
CVE-2012-0507

Published: 24 February 2012

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, and 5.0 Update 33 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Concurrency. NOTE: the previous information was obtained from the February 2012 Oracle CPU. Oracle has not commented on claims from a downstream vendor and third party researchers that this issue occurs because the AtomicReferenceArray class implementation does not ensure that the array is of the Object[] type, which allows attackers to cause a denial of service (JVM crash) or bypass Java sandbox restrictions. NOTE: this issue was originally mapped to CVE-2011-3571, but that identifier was already assigned to a different issue.

Priority

Medium

Status

Package Release Status
icedtea-web
Launchpad, Ubuntu, Debian
hardy: Does not exist
lucid: Not vulnerable
maverick: Does not exist
natty: Not vulnerable
oneiric: Not vulnerable
precise: Not vulnerable
quantal: Not vulnerable
upstream: Needs triage

openjdk-6
Launchpad, Ubuntu, Debian
hardy: Released (6b27-1.12.3-0ubuntu1~08.04.1)
lucid: Released (6b20-1.9.13-0ubuntu1~10.04.1)
maverick: Released (6b20-1.9.13-0ubuntu1~10.10.1)
natty: Released (6b22-1.10.6-0ubuntu1)
oneiric: Released (6b23~pre11-0ubuntu1.11.10.2)
precise: Not vulnerable (6b24-1.11.1-0ubuntu1)
quantal: Not vulnerable (6b24-1.11.1-0ubuntu1)
upstream: Needs triage

openjdk-6b18
Launchpad, Ubuntu, Debian
hardy: Does not exist
lucid: Released (6b18-1.8.13-0ubuntu1~10.04.1)
maverick: Released (6b18-1.8.13-0ubuntu1~10.10.1)
natty: Released (6b18-1.8.13-0ubuntu1~11.04.1)
oneiric: Ignored (superseded by openjdk-6)
precise: Does not exist
quantal: Does not exist
upstream: Needs triage

openjdk-7
Launchpad, Ubuntu, Debian
hardy: Does not exist
lucid: Does not exist
maverick: Does not exist
natty: Does not exist
oneiric: Released (7u9-2.3.3-0ubuntu1~11.10.1)
precise: Not vulnerable (7~u3-2.1-1ubuntu1)
quantal: Not vulnerable (7~u3-2.1-1ubuntu1)
upstream: Needs triage

sun-java5
Launchpad, Ubuntu, Debian
hardy: Ignored (upstream sun-java5 is EoL)
lucid: Does not exist
maverick: Does not exist
natty: Does not exist
oneiric: Does not exist
precise: Does not exist
quantal: Does not exist
upstream: Needs triage

sun-java6
Launchpad, Ubuntu, Debian
hardy: Ignored (upstream version is not redistributable)
lucid: Does not exist (removed from archive)
maverick: Does not exist (removed from archive)
natty: Does not exist (removed from archive)
oneiric: Does not exist
precise: Does not exist
quantal: Does not exist
upstream: Needs triage

Notes

Author: Note
mdeslaur: in natty+, NetX and the plugin moved to the icedtea-web package
sbeattie: initially, Oracle misidentified this as CVE-2011-3571; changelogs refer to that CVE instead of this one.
