Vulnerability Description
The unpacker::redirect_stdio function in unpack.cpp in unpack200 in OpenJDK 6, 7, and 8; Oracle Java SE 5.0u61, 6u71, 7u51, and 8; JRockit R27.8.1 and R28.3.1; and Java SE Embedded 7u51 does not securely create temporary files when a log file cannot be opened, which allows local users to overwrite arbitrary files via a symlink attack on /tmp/unpack.log.
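As an added illustration (not code from unpack.cpp or from the OpenJDK fix), the C below contrasts a plain fopen() of a fixed log name with exclusive creation, using a constructed scratch directory so nothing outside it is touched. The function names, the symlink-demo directory and the file contents are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L /* mkdtemp, symlink, O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: fopen() on a fixed name follows a planted symlink and truncates its target. */
static FILE *open_log_weak(const char *path) {
    return fopen(path, "w");
}

/* Hardened: O_CREAT|O_EXCL fails with EEXIST if anything, including a
 * symlink (even a dangling one), already exists at the path. */
static FILE *open_log_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    FILE *fp = fd < 0 ? NULL : fdopen(fd, "w");
    if (fd >= 0 && fp == NULL)
        close(fd);
    return fp;
}

/* Constructed scenario: a private scratch directory holds a 6-byte "victim" file and a
 * symlink named unpack.log pointing at it. Returns the victim's size afterwards, -1 on error. */
long victim_size_after(int hardened) {
    char dir[] = "/tmp/symlink-demo-XXXXXX", victim[64], lnk[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/unpack.log", dir);
    FILE *v = fopen(victim, "w");
    if (v == NULL || fputs("secret", v) < 0 || fclose(v) != 0 || symlink(victim, lnk) != 0)
        return -1;
    FILE *fp = hardened ? open_log_safe(lnk) : open_log_weak(lnk);
    if (fp != NULL) {
        fputs("log\n", fp); /* 4 bytes replace the victim's contents if the link was followed */
        fclose(fp);
    }
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk);
    unlink(victim);
    rmdir(dir);
    return size;
}

int main(void) {
    printf("weak=%ld hardened=%ld\n", victim_size_after(0), victim_size_after(1));
}
```

Where a fallback file has to live in a shared directory, mkstemp() additionally makes the name unpredictable while still creating it exclusively.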
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Oracle | OpenJDK | 1.6.0 |
Related Weaknesses (CWE)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737562
- http://marc.info/?l=bugtraq&m=140852886808946&w=2
- http://marc.info/?l=bugtraq&m=140852974709252&w=2
- http://osvdb.org/102808
- http://rhn.redhat.com/errata/RHSA-2014-0675.html
- http://rhn.redhat.com/errata/RHSA-2014-0685.html
- http://seclists.org/oss-sec/2014/q1/242
- http://seclists.org/oss-sec/2014/q1/285
- http://secunia.com/advisories/58415
- http://secunia.com/advisories/59058
- http://security.gentoo.org/glsa/glsa-201406-32.xml
- http://www-01.ibm.com/support/docview.wss?uid=swg21672080
- http://www-01.ibm.com/support/docview.wss?uid=swg21676746
- http://www-01.ibm.com/support/docview.wss?uid=swg21679713
- http://www.debian.org/security/2014/dsa-2912
FAQ
What is CVE-2014-1876?
CVE-2014-1876 is a vulnerability with a CVSS score of 4.4 (MEDIUM).
How severe is CVE-2014-1876?
CVE-2014-1876 has been rated MEDIUM with a CVSS base score of 4.4/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2014-1876?
Check the references section above for vendor advisories and patch information. Affected products include: Oracle OpenJDK.