Clamscan finds CVE-2013-2465 in openjdk-6-jre-headless

Bug #1224723 reported by Todd Taft
Affects             Status    Importance  Assigned to  Milestone
clamav (Ubuntu)     Invalid   Undecided   Unassigned
openjdk-6 (Ubuntu)  Invalid   Undecided   Unassigned

Bug Description

Running a clamscan on an Ubuntu 12.04.3 system reports that vulnerability CVE-2013-2465 was detected in version 6b27-1.12.6-1ubuntu0.12.04.2 of openjdk-6-jre-headless:

Run this:
# /usr/bin/clamscan -ri --max-filesize=100M /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/

Get this:
/usr/lib/jvm/java-6-openjdk-amd64/jre/lib/rt.jar: Java.Exploit.CVE_2013_2465 FOUND

Todd Taft (taft)
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote :

Thanks for reporting this.

It looks like a false positive. None of the files are detected as being a virus once the archive is extracted, and online scanners don't detect the file as a virus.

I've updated the list of known false positives here:

http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README.virus

Thanks!

Changed in openjdk-6 (Ubuntu):
status: New → Invalid
Todd Taft (taft) wrote :

CVE-2013-2465 is a CVE against Java, although it is against Oracle Java. It's not immediately clear to me whether or not this vulnerability is also applicable to OpenJDK. Can you confirm that this vulnerability does not apply to OpenJDK (or that it is already patched in this version)?

Labeling the file as a "virus" is probably incorrect, but my concern was that it represented an unpatched security vulnerability.

Most of the other files in http://bazaar.launchpad.net/~ubuntu-security/ubuntu-cve-tracker/master/view/head:/README.virus have obvious reasons that they would constitute false positives (e.g. they are samples of exploits/viruses), but I don't see an obvious reason why this particular file would be a false positive. If this really is a false positive, then I would suggest that it's a bug in the clam database, since that means that it is detecting a Java security problem where none exists.

Changed in openjdk-6 (Ubuntu):
status: Invalid → New
Marc Deslauriers (mdeslaur) wrote :

The "Java.Exploit.CVE_2013_2465" virus takes advantage of unpatched versions of Java and OpenJDK which are vulnerable to CVE-2013-2465. The signature isn't meant to detect the vulnerability itself, but a specific piece of malware that targets it.

OpenJDK got updated for this CVE in July:
http://www.ubuntu.com/usn/usn-1908-1/

It is likely that the ClamAV signature simply includes the API that is being used by the malware, and that API happens to also be used by code in the rt.jar file.

I agree, this is likely a bug in the clamav signature database, which we do not ship in Ubuntu.

I am closing this bug since there is no actionable item. If you want this to be corrected in the ClamAV database, I suggest filing a bug with the ClamAV project here:

http://www.clamav.net/lang/en/sendvirus/submit-fp/

Thanks.

Changed in clamav (Ubuntu):
status: New → Won't Fix
status: Won't Fix → Invalid
Changed in openjdk-6 (Ubuntu):
status: New → Invalid
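The triage the two comments above describe (scan the jar as an archive, unpack it, rescan the members, and treat an archive-only hit as a likely signature false positive to report to ClamAV) written out as a script. This is an added example, not code from the bug report or from the ClamAV or Ubuntu projects; the working directory under /tmp and the use of unzip are assumptions.

```shell
#!/bin/sh
# Added example: reproduce the false-positive triage from the thread.
# An archive-level hit with no hit on any extracted member means the
# signature is matching across the packed contents (e.g. an API that
# rt.jar legitimately contains) rather than a discrete malicious class,
# so the sample belongs in ClamAV's false-positive submission form.

# Pure decision helper, kept separate so it can be exercised without
# clamscan installed. Inputs are the "... FOUND" lines from each scan.
fp_verdict() {
    archive_hits="$1"   # FOUND lines from scanning the jar itself
    member_hits="$2"    # FOUND lines from scanning the unpacked members
    if [ -z "$archive_hits" ]; then
        echo "clean"
    elif [ -n "$member_hits" ]; then
        echo "confirmed"             # a specific member triggers it: investigate
    else
        echo "likely-false-positive" # only the archive as a whole matches
    fi
}

# Scan one jar both ways and print the verdict. Needs clamscan and unzip.
# --max-filesize/--max-scansize are raised as in the report, since rt.jar
# exceeds clamscan's defaults and would otherwise be skipped silently.
triage_jar() {
    jar="$1"
    work="$(mktemp -d /tmp/fp-triage.XXXXXX)"   # assumed scratch location
    archive_hits="$(clamscan --no-summary --max-filesize=100M --max-scansize=100M "$jar" \
        | grep ' FOUND$' || true)"
    ( cd "$work" && unzip -qq "$jar" )
    member_hits="$(clamscan -r --no-summary --max-filesize=100M --max-scansize=100M "$work" \
        | grep ' FOUND$' || true)"
    rm -rf "$work"
    printf '%s\n' "$archive_hits" "$member_hits" | grep -v '^$' || true
    fp_verdict "$archive_hits" "$member_hits"
}

# Usage: ./fp-triage.sh /usr/lib/jvm/java-6-openjdk-amd64/jre/lib/rt.jar
if [ -n "${1:-}" ]; then
    triage_jar "$1"
fi
```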
Marc Deslauriers (mdeslaur) wrote :

I've submitted the false positive to ClamAV.
