PublicDateAtUSN: 2010-10-19 Candidate: CVE-2010-3574 PublicDate: 2010-10-19 22:00:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3574 https://ubuntu.com/security/notices/USN-1010-1 Description: Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that HttpURLConnection does not properly check for the allowHttpTrace permission, which allows untrusted code to perform HTTP TRACE requests. Ubuntu-Description: It was discovered that the HttpURLConnection class improperly checked whether the calling code was granted the "allowHttpTrace" permission, allowing an attacker to create HTTP TRACE requests. Notes: sbeattie> red hat description: HttpURLConnection improperly checked whether the calling code was granted the "allowHttpTrace" permission, allowing untrusted code to create HTTP TRACE requests. Bugs: Priority: low Discovered-by: Assigned-to: CVSS: Patches_openjdk-6: upstream_openjdk-6: needs-triage dapper_openjdk-6: DNE hardy_openjdk-6: released (1.8.2-4ubuntu1~8.04.1) jaunty_openjdk-6: released (1.8.2-4ubuntu1~9.04.1) karmic_openjdk-6: released (1.8.2-4ubuntu1~9.10.1) lucid_openjdk-6: released (1.8.2-4ubuntu2) maverick_openjdk-6: released (6b20-1.9.1-1ubuntu3) devel_openjdk-6: not-affected (6b20-1.10~pre2-0ubuntu5) Patches_sun-java6: upstream_sun-java6: needs-triage dapper_sun-java6: DNE hardy_sun-java6: released (6.22-0ubuntu1~8.04.1) jaunty_sun-java6: released (6.22-0ubuntu1~9.04.1) karmic_sun-java6: released (6.22-0ubuntu1~9.10.1) lucid_sun-java6: released (6.22-0ubuntu1~10.04) maverick_sun-java6: released (6.22-0ubuntu1~10.10) devel_sun-java6: DNE Patches_openjdk-6b18: upstream_openjdk-6b18: released (6b22) dapper_openjdk-6b18: DNE hardy_openjdk-6b18: DNE intrepid_openjdk-6b18: DNE karmic_openjdk-6b18: not-affected (6b18-1.8.4-0ubuntu1~9.10.1) lucid_openjdk-6b18: not-affected (6b18-1.8.3-0ubuntu1~10.04.1) maverick_openjdk-6b18: released (6b18-1.8.2-4ubuntu1) devel_openjdk-6b18: not-affected (6b18-1.8.3-1ubuntu3)