Vulnerabilities > CVE-2019-10185

047910
CVSS 8.6 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
icedtea-web-project
debian
opensuse
nessus

Summary

It was found that icedtea-web up to and including 1.7.2 and 1.8.2 was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2003.NASL
    descriptionAn update for icedtea-web is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Security Fix(es) : * icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182) * icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185) * icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127645
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127645
    titleRHEL 7 : icedtea-web (RHSA-2019:2003)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:2003. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127645);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2019-10181", "CVE-2019-10182", "CVE-2019-10185");
      script_xref(name:"RHSA", value:"2019:2003");
    
      script_name(english:"RHEL 7 : icedtea-web (RHSA-2019:2003)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for icedtea-web is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    The IcedTea-Web project provides a Java web browser plug-in and an
    implementation of Java Web Start, which is based on the Netx project.
    It also contains a configuration tool for managing deployment settings
    for the plug-in and Web Start implementations. IcedTea-Web now also
    contains PolicyEditor - a simple tool to configure Java policies.
    
    Security Fix(es) :
    
    * icedtea-web: path traversal while processing elements of JNLP files
    results in arbitrary file overwrite (CVE-2019-10182)
    
    * icedtea-web: directory traversal in the nested jar auto-extraction
    leading to arbitrary file overwrite (CVE-2019-10185)
    
    * icedtea-web: unsigned code injection in a signed JAR file
    (CVE-2019-10181)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:2003"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10181"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10182"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-10185"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-10181");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:icedtea-web");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:icedtea-web-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:icedtea-web-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:icedtea-web-javadoc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:2003";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"icedtea-web-1.7.1-2.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"icedtea-web-debuginfo-1.7.1-2.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"icedtea-web-devel-1.7.1-2.el7_6")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"icedtea-web-javadoc-1.7.1-2.el7_6")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "icedtea-web / icedtea-web-debuginfo / icedtea-web-devel / etc");
      }
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1914.NASL
    descriptionSeveral security vulnerabilities were found in icedtea-web, an implementation of the Java Network Launching Protocol (JNLP). CVE-2019-10181 It was found that in icedtea-web executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox. CVE-2019-10182 It was found that icedtea-web did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user. CVE-2019-10185 It was found that icedtea-web was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id128618
    published2019-09-10
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128618
    titleDebian DLA-1914-1 : icedtea-web security update
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2003.NASL
    descriptionFrom Red Hat Security Advisory 2019:2003 : An update for icedtea-web is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Security Fix(es) : * icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182) * icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185) * icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127611
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127611
    titleOracle Linux 7 : icedtea-web (ELSA-2019-2003)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1911.NASL
    descriptionThis update for icedtea-web to version 1.7.2 fixes the following issues : Security issues fixed : - CVE-2019-10181: Fixed an unsigned code injection in a signed JAR file (bsc#1142835) - CVE-2019-10182: Fixed a path traversal while processing <jar/> elements of JNLP files results in arbitrary file overwrite (bsc#1142825). - CVE-2019-10185: Fixed a directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (bsc#1142832). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id128003
    published2019-08-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128003
    titleopenSUSE Security Update : icedtea-web (openSUSE-2019-1911)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1905.NASL
    descriptionAccording to the versions of the icedtea-web package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that executable code could be injected in a JAR file without compromising the signature verification. An attacker could use this flaw to inject code in a trusted JAR. The code would be executed inside the sandbox.(CVE-2019-10181) - It was found that icedtea-web did not properly sanitize paths from i1/4oejar/i1/4z elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.(CVE-2019-10182) - It was found that icedtea-web was vulnerable to a zip-slip attack during auto-extraction of a JAR file. An attacker could use this flaw to write files to arbitrary locations. This could also be used to replace the main running application and, possibly, break out of the sandbox.(CVE-2019-10185) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-09-16
    plugin id128828
    published2019-09-16
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128828
    titleEulerOS 2.0 SP5 : icedtea-web (EulerOS-SA-2019-1905)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2004.NASL
    descriptionAn update for icedtea-web is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Security Fix(es) : * icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182) * icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185) * icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127646
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127646
    titleRHEL 8 : icedtea-web (RHSA-2019:2004)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2003.NASL
    descriptionAn update for icedtea-web is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Security Fix(es) : * icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182) * icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185) * icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-04-16
    modified2020-04-10
    plugin id135312
    published2020-04-10
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135312
    titleCentOS 7 : icedtea-web (CESA-2019:2003)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2004.NASL
    descriptionFrom Red Hat Security Advisory 2019:2004 : An update for icedtea-web is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The IcedTea-Web project provides a Java web browser plug-in and an implementation of Java Web Start, which is based on the Netx project. It also contains a configuration tool for managing deployment settings for the plug-in and Web Start implementations. IcedTea-Web now also contains PolicyEditor - a simple tool to configure Java policies. Security Fix(es) : * icedtea-web: path traversal while processing elements of JNLP files results in arbitrary file overwrite (CVE-2019-10182) * icedtea-web: directory traversal in the nested jar auto-extraction leading to arbitrary file overwrite (CVE-2019-10185) * icedtea-web: unsigned code injection in a signed JAR file (CVE-2019-10181) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127612
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127612
    titleOracle Linux 8 : icedtea-web (ELSA-2019-2004)

Redhat

advisories
  • bugzilla
    id1725928
    titleCVE-2019-10181 icedtea-web: unsigned code injection in a signed JAR file
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commenticedtea-web-devel is earlier than 0:1.7.1-2.el7_6
            ovaloval:com.redhat.rhsa:tst:20192003001
          • commenticedtea-web-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20192003002
        • AND
          • commenticedtea-web-javadoc is earlier than 0:1.7.1-2.el7_6
            ovaloval:com.redhat.rhsa:tst:20192003003
          • commenticedtea-web-javadoc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20141417004
        • AND
          • commenticedtea-web is earlier than 0:1.7.1-2.el7_6
            ovaloval:com.redhat.rhsa:tst:20192003005
          • commenticedtea-web is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20141417002
    rhsa
    idRHSA-2019:2003
    released2019-07-31
    severityImportant
    titleRHSA-2019:2003: icedtea-web security update (Important)
  • bugzilla
    id1725928
    titleCVE-2019-10181 icedtea-web: unsigned code injection in a signed JAR file
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 8 is installed
        ovaloval:com.redhat.rhba:tst:20193384074
      • OR
        • AND
          • commenticedtea-web is earlier than 0:1.7.1-17.el8_0
            ovaloval:com.redhat.rhsa:tst:20192004001
          • commenticedtea-web is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20141417002
        • AND
          • commenticedtea-web-javadoc is earlier than 0:1.7.1-17.el8_0
            ovaloval:com.redhat.rhsa:tst:20192004003
          • commenticedtea-web-javadoc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhba:tst:20141417004
    rhsa
    idRHSA-2019:2004
    released2019-07-31
    severityImportant
    titleRHSA-2019:2004: icedtea-web security update (Important)
rpms
  • icedtea-web-0:1.7.1-2.el7_6
  • icedtea-web-debuginfo-0:1.7.1-2.el7_6
  • icedtea-web-devel-0:1.7.1-2.el7_6
  • icedtea-web-javadoc-0:1.7.1-2.el7_6
  • icedtea-web-0:1.7.1-17.el8_0
  • icedtea-web-javadoc-0:1.7.1-17.el8_0