Vulnerabilities > CVE-2013-1926 - Security Bypass vulnerability in IcedTea-Web
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the same class loader for applets with the same codebase path but from different domains, which allows remote attackers to obtain sensitive information or possibly alter other applets via a crafted applet. Per http://www.ubuntu.com/usn/USN-1804-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 Ubuntu 10.04 LTS" Per http://lists.opensuse.org/opensuse-updates/2013-04/msg00106.html "Affected Products: openSUSE 12.2"
Vulnerable Configurations
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2013-5962.NASL description New in release 1.3.2 (2013-04-17) : - Security Updates - CVE-2013-1927, RH884705: fixed gifar vulnerability - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. - Common - Added new option in itw-settings which allows users to set JVM arguments when plugin is initialized. - NetX - PR580: http://www.horaoficial.cl/ loads improperly - Plugin PR1260: IcedTea-Web should not rely on GTK PR1157: Applets can hang browser after fatal exception Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-04-18 plugin id 66011 published 2013-04-18 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66011 title Fedora 18 : icedtea-web-1.3.2-0.fc18 (2013-5962) NASL family SuSE Local Security Checks NASL id SUSE_11_ICEDTEA-WEB-130419.NASL description This update to version 1.3.2 fixes several security updates and common fixes. (bnc#815596) Security Updates - fixed gifar vulnerability. (CVE-2013-1927) - Class-loader incorrectly shared for applets with same relative-path. Common. (CVE-2013-1926) - Added new option in itw-settings which allows users to set JVM arguments when plugin is initialized. NetX - PR580: http://www.horaoficial.cl/ loads improperly Plugin - PR1260: IcedTea-Web should not rely on GTK obsoletes icedtea-web-remove-gtk-dep.patch - PR1157: Applets can hang browser after fatal exception last seen 2020-06-05 modified 2013-04-29 plugin id 66253 published 2013-04-29 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66253 title SuSE 11.2 Security Update : icedtea-web (SAT Patch Number 7642) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-373.NASL description - update to 1.3.2 (bnc#815596) - Security Updates - CVE-2013-1927, RH884705: fixed gifar vulnerability - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. - Common - Added new option in itw-settings which allows users to set JVM arguments when plugin is initialized. - NetX - PR580: http://www.horaoficial.cl/ loads improperly - Plugin - PR1260: IcedTea-Web should not rely on GTK obsoletes icedtea-web-remove-gtk-dep.patch - PR1157: Applets can hang browser after fatal exception last seen 2020-06-05 modified 2014-06-13 plugin id 74981 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74981 title openSUSE Security Update : icedtea-web (openSUSE-SU-2013:0897-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0753.NASL description Updated icedtea-web packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. It was discovered that the IcedTea-Web plug-in incorrectly used the same class loader instance for applets with the same value of the codebase attribute, even when they originated from different domains. A malicious applet could use this flaw to gain information about and possibly manipulate applets from different domains currently running in the browser. (CVE-2013-1926) The IcedTea-Web plug-in did not properly check the format of the downloaded Java Archive (JAR) files. This could cause the plug-in to execute code hidden in a file in a different format, possibly allowing attackers to execute code in the context of websites that allow uploads of specific file types, known as a GIFAR attack. (CVE-2013-1927) The CVE-2013-1926 issue was discovered by Jiri Vanek of the Red Hat OpenJDK Team, and CVE-2013-1927 was discovered by the Red Hat Security Response Team. This erratum also upgrades IcedTea-Web to version 1.2.3. Refer to the NEWS file, linked to in the References, for further information. All IcedTea-Web users should upgrade to these updated packages, which resolve these issues. Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 66015 published 2013-04-18 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66015 title RHEL 6 : icedtea-web (RHSA-2013:0753) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-371.NASL description - update to 1.3.2 (bnc#815596) - Security Updates - CVE-2013-1927, RH884705: fixed gifar vulnerability - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. - Common - Added new option in itw-settings which allows users to set JVM arguments when plugin is initialized. - NetX - PR580: http://www.horaoficial.cl/ loads improperly - Plugin - PR1260: IcedTea-Web should not rely on GTK obsoletes icedtea-web-remove-gtk-dep.patch - PR1157: Applets can hang browser after fatal exception - Add icedtea-web-remove-gtk-dep.patch, build icedtea-web without GTK. Plugin now works in both gtk2 and gtk3 based browsers. - limit the provides/obsoletes to architectures, where -plugin package existed and don last seen 2020-06-05 modified 2014-06-13 plugin id 74979 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74979 title openSUSE Security Update : icedtea-web (openSUSE-SU-2013:0715-1) NASL family SuSE Local Security Checks NASL id SUSE_11_ICEDTEA-WEB-130702.NASL description This update to IcedTea-Web 1.4 provides the following fixes and enhancements : - Security updates - RH916774: Class-loader incorrectly shared for applets with same relative-path. (CVE-2013-1926) - RH884705: fixed gifar vulnerabilit. (CVE-2013-1927) - RH840592: Potential read from an uninitialized memory location. (CVE-2012-3422) - RH841345: Incorrect handling of not 0-terminated strings. (CVE-2012-3423) - RH884705: fixed gifar vulnerability. (CVE-2013-1927) - RH916774: Class-loader incorrectly shared for applets with same relative-path. (CVE-2013-1926) - NetX - PR1027: DownloadService is not supported by IcedTea-Web - PR725: JNLP applications will prompt for creating desktop shortcuts every time they are run - PR1292: Javaws does not resolve versioned jar names with periods correctly - PR580: http://www.horaoficial.cl/ loads improperly. - Plugin - PR1106: Buffer overflow in plugin table- - PR1166: Embedded JNLP File is not supported in applet tag - PR1217: Add command line arguments for plugins - PR1189: Icedtea-plugin requires code attribute when using jnlp_href - PR1198: JSObject is not passed to JavaScript correctly - PR1260: IcedTea-Web should not rely on GTK - PR1157: Applets can hang browser after fatal exception - PR580: http://www.horaoficial.cl/ loads improperly - PR1260: IcedTea-Web should not rely on GTK - PR1157: Applets can hang browser after fatal exception. - Common - PR1049: Extension jnlp last seen 2020-06-05 modified 2013-07-18 plugin id 68953 published 2013-07-18 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/68953 title SuSE 11.3 Security Update : icedtea-web (SAT Patch Number 7981) NASL family Scientific Linux Local Security Checks NASL id SL_20130417_ICEDTEA_WEB_ON_SL6_X.NASL description It was discovered that the IcedTea-Web plug-in incorrectly used the same class loader instance for applets with the same value of the codebase attribute, even when they originated from different domains. A malicious applet could use this flaw to gain information about and possibly manipulate applets from different domains currently running in the browser. (CVE-2013-1926) The IcedTea-Web plug-in did not properly check the format of the downloaded Java Archive (JAR) files. This could cause the plug-in to execute code hidden in a file in a different format, possibly allowing attackers to execute code in the context of websites that allow uploads of specific file types, known as a GIFAR attack. (CVE-2013-1927) This erratum also upgrades IcedTea-Web to version 1.2.3. Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect. last seen 2020-03-18 modified 2013-04-18 plugin id 66017 published 2013-04-18 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66017 title Scientific Linux Security Update : icedtea-web on SL6.x i386/x86_64 (20130417) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-372.NASL description - update to 1.3.2 (bnc#815596) - Security Updates - CVE-2013-1927, RH884705: fixed gifar vulnerability - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. - Common - Added new option in itw-settings which allows users to set JVM arguments when plugin is initialized. - NetX - PR580: http://www.horaoficial.cl/ loads improperly - Plugin - PR1260: IcedTea-Web should not rely on GTK obsoletes icedtea-web-remove-gtk-dep.patch - PR1157: Applets can hang browser after fatal exception last seen 2020-06-05 modified 2014-06-13 plugin id 74980 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74980 title openSUSE Security Update : icedtea-web (openSUSE-SU-2013:0735-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-0753.NASL description Updated icedtea-web packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. It was discovered that the IcedTea-Web plug-in incorrectly used the same class loader instance for applets with the same value of the codebase attribute, even when they originated from different domains. A malicious applet could use this flaw to gain information about and possibly manipulate applets from different domains currently running in the browser. (CVE-2013-1926) The IcedTea-Web plug-in did not properly check the format of the downloaded Java Archive (JAR) files. This could cause the plug-in to execute code hidden in a file in a different format, possibly allowing attackers to execute code in the context of websites that allow uploads of specific file types, known as a GIFAR attack. (CVE-2013-1927) The CVE-2013-1926 issue was discovered by Jiri Vanek of the Red Hat OpenJDK Team, and CVE-2013-1927 was discovered by the Red Hat Security Response Team. This erratum also upgrades IcedTea-Web to version 1.2.3. Refer to the NEWS file, linked to in the References, for further information. All IcedTea-Web users should upgrade to these updated packages, which resolve these issues. Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 66003 published 2013-04-18 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66003 title CentOS 6 : icedtea-web (CESA-2013:0753) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1804-2.NASL description USN-1804-1 fixed vulnerabilities in IcedTea-Web. This update introduced a regression with the Java Network Launching Protocol (JNLP) when fetching content over SSL under certain configurations, such as when using the community-supported IcedTead 7 browser plugin. This update fixes the problem. We apologize for the inconvenience. Jiri Vanek discovered that IcedTea-Web would use the same classloader for applets from different domains. A remote attacker could exploit this to expose sensitive information or potentially manipulate applets from other domains. (CVE-2013-1926) It was discovered that IcedTea-Web did not properly verify JAR files and was susceptible to the GIFAR attack. If a user were tricked into opening a malicious website, a remote attacker could potentially exploit this to execute code under certain circumstances. (CVE-2013-1927). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 66199 published 2013-04-24 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66199 title Ubuntu 11.10 / 12.04 LTS : icedtea-web regression (USN-1804-2) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1804-1.NASL description Jiri Vanek discovered that IcedTea-Web would use the same classloader for applets from different domains. A remote attacker could exploit this to expose sensitive information or potentially manipulate applets from other domains. (CVE-2013-1926) It was discovered that IcedTea-Web did not properly verify JAR files and was susceptible to the GIFAR attack. If a user were tricked into opening a malicious website, a remote attacker could potentially exploit this to execute code under certain circumstances. (CVE-2013-1927). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 66032 published 2013-04-19 reporter Ubuntu Security Notice (C) 2013-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66032 title Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : icedtea-web vulnerabilities (USN-1804-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-0753.NASL description From Red Hat Security Advisory 2013:0753 : Updated icedtea-web packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. It was discovered that the IcedTea-Web plug-in incorrectly used the same class loader instance for applets with the same value of the codebase attribute, even when they originated from different domains. A malicious applet could use this flaw to gain information about and possibly manipulate applets from different domains currently running in the browser. (CVE-2013-1926) The IcedTea-Web plug-in did not properly check the format of the downloaded Java Archive (JAR) files. This could cause the plug-in to execute code hidden in a file in a different format, possibly allowing attackers to execute code in the context of websites that allow uploads of specific file types, known as a GIFAR attack. (CVE-2013-1927) The CVE-2013-1926 issue was discovered by Jiri Vanek of the Red Hat OpenJDK Team, and CVE-2013-1927 was discovered by the Red Hat Security Response Team. This erratum also upgrades IcedTea-Web to version 1.2.3. Refer to the NEWS file, linked to in the References, for further information. All IcedTea-Web users should upgrade to these updated packages, which resolve these issues. Web browsers using the IcedTea-Web browser plug-in must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 68813 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68813 title Oracle Linux 6 : icedtea-web (ELSA-2013-0753) NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-439.NASL description Changes in icedtea-web with update to 1.4 (bnc#818768) : - Added cs, de, pl localization - Splash screen for javaws and plugin - Better error reporting for plugin via Error-splash-screen - All IcedTea-Web dialogues are centered to middle of active screen - Download indicator made compact for more then one jar - User can select its own JVM via itw-settings and deploy.properties. - Added extended applets security settings and dialogue - Security updates - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. - CVE-2013-1927, RH884705: fixed gifar vulnerabilit - CVE-2012-3422, RH840592: Potential read from an uninitialized memory location - CVE-2012-3423, RH841345: Incorrect handling of not 0-terminated strings - NetX - PR1027: DownloadService is not supported by IcedTea-Web - PR725: JNLP applications will prompt for creating desktop shortcuts every time they are run - PR1292: Javaws does not resolve versioned jar names with periods correctly - Plugin - PR1106: Buffer overflow in plugin table- - PR1166: Embedded JNLP File is not supported in applet tag - PR1217: Add command line arguments for plugins - PR1189: Icedtea-plugin requires code attribute when using jnlp_href - PR1198: JSObject is not passed to JavaScript correctly - PR1260: IcedTea-Web should not rely on GTK - PR1157: Applets can hang browser after fatal exception - PR580: http://www.horaoficial.cl/ loads improperly - Common - PR1049: Extension jnlp last seen 2020-06-05 modified 2014-06-13 plugin id 75010 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75010 title openSUSE Security Update : icedtea-web (openSUSE-SU-2013:0893-1) NASL family Fedora Local Security Checks NASL id FEDORA_2013-5877.NASL description New in release 1.3.2 (2013-04-17) : - Security Updates - CVE-2013-1927, RH884705: fixed gifar vulnerability - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. - Common - Added new option in itw-settings which allows users to set JVM arguments when plugin is initialized. - NetX - PR580: http://www.horaoficial.cl/ loads improperly - Plugin PR1260: IcedTea-Web should not rely on GTK PR1157: Applets can hang browser after fatal exception Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-04-26 plugin id 66220 published 2013-04-26 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66220 title Fedora 19 : icedtea-web-1.3.2-0.fc19 (2013-5877) NASL family Fedora Local Security Checks NASL id FEDORA_2013-5925.NASL description - Security Updates - CVE-2013-1927, RH884705: fixed gifar vulnerability - CVE-2013-1926, RH916774: Class-loader incorrectly shared for applets with same relative-path. - Common - Added new option in itw-settings which allows users to set JVM arguments when plugin is initialized. - NetX - PR580: http://www.horaoficial.cl/ loads improperly - Plugin PR1260: IcedTea-Web should not rely on GTK PR1157: Applets can hang browser after fatal exceptio Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-04-20 plugin id 66039 published 2013-04-20 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66039 title Fedora 17 : icedtea-web-1.3.2-0.fc17 (2013-5925) NASL family SuSE Local Security Checks NASL id SUSE_11_ICEDTEA-WEB-130517.NASL description This update of icedtea-web fixes several bugs and security issues. last seen 2020-06-05 modified 2013-06-02 plugin id 66741 published 2013-06-02 reporter This script is Copyright (C) 2013-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/66741 title SuSE 11.2 Security Update : icedtea-web (SAT Patch Number 7742)
Redhat
| advisories |
| ||||
| rpms |
|
References
- http://icedtea.classpath.org/hg/release/icedtea-web-1.2/file/icedtea-web-1.2.3/NEWS
- http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/34b6f60ae586
- http://icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/25dd7c7ac39c
- http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00013.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00106.html
- http://lists.opensuse.org/opensuse-updates/2013-05/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2013-05/msg00032.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00030.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00034.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00101.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022790.html
- http://osvdb.org/92543
- http://rhn.redhat.com/errata/RHSA-2013-0753.html
- http://secunia.com/advisories/53109
- http://secunia.com/advisories/53117
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:146
- http://www.securityfocus.com/bid/59281
- http://www.ubuntu.com/usn/USN-1804-1
- https://bugzilla.redhat.com/show_bug.cgi?id=916774
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83642
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0123