Bug 983640 (CVE-2016-2833) - VUL-0: CVE-2016-2833: MozillaFirefox: Java applets bypass CSP protections (MFSA-2016-60)
Summary: VUL-0: CVE-2016-2833: MozillaFirefox: Java applets bypass CSP protections (MF...
Status: RESOLVED FIXED
Alias: CVE-2016-2833
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Petr Cerny
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 983549
  Show dependency treegraph
 
Reported: 2016-06-08 06:21 UTC by Marcus Meissner
Modified: 2020-04-05 18:22 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-08 06:21:24 UTC 
https://www.mozilla.org/en-US/security/advisories/mfsa2016-60/


Mozilla Foundation Security Advisory 2016-60
Java applets bypass CSP protections

Announced
    June 7, 2016
Reporter
    Matt Wobensmith
Impact
    Moderate
Products
    Firefox
Fixed in

        Firefox 47

Description

Mozilla engineer Matt Wobensmith reported that Content Security Policy (CSP) does not block the loading of cross-domain Java applets when specified by policy. This is because the Java applet is loaded by the Java plugin, which then mediates all network requests without checking against CSP. This could allow a malicious site to manipulate content through a Java applet to bypass CSP protections, allowing for possible cross-site scripting (XSS) attacks.
References

    CSP does not block cross-domain applets with object-src 'self' (CVE-2016-2833)
Comment 1 Swamp Workflow Management 2016-06-08 22:00:37 UTC 
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2016-06-11 12:12:44 UTC 
openSUSE-SU-2016:1552-1: An update that solves 13 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 980384,981695,983549,983632,983638,983639,983640,983643,983644,983646,983649,983651,983652,983653,983655
CVE References: CVE-2016-2815,CVE-2016-2818,CVE-2016-2819,CVE-2016-2821,CVE-2016-2822,CVE-2016-2824,CVE-2016-2825,CVE-2016-2828,CVE-2016-2829,CVE-2016-2831,CVE-2016-2832,CVE-2016-2833,CVE-2016-2834
Sources used:
openSUSE Leap 42.1 (src):    MozillaFirefox-47.0-24.1, mozilla-nss-3.23-18.1
openSUSE 13.2 (src):    MozillaFirefox-47.0-71.1, mozilla-nss-3.23-34.1
Comment 3 Swamp Workflow Management 2016-06-11 20:08:57 UTC 
openSUSE-SU-2016:1557-1: An update that solves 14 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 980384,981695,983549,983632,983638,983639,983640,983643,983644,983646,983649,983651,983652,983653,983655
CVE References: CVE-2016-1950,CVE-2016-2815,CVE-2016-2818,CVE-2016-2819,CVE-2016-2821,CVE-2016-2822,CVE-2016-2824,CVE-2016-2825,CVE-2016-2828,CVE-2016-2829,CVE-2016-2831,CVE-2016-2832,CVE-2016-2833,CVE-2016-2834
Sources used:
openSUSE 13.1 (src):    MozillaFirefox-47.0-116.1, mozilla-nss-3.23-80.1
Comment 4 Marcus Meissner 2016-08-17 05:49:33 UTC 
re;eased