Bug 977650 (CVE-2016-0363) - VUL-0: CVE-2016-0363: java-1_6_0-ibm,java-1_7_0-ibm,java-1_7_1-ibm: insecure use of invoke method in CORBA component, incorrect CVE-2013-3009 fix
Status: RESOLVED FIXED
Alias: CVE-2016-0363
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Major
Target Milestone: ---
Deadline: 2016-05-25
Assignee: Forgotten User l5HDYKT_qR
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/168385/
Whiteboard: CVSSv2:RedHat:CVE-2013-3009:6.8:(AV:N...
Reported: 2016-04-28 13:14 UTC by Andreas Stieger
Modified: 2016-11-29 16:02 UTC
Found By: Security Response Team


Description Andreas Stieger 2016-04-28 13:14:44 UTC
http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_April_2016
http://www-01.ibm.com/support/docview.wss?uid=swg21980826
http://www-01.ibm.com/support/docview.wss?uid=swg1IX90172

CVEID: CVE-2016-0363
DESCRIPTION: IBM SDK, Java Technology Edition contains a vulnerability in the IBM ORB implementation that may allow untrusted code running under a security manager to elevate its privileges. This vulnerability was originally reported as CVE-2013-3009.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112016 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) 

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1324044
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0363
Comment 1 Swamp Workflow Management 2016-04-28 13:38:31 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-05-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62677
Comment 2 Swamp Workflow Management 2016-04-28 22:01:35 UTC
bugbot adjusting priority
Comment 8 Swamp Workflow Management 2016-05-11 17:10:33 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-05-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62717
Comment 11 Swamp Workflow Management 2016-05-13 14:08:42 UTC
SUSE-SU-2016:1299-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    java-1_7_1-ibm-1.7.1_sr3.40-25.1
SUSE Linux Enterprise Software Development Kit 12 (src):    java-1_7_1-ibm-1.7.1_sr3.40-25.1
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_7_1-ibm-1.7.1_sr3.40-25.1
SUSE Linux Enterprise Server 12 (src):    java-1_7_1-ibm-1.7.1_sr3.40-25.1
Comment 12 Swamp Workflow Management 2016-05-13 14:09:31 UTC
SUSE-SU-2016:1300-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    java-1_7_1-ibm-1.7.1_sr3.40-13.1
SUSE Linux Enterprise Server 11-SP4 (src):    java-1_7_1-ibm-1.7.1_sr3.40-13.1
Comment 13 Swamp Workflow Management 2016-05-13 19:08:20 UTC
SUSE-SU-2016:1303-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src):    java-1_6_0-ibm-1.6.0_sr16.25-34.1
Comment 14 Forgotten User l5HDYKT_qR 2016-05-19 16:22:26 UTC
Updates released, closing.
Comment 15 Swamp Workflow Management 2016-05-21 00:08:14 UTC
SUSE-SU-2016:1378-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE OpenStack Cloud 5 (src):    java-1_7_0-ibm-1.7.0_sr9.40-52.1
SUSE Manager Proxy 2.1 (src):    java-1_7_0-ibm-1.7.0_sr9.40-52.1
SUSE Manager 2.1 (src):    java-1_7_0-ibm-1.7.0_sr9.40-52.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    java-1_7_0-ibm-1.7.0_sr9.40-52.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    java-1_7_0-ibm-1.7.0_sr9.40-52.1
Comment 16 Swamp Workflow Management 2016-05-21 00:08:58 UTC
SUSE-SU-2016:1379-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE OpenStack Cloud 5 (src):    java-1_6_0-ibm-1.6.0_sr16.25-69.1
SUSE Manager Proxy 2.1 (src):    java-1_6_0-ibm-1.6.0_sr16.25-69.1
SUSE Manager 2.1 (src):    java-1_6_0-ibm-1.6.0_sr16.25-69.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.25-69.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.25-69.1
Comment 19 Swamp Workflow Management 2016-05-24 12:08:29 UTC
SUSE-SU-2016:1388-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    java-1_6_0-ibm-1.6.0_sr16.25-0.11.1
Comment 20 Swamp Workflow Management 2016-05-31 20:08:54 UTC
SUSE-SU-2016:1458-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 977646,977648,977650,979252,981087
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Module for Legacy Software 12 (src):    java-1_6_0-ibm-1.6.0_sr16.26-37.1
Comment 21 Swamp Workflow Management 2016-06-02 09:08:51 UTC
SUSE-SU-2016:1475-1: An update that fixes 10 vulnerabilities is now available.

Category: security (important)
Bug References: 965665,977646,977648,977650,979252
CVE References: CVE-2016-0264,CVE-2016-0363,CVE-2016-0376,CVE-2016-0686,CVE-2016-0687,CVE-2016-3422,CVE-2016-3426,CVE-2016-3427,CVE-2016-3443,CVE-2016-3449
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    java-1_8_0-ibm-1.8.0_sr3.0-10.1
SUSE Linux Enterprise Server 12-SP1 (src):    java-1_8_0-ibm-1.8.0_sr3.0-10.1