The IcedTea-Web plugin before 1.2.3 and 1.3.x before 1.3.2 uses the same class loader for applets with the same codebase path but from different domains, which allows remote attackers to obtain sensitive information or possibly alter other applets via a crafted applet.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Icedtea-web | Redhat | * | 1.2.2 (including) |
| Icedtea-web | Redhat | 1.0 (including) | 1.0 (including) |
| Icedtea-web | Redhat | 1.0.1 (including) | 1.0.1 (including) |
| Icedtea-web | Redhat | 1.0.2 (including) | 1.0.2 (including) |
| Icedtea-web | Redhat | 1.0.3 (including) | 1.0.3 (including) |
| Icedtea-web | Redhat | 1.0.4 (including) | 1.0.4 (including) |
| Icedtea-web | Redhat | 1.0.5 (including) | 1.0.5 (including) |
| Icedtea-web | Redhat | 1.0.6 (including) | 1.0.6 (including) |
| Icedtea-web | Redhat | 1.1 (including) | 1.1 (including) |
| Icedtea-web | Redhat | 1.1.1 (including) | 1.1.1 (including) |
| Icedtea-web | Redhat | 1.1.2 (including) | 1.1.2 (including) |
| Icedtea-web | Redhat | 1.1.3 (including) | 1.1.3 (including) |
| Icedtea-web | Redhat | 1.1.4 (including) | 1.1.4 (including) |
| Icedtea-web | Redhat | 1.1.5 (including) | 1.1.5 (including) |
| Icedtea-web | Redhat | 1.1.6 (including) | 1.1.6 (including) |
| Icedtea-web | Redhat | 1.1.7 (including) | 1.1.7 (including) |
| Icedtea-web | Redhat | 1.2 (including) | 1.2 (including) |
| Icedtea-web | Redhat | 1.2.1 (including) | 1.2.1 (including) |
| Icedtea-web | Redhat | 1.3 (including) | 1.3 (including) |
| Icedtea-web | Redhat | 1.3.1 (including) | 1.3.1 (including) |
| Red Hat Enterprise Linux 6 | RedHat | icedtea-web-0:1.2.3-2.el6_4 | * |
| Icedtea-web | Ubuntu | devel | * |
| Icedtea-web | Ubuntu | lucid | * |
| Icedtea-web | Ubuntu | oneiric | * |
| Icedtea-web | Ubuntu | precise | * |
| Icedtea-web | Ubuntu | quantal | * |
| Icedtea-web | Ubuntu | upstream | * |
References
- http://icedtea.classpath.org/hg/release/icedtea-web-1.2/file/icedtea-web-1.2.3/NEWS
- http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/34b6f60ae586
- http://icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/25dd7c7ac39c
- http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00013.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00106.html
- http://lists.opensuse.org/opensuse-updates/2013-05/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2013-05/msg00032.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00030.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00034.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00101.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022790.html
- http://osvdb.org/92543
- http://rhn.redhat.com/errata/RHSA-2013-0753.html
- http://secunia.com/advisories/53109
- http://secunia.com/advisories/53117
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:146
- http://www.securityfocus.com/bid/59281
- http://www.ubuntu.com/usn/USN-1804-1
- https://bugzilla.redhat.com/show_bug.cgi?id=916774
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83642
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0123
- http://icedtea.classpath.org/hg/release/icedtea-web-1.2/file/icedtea-web-1.2.3/NEWS
- http://icedtea.classpath.org/hg/release/icedtea-web-1.2/rev/34b6f60ae586
- http://icedtea.classpath.org/hg/release/icedtea-web-1.3/rev/25dd7c7ac39c
- http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00013.html
- http://lists.opensuse.org/opensuse-updates/2013-04/msg00106.html
- http://lists.opensuse.org/opensuse-updates/2013-05/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2013-05/msg00032.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00030.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00034.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00101.html
- http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2013-April/022790.html
- http://osvdb.org/92543
- http://rhn.redhat.com/errata/RHSA-2013-0753.html
- http://secunia.com/advisories/53109
- http://secunia.com/advisories/53117
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:146
- http://www.securityfocus.com/bid/59281
- http://www.ubuntu.com/usn/USN-1804-1
- https://bugzilla.redhat.com/show_bug.cgi?id=916774
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83642
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0123