swamp Workflow Management 2016-04-28 22:01:15 UTC
bugbot adjusting priority
Comment 5 Hanns-Joachim Uhl 2016-04-29 08:50:20 UTC
(In reply to Přemysl Janouch from comment #3)
> I am unable to download ibm-java-sdk-6.0-16.25-linux-s390x.bin since it's
> not even present on the Downloads page. All the other binaries seem to be
> present.
.
Hello SUSE / Přemysl,
... it should be available now .... please give it a try again ...
Fyi ... I just downloaded the following files myself:
ibm-java-s390x-sdk-6.0-16.25.bin
ibm-java-sdk-6.0-16.25-linux-s390x.bin
ibm-java-s390x-jre-6.0-16.25.bin
ibm-java-jre-6.0-16.25-linux-s390x.bin
Please keep me informed in case of any further questions. 
Thanks for your support.
Comment 11 Swamp Workflow Management 2016-05-11 17:10:14 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-05-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62717
Comment 14 Swamp Workflow Management 2016-05-13 14:08:24 UTC
SUSE-SU-2016:1299-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    java-1_7_1-ibm-1.7.1_sr3.40-25.1
SUSE Linux Enterprise Software Development Kit 12 (src):    java-1_7_1-ibm-1.7.1_sr3.40-25.1
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_7_1-ibm-1.7.1_sr3.40-25.1
SUSE Linux Enterprise Server 12 (src):    java-1_7_1-ibm-1.7.1_sr3.40-25.1
Comment 15 Swamp Workflow Management 2016-05-13 14:09:11 UTC
SUSE-SU-2016:1300-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    java-1_7_1-ibm-1.7.1_sr3.40-13.1
SUSE Linux Enterprise Server 11-SP4 (src):    java-1_7_1-ibm-1.7.1_sr3.40-13.1
Comment 16 Swamp Workflow Management 2016-05-13 19:08:03 UTC
SUSE-SU-2016:1303-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src):    java-1_6_0-ibm-1.6.0_sr16.25-34.1
Comment 17 Forgotten User l5HDYKT_qR 2016-05-19 16:23:01 UTC
Updates released, closing.
Comment 18 Swamp Workflow Management 2016-05-21 00:07:57 UTC
SUSE-SU-2016:1378-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE OpenStack Cloud 5 (src):    java-1_7_0-ibm-1.7.0_sr9.40-52.1
SUSE Manager Proxy 2.1 (src):    java-1_7_0-ibm-1.7.0_sr9.40-52.1
SUSE Manager 2.1 (src):    java-1_7_0-ibm-1.7.0_sr9.40-52.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    java-1_7_0-ibm-1.7.0_sr9.40-52.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    java-1_7_0-ibm-1.7.0_sr9.40-52.1
Comment 19 Swamp Workflow Management 2016-05-21 00:08:39 UTC
SUSE-SU-2016:1379-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE OpenStack Cloud 5 (src):    java-1_6_0-ibm-1.6.0_sr16.25-69.1
SUSE Manager Proxy 2.1 (src):    java-1_6_0-ibm-1.6.0_sr16.25-69.1
SUSE Manager 2.1 (src):    java-1_6_0-ibm-1.6.0_sr16.25-69.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.25-69.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.25-69.1
Comment 20 Alexander Bergmann 2016-05-23 10:09:43 UTC
*** Bug 981057 has been marked as a duplicate of this bug. ***
Comment 21 Alexander Bergmann 2016-05-23 10:10:01 UTC
We also need a submission for IBM Java 8. (SUSE:SLE-12-SP1:Update/java-1_8_0-ibm)

I just opened this bug for reference during the update procedure as mentioned inside bsc#981057.
Comment 23 LTC BugProxy 2016-05-23 10:18:09 UTC
looks like a double entry...

*** This bug has been marked as a duplicate of bug 981057 ***
== Comment: #0 - Thomas Staudt <tstaudt@de.ibm.com> - 2016-05-23 04:14:32 ==
The latest CVEs have been addressed for several SLES Releases via e.g.

LTC 140954 - SUSE977646- (CVE-2016-0376) VUL-0: CVE-2016-0376: java-1_6_0-ibm,java-1_7_0-ibm,java-1_7_1-ibm: insecure deserialization in CORBA, incorrect CVE-2013-5456 fix

except for IBM Java 8.

Please do the same for IBM Java 8 for SLES 12 SP1 (and then also for SLES 12 SP2 Beta)
and update to IBM Java 8 SR3.

The CVEs fixed are listed at
http://www.ibm.com/developerworks/java/jdk/alerts/

Thanks.

We will handle this update inside the original bug report bsc#977646.

*** This bug has been marked as a duplicate of bug 977646 ***

*** Bug 981060 has been marked as a duplicate of this bug. ***
Comment 26 Swamp Workflow Management 2016-05-24 12:08:10 UTC
SUSE-SU-2016:1388-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.25-0.11.1
Comment 27 Swamp Workflow Management 2016-05-31 20:08:34 UTC
SUSE-SU-2016:1458-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252,981087
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src):    java-1_6_0-ibm-1.6.0_sr16.26-37.1
Comment 28 Marcus Meissner 2016-06-01 20:27:52 UTC
released
Comment 29 Hanns-Joachim Uhl 2016-06-02 07:18:27 UTC
(In reply to Alexander Bergmann from comment #21)
> We also need a submission for IBM Java 8.
> (SUSE:SLE-12-SP1:Update/java-1_8_0-ibm)
> 
> I just opened this bug for reference during the update procedure as
> mentioned inside bsc#981057.
.
... 'released' ...? I cannot find the above mentioned IBM Java 8 update on the maintweb yet .. .
Comment 30 Swamp Workflow Management 2016-06-02 09:08:33 UTC
SUSE-SU-2016:1475-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 965665,977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    java-1_8_0-ibm-1.8.0_sr3.0-10.1
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_8_0-ibm-1.8.0_sr3.0-10.1
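The advisory comments above list one fixed version-release per product and source package. The script below is an added example, not part of this bug report and not SUSE or IBM tooling: it compares the IBM Java packages installed on a host against that table using a simplified reimplementation of rpm's version comparison, so that a fleet check does not rely on string equality (which would wrongly flag a newer rebuild such as 1.6.0_sr16.26-37.1 as unpatched). Assumptions: the binary packages (and their subpackages such as a hypothetical java-1_7_1-ibm-jdbc) carry the same version-release as the source package named in the advisory; the input is the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'java-*-ibm*'`; the product strings are keyed exactly as they appear in the advisories; epochs and tilde/caret pre-release markers are not handled; the sample rpm output is constructed and the table is a subset of the advisories transcribed above.

```python
"""Check installed IBM Java packages on a SUSE host against the fixed
version-releases published for CVE-2016-0376 (bsc#977646).

Added example; not SUSE or IBM tooling. Fixed versions are transcribed from
the SUSE-SU-2016:1299-1, 1300-1, 1303-1, 1378-1, 1379-1 and 1475-1 entries
in this bug (subset)."""
import re

# product -> {source package -> fixed version-release}
FIXED_VERSIONS = {
    "SUSE Linux Enterprise Server 12-SP1": {
        "java-1_7_1-ibm": "1.7.1_sr3.40-25.1",
        "java-1_8_0-ibm": "1.8.0_sr3.0-10.1",
    },
    "SUSE Linux Enterprise Server 12": {
        "java-1_7_1-ibm": "1.7.1_sr3.40-25.1",
    },
    "SUSE Linux Enterprise Server 11-SP4": {
        "java-1_7_1-ibm": "1.7.1_sr3.40-13.1",
    },
    "SUSE Linux Enterprise Server 11-SP3-LTSS": {
        "java-1_7_0-ibm": "1.7.0_sr9.40-52.1",
        "java-1_6_0-ibm": "1.6.0_sr16.25-69.1",
    },
    "SUSE Linux Enterprise Module for Legacy Software 12": {
        "java-1_6_0-ibm": "1.6.0_sr16.25-34.1",
    },
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpmvercmp: split both strings into alternating numeric and
    alphabetic segments (separators such as '.' and '_' are dropped) and
    compare segment by segment. Numeric segments compare as integers, so
    sr3.40 > sr3.9. Tilde/caret markers are NOT handled. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif xd != yd:
            return 1 if xd else -1      # a numeric segment beats an alpha one
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1   # the longer string is newer


def compare_vr(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def base_package(name, known):
    """Map a binary (sub)package name, e.g. java-1_7_1-ibm-jdbc, to the
    source package it was built from (assumption: same version-release)."""
    for base in known:
        if name == base or name.startswith(base + "-"):
            return base
    return None


def check_host(product, rpm_output):
    """Return {package: 'fixed' | 'VULNERABLE' | 'not covered'} for each
    'NAME VERSION-RELEASE' line, against the table for the given product."""
    fixed = FIXED_VERSIONS.get(product, {})
    result = {}
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        name, vr = line.split()
        base = base_package(name, fixed)
        if base is None:
            result[name] = "not covered"          # no fixed version listed
        elif compare_vr(vr, fixed[base]) >= 0:
            result[name] = "fixed"
        else:
            result[name] = "VULNERABLE"
    return result


# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'java-*-ibm*'`
# on an imagined SLES 12-SP1 host; the unpatched versions are made up.
SAMPLE_RPM_OUTPUT = """\
java-1_7_1-ibm 1.7.1_sr3.40-25.1
java-1_7_1-ibm-jdbc 1.7.1_sr3.40-25.1
java-1_8_0-ibm 1.8.0_sr2.10-7.1
java-1_6_0-ibm 1.6.0_sr16.20-30.1
"""

if __name__ == "__main__":
    for pkg, status in check_host("SUSE Linux Enterprise Server 12-SP1",
                                  SAMPLE_RPM_OUTPUT).items():
        print(f"{pkg:28s} {status}")
```

On a real host, feed the rpm query output to `check_host` with the product string taken from /etc/products.d; treat "not covered" as a prompt to look the package up in the advisories rather than as a pass, since for SLES 12 the java-1_6_0-ibm fix shipped through the Legacy Software module and is keyed under that product here.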