ID CVE-2017-3289
Summary Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 7u121 and 8u112; Java SE Embedded: 8u111. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts).
References
Vulnerable Configurations
  • cpe:2.3:a:oracle:jdk:1.7:update_121
    cpe:2.3:a:oracle:jdk:1.7:update_121
  • cpe:2.3:a:oracle:jdk:1.8:update_111
    cpe:2.3:a:oracle:jdk:1.8:update_111
  • cpe:2.3:a:oracle:jdk:1.8:update_112
    cpe:2.3:a:oracle:jdk:1.8:update_112
  • cpe:2.3:a:oracle:jre:1.7:update_121
    cpe:2.3:a:oracle:jre:1.7:update_121
  • cpe:2.3:a:oracle:jre:1.8:update_111
    cpe:2.3:a:oracle:jre:1.8:update_111
  • cpe:2.3:a:oracle:jre:1.8:update_112
    cpe:2.3:a:oracle:jre:1.8:update_112
CVSS
Base: 6.8 (as of 30-01-2017 - 21:52)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-201.NASL
    description This update for java-1_8_0-openjdk fixes the following issues: Oracle Critical Patch Update of January 2017 (bsc#1020905) Upgrade to version jdk8u121 (icedtea 3.3.0) : - S8138725: Add options for Javadoc generation - S8140353: Improve signature checking - S8151934, CVE-2017-3231: Resolve class resolution - S8156804, CVE-2017-3241: Better constraint checking - S8158406: Limited Parameter Processing - S8158997: JNDI Protocols Switch - S8159507: RuntimeVisibleAnnotation validation - S8161218: Better bytecode loading - S8161743, CVE-2017-3252: Provide proper login context - S8162577: Standardize logging levels - S8162973: Better component components - S8164143, CVE-2017-3260: Improve components for menu items - S8164147, CVE-2017-3261: Improve streaming socket output - S8165071, CVE-2016-2183: Expand TLS support - S8165344, CVE-2017-3272: Update concurrency support - S8166988, CVE-2017-3253: Improve image processing performance - S8167104, CVE-2017-3289: Additional class construction refinements - S8167223, CVE-2016-5552: URL handling improvements - S8168705, CVE-2016-5547: Better ObjectIdentifier validation - S8168714, CVE-2016-5546: Tighten ECDSA validation - S8168728, CVE-2016-5548: DSA signing improvements - S8168724, CVE-2016-5549: ECDSA signing improvements This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2017-02-06
    plugin id 97002
    published 2017-02-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97002
    title openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2017-201)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0346-1.NASL
    description This update for java-1_8_0-openjdk fixes the following issues: Oracle Critical Patch Update of January 2017 (bsc#1020905) Upgrade to version jdk8u121 (icedtea 3.3.0) : - S8138725: Add options for Javadoc generation - S8140353: Improve signature checking - S8151934, CVE-2017-3231: Resolve class resolution - S8156804, CVE-2017-3241: Better constraint checking - S8158406: Limited Parameter Processing - S8158997: JNDI Protocols Switch - S8159507: RuntimeVisibleAnnotation validation - S8161218: Better bytecode loading - S8161743, CVE-2017-3252: Provide proper login context - S8162577: Standardize logging levels - S8162973: Better component components - S8164143, CVE-2017-3260: Improve components for menu items - S8164147, CVE-2017-3261: Improve streaming socket output - S8165071, CVE-2016-2183: Expand TLS support - S8165344, CVE-2017-3272: Update concurrency support - S8166988, CVE-2017-3253: Improve image processing performance - S8167104, CVE-2017-3289: Additional class construction refinements - S8167223, CVE-2016-5552: URL handling improvements - S8168705, CVE-2016-5547: Better ObjectIdentifier validation - S8168714, CVE-2016-5546: Tighten ECDSA validation - S8168728, CVE-2016-5548: DSA signing improvements - S8168724, CVE-2016-5549: ECDSA signing improvements Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 96926
    published 2017-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96926
    title SUSE SLED12 / SLES12 Security Update : java-1_8_0-openjdk (SUSE-SU-2017:0346-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1216.NASL
    description An update for java-1.7.1-ibm is now available for Red Hat Satellite 5.7 and Red Hat Satellite 5.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP1. Security Fix(es) : * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2016-2183, CVE-2017-3272, CVE-2017-3289, CVE-2017-3253, CVE-2017-3261, CVE-2017-3231, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, CVE-2016-5546, CVE-2016-5548, CVE-2016-5549, CVE-2017-3241, CVE-2017-3259, CVE-2016-5573, CVE-2016-5554, CVE-2016-5542, CVE-2016-5597, CVE-2016-5556, CVE-2016-3598, CVE-2016-3511, CVE-2016-0363, CVE-2016-0686, CVE-2016-0687, CVE-2016-3426, CVE-2016-3427, CVE-2016-3443, CVE-2016-3449, CVE-2016-3422, CVE-2016-0376, CVE-2016-0264)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 100094
    published 2017-05-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100094
    title RHEL 6 : java-1.7.1-ibm (RHSA-2017:1216)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201707-01.NASL
    description The remote host is affected by the vulnerability described in GLSA-201707-01 (IcedTea: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in IcedTea. Please review the CVE identifiers referenced below for details. Note: If the web browser plug-in provided by the dev-java/icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, gain access to information, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-07-06
    plugin id 101248
    published 2017-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101248
    title GLSA-201707-01 : IcedTea: Multiple vulnerabilities
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0016_OPENJDK.NASL
    description An update of the openjdk package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121693
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121693
    title Photon OS 1.0: Openjdk PHSA-2017-0016
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0175.NASL
    description An update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6 and Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 8 to version 8 Update 121. Security Fix(es) : * This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2016-8328, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3261, CVE-2017-3262, CVE-2017-3272, CVE-2017-3289) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96650
    published 2017-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96650
    title RHEL 6 / 7 : java-1.8.0-oracle (RHSA-2017:0175)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0337.NASL
    description An update for java-1.7.0-ibm is now available for Red Hat Enterprise Linux 5 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7 SR10-FP1. Security Fix(es) : * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3261, CVE-2017-3272, CVE-2017-3289)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 97461
    published 2017-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97461
    title RHEL 5 : java-1.7.0-ibm (RHSA-2017:0337)
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-0180.NASL
    description An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. * Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) * A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) * It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) * It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) * It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) * It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) * It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) * Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS /SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-19
    plugin id 101412
    published 2017-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101412
    title Virtuozzo 6 : java-1.8.0-openjdk / java-1.8.0-openjdk-debug / etc (VZLSA-2017-0180)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1016.NASL
    description According to the versions of the java-1.8.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) - Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) - A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) - It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) - It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) - It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) - It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) - It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) - Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) - A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-05
    plugin id 99862
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99862
    title EulerOS 2.0 SP2 : java-1.8.0-openjdk (EulerOS-SA-2017-1016)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1400-1.NASL
    description This update for java-1_7_0-openjdk fixes the following issues : - Update to 2.6.10 - OpenJDK 7u141 (bsc#1034849) - Security fixes - S8163520, CVE-2017-3509: Reuse cache entries - S8163528, CVE-2017-3511: Better library loading - S8165626, CVE-2017-3512: Improved window framing - S8167110, CVE-2017-3514: Windows peering issue - S8169011, CVE-2017-3526: Resizing XML parse trees - S8170222, CVE-2017-3533: Better transfers of files - S8171121, CVE-2017-3539: Enhancing jar checking - S8171533, CVE-2017-3544: Better email transfer - S8172299: Improve class processing - New features - PR3347: jstack.stp should support AArch64 - Import of OpenJDK 7 u141 build 0 - S4717864: setFont() does not update Fonts of Menus already on screen - S6474807: (smartcardio) CardTerminal.connect() throws CardException instead of CardNotPresentException - S6518907: cleanup IA64 specific code in Hotspot - S6869327: Add new C2 flag to keep safepoints in counted loops. - S7112912: Message 'Error occurred during initialization of VM' on boxes with lots of RAM - S7124213: [macosx] pack() does ignore size of a component; doesn't on the other platforms - S7124219: [macosx] Unable to draw images to fullscreen - S7124552: [macosx] NullPointerException in getBufferStrategy() - S7148275: [macosx] setIconImages() not working correctly (distorted icon when minimized) - S7154841: [macosx] Popups appear behind taskbar - S7155957: closed/java/awt/MenuBar/MenuBarStress1/MenuBarStress1.ja va hangs on win 64 bit with jdk8 - S7160627: [macosx] TextArea has wrong initial size - S7167293: FtpURLConnection connection leak on FileNotFoundException - S7168851: [macosx] Netbeans crashes in CImage.nativeCreateNSImageFromArray - S7197203: sun/misc/URLClassPath/ClassnameCharTest.sh failed, compile error - S8005255: [macosx] Cleanup warnings in sun.lwawt - S8006088: Incompatible heap size flags accepted by VM - S8007295: Reduce number of warnings in awt classes - S8010722: assert: failed: heap size is too big for compressed oops - S8011059: [macosx] Support automatic @2x images loading on Mac OS X - S8014058: Regression tests for 8006088 - S8014489: tests/gc/arguments/Test(Serial|CMS|Parallel|G1)HeapSizeF lags jtreg tests invoke wrong class - S8016302: Change type of the number of GC workers to unsigned int (2) - S8024662: gc/arguments/TestUseCompressedOopsErgo.java does not compile. - S8024669: Native OOME when allocating after changes to maximum heap supporting Coops sizing on sparcv9 - S8024926: [macosx] AquaIcon HiDPI support - S8025974: l10n for policytool - S8027025: [macosx] getLocationOnScreen returns 0 if parent invisible - S8028212: Custom cursor HiDPI support - S8028471: PPC64 (part 215): opto: Extend ImplicitNullCheck optimization. - S8031573: [macosx] Checkmarks of JCheckBoxMenuItems aren't rendered in high resolution on Retina - S8033534: [macosx] Get MultiResolution image from native system - S8033786: White flashing when opening Dialogs and Menus using Nimbus with dark background - S8035568: [macosx] Cursor management unification - S8041734: JFrame in full screen mode leaves empty workspace after close - S8059803: Update use of GetVersionEx to get correct Windows version in hs_err files - S8066504: GetVersionEx in java.base/windows/native/libjava/java_props_md.c might not get correct Windows version 0 - S8079595: Resizing dialog which is JWindow parent makes JVM crash - S8080729: [macosx] java 7 and 8 JDialogs on multiscreen jump to parent frame on focus - S8130769: The new menu can't be shown on the menubar after clicking the 'Add' button. - S8133357: 8u65 l10n resource file translation update - S8146602: jdk/test/sun/misc/URLClassPath/ClassnameCharTest.java test fails with NullPointerException - S8147842: IME Composition Window is displayed at incorrect location - S8147910: Cache initial active_processor_count - S8150490: Update OS detection code to recognize Windows Server 2016 - S8161147: jvm crashes when -XX:+UseCountedLoopSafepoints is enabled - S8161195: Regression: closed/javax/swing/text/FlowView/LayoutTest.java - S8161993: G1 crashes if active_processor_count changes during startup - S8162603: Unrecognized VM option 'UseCountedLoopSafepoints' - S8162876: [TEST_BUG] sun/net/www/protocol/http/HttpInputStream.java fails intermittently - S8164533: sun/security/ssl/SSLSocketImpl/CloseSocket.java failed with 'Error while cleaning up threads after test' - S8167179: Make XSL generated namespace prefixes local to transformation process - S8169465: Deadlock in com.sun.jndi.ldap.pool.Connections - S8169589: [macosx] Activating a JDialog puts to back another dialog - S8170307: Stack size option -Xss is ignored - S8170316: (tz) Support tzdata2016j - S8170814: Reuse cache entries (part II) - S8171388: Update JNDI Thread contexts - S8171949: [macosx] AWT_ZoomFrame Automated tests fail with error: The bitwise mask Frame.ICONIFIED is not setwhen the frame is in ICONIFIED state - S8171952: [macosx] AWT_Modality/Automated/ModalExclusion/NoExclusion/Modele ssDialog test fails as DummyButton on Dialog did not gain focus when clicked. - S8173931: 8u131 L10n resource file update - S8174844: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle - S8175087: [bsd] Fix build after '8024900: PPC64: Enable new build on AIX (jdk part)' - S8175163: [bsd] Fix build after '8005629: javac warnings compiling java.awt.EventDispatchThread...' - S8176044: (tz) Support tzdata2017a - Import of OpenJDK 7 u141 build 1 - S8043723: max_heap_for_compressed_oops() declared with size_t, but defined with uintx - Import of OpenJDK 7 u141 build 2 - S8011123: serialVersionUID of java.awt.dnd.InvalidDnDOperationException changed in JDK8-b82 - Backports - S6515172, PR3362: Runtime.availableProcessors() ignores Linux taskset command - S8022284, PR3209: Hide internal data structure in PhaseCFG - S8023003, PR3209: Cleanup the public interface to PhaseCFG - S8023691, PR3209: Create interface for nodes in class Block - S8023988, PR3209: Move local scheduling of nodes to the CFG creation and code motion phase (PhaseCFG) - S8043780, PR3369: Use open(O_CLOEXEC) instead of fcntl(FD_CLOEXEC) - S8157306, PR3209: Random infrequent NULL pointer exceptions in javac - S8173783, PR3329: IllegalArgumentException: jdk.tls.namedGroups - S8173941, PR3330: SA does not work if executable is DSO - S8174729, PR3361: Race Condition in java.lang.reflect.WeakCache - Bug fixes - PR3349: Architectures unsupported by SystemTap tapsets throw a parse error - PR3370: Disable ARM32 JIT by default in jdk_generic_profile.sh - PR3379: Perl should be mandatory - PR3390: javac.in and javah.in should use @PERL@ rather than a hard-coded path - CACAO - PR2732: Raise javadoc memory limits for CACAO again! - AArch64 port - S8177661, PR3367: Correct ad rule output register types from iRegX to iRegXNoSp - Get ecj.jar path from gcj, use the gcc variant that provides Java to build C code to make sure jni.h is available. - S8167104, CVE-2017-3289: Additional class construction - S6253144: Long narrowing conversion should describe the - S6328537: Improve javadocs for Socket class by adding - S6978886: javadoc shows stacktrace after print error - S6995421: Eliminate the static dependency to - S7027045: (doc) java/awt/Window.java has several typos in - S7054969: Null-check-in-finally pattern in java/security - S7072353: JNDI libraries do not build with javac -Xlint:all - S7092447: Clarify the default locale used in each locale - S7103570: AtomicIntegerFieldUpdater does not work when - S7187144: JavaDoc for ScriptEngineFactory.getProgram() - S8000418: javadoc should used a standard 'generated by - S8000666: javadoc should write directly to Writer instead of - S8000970: break out auxiliary classes that will prevent - S8001669: javadoc internal DocletAbortException should set - S8011402: Move blacklisting certificate logic from hard code - S8011547: Update XML Signature implementation to Apache - S8012288: XML DSig API allows wrong tag names and extra - S8017325: Cleanup of the javadoc tag in - S8017326: Cleanup of the javadoc tag in - S8019772: Fix doclint issues in javax.crypto and - S8020688: Broken links in documentation at - S8021108: Clean up doclint warnings and errors in java.text - S8022120: JCK test api/javax_xml/crypto/dsig/TransformService/index_ParamMe thods - S8025409: Fix javadoc comments errors and warning reported by - S8026021: more fix of javadoc errors and warnings reported by - S8037099: [macosx] Remove all references to GC from native - S8038184: XMLSignature throws StringIndexOutOfBoundsException - S8038349: Signing XML with DSA throws Exception when key is - S8049244: XML Signature performance issue caused by - S8050893: (smartcardio) Invert reset argument in tests in - S8059212: Modify sun/security/smartcardio manual regression - S8068279: (typo in the spec) - S8068491: Update the protocol for references of - S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs - S8076369: Introduce the jdk.tls.client.protocols system - S8139565: Restrict certificates with DSA keys less than 1024 - S8140422: Add mechanism to allow non default root CAs to be - S8140587: Atomic*FieldUpdaters should use Class.isInstance - S8149029: Secure validation of XML based digital signature - S8151893: Add security property to configure XML Signature - S8161228: URL objects with custom protocol handlers have port - S8163304: jarsigner -verbose -verify should print the - S8164908: ReflectionFactory support for IIOP and custom - S8165230: RMIConnection addNotificationListeners failing with - S8166393: disabledAlgorithms property should not be strictly - S8166591: [macos 10.12] Trackpad scrolling of text on OS X - S8166739: Improve extensibility of ObjectInputFilter - S8167356: Follow up fix for jdk8 backport of 8164143. Changes - S8167459: Add debug output for indicating if a chosen - S8168861: AnchorCertificates uses hard-coded password for - S8169688: Backout (remove) MD5 from - S8169911: Enhanced tests for jarsigner -verbose -verify after - S8170131: Certificates not being blocked by - S8173854: [TEST] Update DHEKeySizing test case following - S7102489, PR3316, RH1390708: RFE: cleanup jlong typedef on - S8000351, PR3316, RH1390708: Tenuring threshold should be - S8153711, PR3315, RH1284948: [REDO] JDWP: Memory Leak : - S8170888, PR3316, RH1390708: [linux] Experimental support for - PR3318: Replace 'infinality' with 'improved font rendering' - PR3324: Fix NSS_LIBDIR substitution in - S8165673, PR3320: AArch64: Fix JNI floating point argument + S6604109, PR3162 : - Add -fno-delete-null-pointer-checks -fno-lifetime-dse to try to directory to be specified versions of IcedTea Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 100409
    published 2017-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100409
    title SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2017:1400-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-278.NASL
    description This update for java-1_7_0-openjdk fixes the following issues : - Oracle Critical Patch Update of January 2017 to OpenJDK 7u131 (bsc#1020905) : - Security Fixes - S8138725: Add options for Javadoc generation - S8140353: Improve signature checking - S8151934, CVE-2017-3231: Resolve class resolution - S8156804, CVE-2017-3241: Better constraint checking - S8158406: Limited Parameter Processing - S8158997: JNDI Protocols Switch - S8159507: RuntimeVisibleAnnotation validation - S8161218: Better bytecode loading - S8161743, CVE-2017-3252: Provide proper login context - S8162577: Standardize logging levels - S8162973: Better component components - S8164143, CVE-2017-3260: Improve components for menu items - S8164147, CVE-2017-3261: Improve streaming socket output - S8165071, CVE-2016-2183: Expand TLS support - S8165344, CVE-2017-3272: Update concurrency support - S8166988, CVE-2017-3253: Improve image processing performance - S8167104, CVE-2017-3289: Additional class construction refinements - S8167223, CVE-2016-5552: URL handling improvements - S8168705, CVE-2016-5547: Better ObjectIdentifier validation - S8168714, CVE-2016-5546: Tighten ECDSA validation - S8168728, CVE-2016-5548: DSA signing improvments - S8168724, CVE-2016-5549: ECDSA signing improvments - S6253144: Long narrowing conversion should describe the algorithm used and implied 'risks' - S6328537: Improve javadocs for Socket class by adding references to SocketOptions - S6978886: javadoc shows stacktrace after print error resulting from disk full - S6995421: Eliminate the static dependency to sun.security.ec.ECKeyFactory - S6996372: synchronizing handshaking hash - S7027045: (doc) java/awt/Window.java has several typos in javadoc - S7054969: Null-check-in-finally pattern in java/security documentation - S7072353: JNDI libraries do not build with javac -Xlint:all -Werror - S7075563: Broken link in 'javax.swing.SwingWorker' - S7077672: jdk8_tl nightly fail in step-2 build on 8/10/11 - S7088502: Security libraries don't build with javac -Werror - S7092447: Clarify the default locale used in each locale sensitive operation - S7093640: Enable client-side TLS 1.2 by default - S7103570: AtomicIntegerFieldUpdater does not work when SecurityManager is installed - S7117360: Warnings in java.util.concurrent.atomic package - S7117465: Warning cleanup for IMF classes - S7187144: JavaDoc for ScriptEngineFactory.getProgram() contains an error - S8000418: javadoc should used a standard 'generated by javadoc' string - S8000666: javadoc should write directly to Writer instead of composing strings - S8000673: remove dead code from HtmlWriter and subtypes - S8000970: break out auxiliary classes that will prevent multi-core compilation of the JDK - S8001669: javadoc internal DocletAbortException should set cause when appropriate - S8008949: javadoc stopped copying doc-files - S8011402: Move blacklisting certificate logic from hard code to data - S8011547: Update XML Signature implementation to Apache Santuario 1.5.4 - S8012288: XML DSig API allows wrong tag names and extra elements in SignedInfo - S8016217: More javadoc warnings - S8017325: Cleanup of the javadoc tag in java.security.cert - S8017326: Cleanup of the javadoc tag in java.security.spec - S8019772: Fix doclint issues in javax.crypto and javax.security subpackages - S8020557: javadoc cleanup in javax.security - S8020688: Broken links in documentation at http://docs.oracle.com/javase/6/docs/api/index. - S8021108: Clean up doclint warnings and errors in java.text package - S8021417: Fix doclint issues in java.util.concurrent - S8021833: javadoc cleanup in java.net - S8022120: JCK test api/javax_xml/crypto/dsig/TransformService/index_ParamMe thods fails - S8022175: Fix doclint warnings in javax.print - S8022406: Fix doclint issues in java.beans - S8022746: List of spelling errors in API doc - S8024779: [macosx] SwingNode crashes on exit - S8025085: [javadoc] some errors in javax/swing - S8025218: [javadoc] some errors in java/awt classes - S8025249: [javadoc] fix some javadoc errors in javax/swing/ - S8025409: Fix javadoc comments errors and warning reported by doclint report - S8026021: more fix of javadoc errors and warnings reported by doclint, see the description - S8037099: [macosx] Remove all references to GC from native OBJ-C code - S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String - S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits - S8049244: XML Signature performance issue caused by unbuffered signature data - S8049432: New tests for TLS property jdk.tls.client.protocols - S8050893: (smartcardio) Invert reset argument in tests in sun/security/smartcardio - S8059212: Modify regression tests so that they do not just fail if no cardreader found - S8068279: (typo in the spec) javax.script.ScriptEngineFactory.getLanguageName - S8068491: Update the protocol for references of docs.oracle.com to HTTPS. - S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be updated for JDK-8061210 - S8076369: Introduce the jdk.tls.client.protocols system property for JDK 7u - S8139565: Restrict certificates with DSA keys less than 1024 bits - S8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions - S8140587: Atomic*FieldUpdaters should use Class.isInstance instead of direct class check - S8143959: Certificates requiring blacklisting - S8145984: [macosx] sun.lwawt.macosx.CAccessible leaks - S8148516: Improve the default strength of EC in JDK - S8149029: Secure validation of XML based digital signature always enabled when checking wrapping attacks - S8151893: Add security property to configure XML Signature secure validation mode - S8155760: Implement Serialization Filtering - S8156802: Better constraint checking - S8161228: URL objects with custom protocol handlers have port changed after deserializing - S8161571: Verifying ECDSA signatures permits trailing bytes - S8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar - S8164908: ReflectionFactory support for IIOP and custom serialization - S8165230: RMIConnection addNotificationListeners failing with specific inputs - S8166393: disabledAlgorithms property should not be strictly parsed - S8166591: [macos 10.12] Trackpad scrolling of text on OS X 10.12 Sierra is very fast (Trackpad, Retina only) - S8166739: Improve extensibility of ObjectInputFilter information passed to the filter - S8166875: (tz) Support tzdata2016g - S8166878: Connection reset during TLS handshake - S8167356: Follow up fix for jdk8 backport of 8164143. Changes for CMenuComponent.m were missed - S8167459: Add debug output for indicating if a chosen ciphersuite was legacy - S8167472: Chrome interop regression with JDK-8148516 - S8167591: Add MD5 to signed JAR restrictions - S8168861: AnchorCertificates uses hardcoded password for cacerts keystore - S8168993: JDK8u121 L10n resource file update - S8169191: (tz) Support tzdata2016i - S8169688: Backout (remove) MD5 from jdk.jar.disabledAlgorithms for January CPU - S8169911: Enhanced tests for jarsigner -verbose -verify after JDK-8163304 - S8170131: Certificates not being blocked by jdk.tls.disabledAlgorithms property - S8170268: 8u121 L10n resource file update - msgdrop 20 - S8173622: Backport of 7180907 is incomplete - S8173849: Fix use of java.util.Base64 in test cases - S8173854: [TEST] Update DHEKeySizing test case following 8076328 & 8081760 - CVE-2017-3259 Vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. - Backports - S7102489, PR3316, RH1390708: RFE: cleanup jlong typedef on __APPLE__and _LLP64 systems. - S8000351, PR3316, RH1390708: Tenuring threshold should be unsigned - S8153711, PR3315, RH1284948: [REDO] GlobalRefs never deleted when processing invokeMethod command - S8170888, PR3316, RH1390708: [linux] support for cgroup memory limits in container (ie Docker) environments - Bug fixes - PR3318: Replace 'infinality' with 'improved font rendering' (--enable-improved-font-rendering) - PR3318: Fix compatibility with vanilla Fontconfig - PR3318: Fix glyph y advance - PR3318: Always round glyph advance in 26.6 space - PR3318: Simplify glyph advance handling - PR3324: Fix NSS_LIBDIR substitution in make_generic_profile.sh broken by PR1989 - AArch64 port - S8165673, PR3320: AArch64: Fix JNI floating point argument handling This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 97287
    published 2017-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97287
    title openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2017-278)
  • NASL family AIX Local Security Checks
    NASL id AIX_JAVA_JAN2017_ADVISORY.NASL
    description The version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities in the following subcomponents : - A vulnerability exists in the Libraries subcomponent, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. (CVE-2016-2183) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-5546) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-5547) - Multiple unspecified flaws exist in the Libraries subcomponent that allow an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5548, CVE-2016-5549) - An unspecified flaw exists in the Networking subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-5552) - Multiple unspecified flaws exist in the Networking subcomponent that allow an unauthenticated, remote attacker to disclose sensitive information. (CVE-2017-3231, CVE-2017-3261) - An unspecified flaw exists in the RMI subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3241) - An unspecified flaw exists in the JAAS subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2017-3252) - An unspecified flaw exists in the 2D subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3253) - An unspecified flaw exists in the Deployment subcomponent that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2017-3259) - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3260) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3272) - An unspecified flaw exists in the Hotspot subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3289) Note that CVE-2017-3241 can only be exploited by supplying data to APIs in the specified component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service. Note that CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, and CVE-2017-3253 can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. They can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 103190
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103190
    title AIX Java Advisory : java_jan2017_advisory.asc (January 2017 CPU) (SWEET32)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0016_OPENJRE.NASL
    description An update of the openjre package has been released.
    last seen 2019-02-08
    modified 2019-02-07
    plugin id 121694
    published 2019-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=121694
    title Photon OS 1.0: Openjre PHSA-2017-0016
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3179-1.NASL
    description Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update moves those algorithms to the legacy algorithm set and causes them to be used only if no non-legacy algorithms can be negotiated. (CVE-2016-2183) It was discovered that OpenJDK accepted ECSDA signatures using non-canonical DER encoding. An attacker could use this to modify or expose sensitive data. (CVE-2016-5546) It was discovered that OpenJDK did not properly verify object identifier (OID) length when reading Distinguished Encoding Rules (DER) records, as used in x.509 certificates and elsewhere. An attacker could use this to cause a denial of service (memory consumption). (CVE-2016-5547) It was discovered that covert timing channel vulnerabilities existed in the DSA and ECDSA implementations in OpenJDK. A remote attacker could use this to expose sensitive information. (CVE-2016-5548, CVE-2016-5549) It was discovered that the URLStreamHandler class in OpenJDK did not properly parse user information from a URL. A remote attacker could use this to expose sensitive information. (CVE-2016-5552) It was discovered that the URLClassLoader class in OpenJDK did not properly check access control context when downloading class files. A remote attacker could use this to expose sensitive information. (CVE-2017-3231) It was discovered that the Remote Method Invocation (RMI) implementation in OpenJDK performed deserialization of untrusted inputs. A remote attacker could use this to execute arbitrary code. (CVE-2017-3241) It was discovered that the Java Authentication and Authorization Service (JAAS) component of OpenJDK did not properly perform user search LDAP queries. An attacker could use a specially constructed LDAP entry to expose or modify sensitive information. (CVE-2017-3252) It was discovered that the PNGImageReader class in OpenJDK did not properly handle iTXt and zTXt chunks. An attacker could use this to cause a denial of service (memory consumption). (CVE-2017-3253) It was discovered that integer overflows existed in the SocketInputStream and SocketOutputStream classes of OpenJDK. An attacker could use this to expose sensitive information. (CVE-2017-3261) It was discovered that the atomic field updaters in the java.util.concurrent.atomic package in OpenJDK did not properly restrict access to protected field members. An attacker could use this to specially craft a Java application or applet that could bypass Java sandbox restrictions. (CVE-2017-3272) It was discovered that a vulnerability existed in the class construction implementation in OpenJDK. An attacker could use this to specially craft a Java application or applet that could bypass Java sandbox restrictions. (CVE-2017-3289). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 96796
    published 2017-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96796
    title Ubuntu 16.04 LTS / 16.10 : openjdk-8 vulnerabilities (USN-3179-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-629.NASL
    description This update for java-1_7_0-openjdk fixes the following issues : - Update to 2.6.10 - OpenJDK 7u141 (bsc#1034849) - Security fixes - S8163520, CVE-2017-3509: Reuse cache entries - S8163528, CVE-2017-3511: Better library loading - S8165626, CVE-2017-3512: Improved window framing - S8167110, CVE-2017-3514: Windows peering issue - S8169011, CVE-2017-3526: Resizing XML parse trees - S8170222, CVE-2017-3533: Better transfers of files - S8171121, CVE-2017-3539: Enhancing jar checking - S8171533, CVE-2017-3544: Better email transfer - S8172299: Improve class processing - New features - PR3347: jstack.stp should support AArch64 - Import of OpenJDK 7 u141 build 0 - S4717864: setFont() does not update Fonts of Menus already on screen - S6474807: (smartcardio) CardTerminal.connect() throws CardException instead of CardNotPresentException - S6518907: cleanup IA64 specific code in Hotspot - S6869327: Add new C2 flag to keep safepoints in counted loops. - S7112912: Message 'Error occurred during initialization of VM' on boxes with lots of RAM - S7124213: [macosx] pack() does ignore size of a component; doesn't on the other platforms - S7124219: [macosx] Unable to draw images to fullscreen - S7124552: [macosx] NullPointerException in getBufferStrategy() - S7148275: [macosx] setIconImages() not working correctly (distorted icon when minimized) - S7154841: [macosx] Popups appear behind taskbar - S7155957: closed/java/awt/MenuBar/MenuBarStress1/MenuBarStress1.ja va hangs on win 64 bit with jdk8 - S7160627: [macosx] TextArea has wrong initial size - S7167293: FtpURLConnection connection leak on FileNotFoundException - S7168851: [macosx] Netbeans crashes in CImage.nativeCreateNSImageFromArray - S7197203: sun/misc/URLClassPath/ClassnameCharTest.sh failed, compile error - S8005255: [macosx] Cleanup warnings in sun.lwawt - S8006088: Incompatible heap size flags accepted by VM - S8007295: Reduce number of warnings in awt classes - S8010722: assert: failed: heap size is too big for compressed oops - S8011059: [macosx] Support automatic @2x images loading on Mac OS X - S8014058: Regression tests for 8006088 - S8014489: tests/gc/arguments/Test(Serial|CMS|Parallel|G1)HeapSizeF lags jtreg tests invoke wrong class - S8016302: Change type of the number of GC workers to unsigned int (2) - S8024662: gc/arguments/TestUseCompressedOopsErgo.java does not compile. - S8024669: Native OOME when allocating after changes to maximum heap supporting Coops sizing on sparcv9 - S8024926: [macosx] AquaIcon HiDPI support - S8025974: l10n for policytool - S8027025: [macosx] getLocationOnScreen returns 0 if parent invisible - S8028212: Custom cursor HiDPI support - S8028471: PPC64 (part 215): opto: Extend ImplicitNullCheck optimization. - S8031573: [macosx] Checkmarks of JCheckBoxMenuItems aren't rendered in high resolution on Retina - S8033534: [macosx] Get MultiResolution image from native system - S8033786: White flashing when opening Dialogs and Menus using Nimbus with dark background - S8035568: [macosx] Cursor management unification - S8041734: JFrame in full screen mode leaves empty workspace after close - S8059803: Update use of GetVersionEx to get correct Windows version in hs_err files - S8066504: GetVersionEx in java.base/windows/native/libjava/java_props_md.c might not get correct Windows version 0 - S8079595: Resizing dialog which is JWindow parent makes JVM crash - S8080729: [macosx] java 7 and 8 JDialogs on multiscreen jump to parent frame on focus - S8130769: The new menu can't be shown on the menubar after clicking the 'Add' button. - S8133357: 8u65 l10n resource file translation update - S8146602: jdk/test/sun/misc/URLClassPath/ClassnameCharTest.java test fails with NullPointerException - S8147842: IME Composition Window is displayed at incorrect location - S8147910: Cache initial active_processor_count - S8150490: Update OS detection code to recognize Windows Server 2016 - S8161147: jvm crashes when -XX:+UseCountedLoopSafepoints is enabled - S8161195: Regression: closed/javax/swing/text/FlowView/LayoutTest.java - S8161993: G1 crashes if active_processor_count changes during startup - S8162603: Unrecognized VM option 'UseCountedLoopSafepoints' - S8162876: [TEST_BUG] sun/net/www/protocol/http/HttpInputStream.java fails intermittently - S8164533: sun/security/ssl/SSLSocketImpl/CloseSocket.java failed with 'Error while cleaning up threads after test' - S8167179: Make XSL generated namespace prefixes local to transformation process - S8169465: Deadlock in com.sun.jndi.ldap.pool.Connections - S8169589: [macosx] Activating a JDialog puts to back another dialog - S8170307: Stack size option -Xss is ignored - S8170316: (tz) Support tzdata2016j - S8170814: Reuse cache entries (part II) - S8171388: Update JNDI Thread contexts - S8171949: [macosx] AWT_ZoomFrame Automated tests fail with error: The bitwise mask Frame.ICONIFIED is not setwhen the frame is in ICONIFIED state - S8171952: [macosx] AWT_Modality/Automated/ModalExclusion/NoExclusion/Modele ssDialog test fails as DummyButton on Dialog did not gain focus when clicked. - S8173931: 8u131 L10n resource file update - S8174844: Incorrect GPL header causes RE script to miss swap to commercial header for licensee source bundle - S8175087: [bsd] Fix build after '8024900: PPC64: Enable new build on AIX (jdk part)' - S8175163: [bsd] Fix build after '8005629: javac warnings compiling java.awt.EventDispatchThread...' - S8176044: (tz) Support tzdata2017a - Import of OpenJDK 7 u141 build 1 - S8043723: max_heap_for_compressed_oops() declared with size_t, but defined with uintx - Import of OpenJDK 7 u141 build 2 - S8011123: serialVersionUID of java.awt.dnd.InvalidDnDOperationException changed in JDK8-b82 - Backports - S6515172, PR3362: Runtime.availableProcessors() ignores Linux taskset command - S8022284, PR3209: Hide internal data structure in PhaseCFG - S8023003, PR3209: Cleanup the public interface to PhaseCFG - S8023691, PR3209: Create interface for nodes in class Block - S8023988, PR3209: Move local scheduling of nodes to the CFG creation and code motion phase (PhaseCFG) - S8043780, PR3369: Use open(O_CLOEXEC) instead of fcntl(FD_CLOEXEC) - S8157306, PR3209: Random infrequent NULL pointer exceptions in javac - S8173783, PR3329: IllegalArgumentException: jdk.tls.namedGroups - S8173941, PR3330: SA does not work if executable is DSO - S8174729, PR3361: Race Condition in java.lang.reflect.WeakCache - Bug fixes - PR3349: Architectures unsupported by SystemTap tapsets throw a parse error - PR3370: Disable ARM32 JIT by default in jdk_generic_profile.sh - PR3379: Perl should be mandatory - PR3390: javac.in and javah.in should use @PERL@ rather than a hardcoded path - CACAO - PR2732: Raise javadoc memory limits for CACAO again! - AArch64 port - S8177661, PR3367: Correct ad rule output register types from iRegX to iRegXNoSp - Get ecj.jar path from gcj, use the gcc variant that provides Java to build C code to make sure jni.h is available. - S8167104, CVE-2017-3289: Additional class construction - S6253144: Long narrowing conversion should describe the - S6328537: Improve javadocs for Socket class by adding - S6978886: javadoc shows stacktrace after print error - S6995421: Eliminate the static dependency to - S7027045: (doc) java/awt/Window.java has several typos in - S7054969: Null-check-in-finally pattern in java/security - S7072353: JNDI libraries do not build with javac -Xlint:all - S7092447: Clarify the default locale used in each locale - S7103570: AtomicIntegerFieldUpdater does not work when - S7187144: JavaDoc for ScriptEngineFactory.getProgram() - S8000418: javadoc should used a standard 'generated by - S8000666: javadoc should write directly to Writer instead of - S8000970: break out auxiliary classes that will prevent - S8001669: javadoc internal DocletAbortException should set - S8011402: Move blacklisting certificate logic from hard code - S8011547: Update XML Signature implementation to Apache - S8012288: XML DSig API allows wrong tag names and extra - S8017325: Cleanup of the javadoc tag in - S8017326: Cleanup of the javadoc tag in - S8019772: Fix doclint issues in javax.crypto and - S8020688: Broken links in documentation at - S8021108: Clean up doclint warnings and errors in java.text - S8022120: JCK test api/javax_xml/crypto/dsig/TransformService/index_ParamMe thods - S8025409: Fix javadoc comments errors and warning reported by - S8026021: more fix of javadoc errors and warnings reported by - S8037099: [macosx] Remove all references to GC from native - S8038184: XMLSignature throws StringIndexOutOfBoundsException - S8038349: Signing XML with DSA throws Exception when key is - S8049244: XML Signature performance issue caused by - S8050893: (smartcardio) Invert reset argument in tests in - S8059212: Modify sun/security/smartcardio manual regression - S8068279: (typo in the spec) - S8068491: Update the protocol for references of - S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs - S8076369: Introduce the jdk.tls.client.protocols system - S8139565: Restrict certificates with DSA keys less than 1024 - S8140422: Add mechanism to allow non default root CAs to be - S8140587: Atomic*FieldUpdaters should use Class.isInstance - S8149029: Secure validation of XML based digital signature - S8151893: Add security property to configure XML Signature - S8161228: URL objects with custom protocol handlers have port - S8163304: jarsigner -verbose -verify should print the - S8164908: ReflectionFactory support for IIOP and custom - S8165230: RMIConnection addNotificationListeners failing with - S8166393: disabledAlgorithms property should not be strictly - S8166591: [macos 10.12] Trackpad scrolling of text on OS X - S8166739: Improve extensibility of ObjectInputFilter - S8167356: Follow up fix for jdk8 backport of 8164143. Changes - S8167459: Add debug output for indicating if a chosen - S8168861: AnchorCertificates uses hardcoded password for - S8169688: Backout (remove) MD5 from - S8169911: Enhanced tests for jarsigner -verbose -verify after - S8170131: Certificates not being blocked by - S8173854: [TEST] Update DHEKeySizing test case following - S7102489, PR3316, RH1390708: RFE: cleanup jlong typedef on - S8000351, PR3316, RH1390708: Tenuring threshold should be - S8153711, PR3315, RH1284948: [REDO] JDWP: Memory Leak : - S8170888, PR3316, RH1390708: [linux] Experimental support for - PR3318: Replace 'infinality' with 'improved font rendering' - PR3324: Fix NSS_LIBDIR substitution in - S8165673, PR3320: AArch64: Fix JNI floating point argument + S6604109, PR3162 : - Add -fno-delete-null-pointer-checks -fno-lifetime-dse to try to directory to be specified versions of IcedTea This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2017-05-30
    plugin id 100503
    published 2017-05-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100503
    title openSUSE Security Update : java-1_7_0-openjdk (openSUSE-2017-629)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0263.NASL
    description An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR4. Security Fix(es) : * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3261, CVE-2017-3272, CVE-2017-3289)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 97095
    published 2017-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97095
    title RHEL 6 / 7 : java-1.8.0-ibm (RHSA-2017:0263)
  • NASL family Misc.
    NASL id ORACLE_JAVA_CPU_JAN_2017_UNIX.NASL
    description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 121, 7 Update 131, or 6 Update 141. It is, therefore, affected by multiple vulnerabilities : - A vulnerability exists in the Libraries subcomponent, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. (CVE-2016-2183) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-5546) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-5547) - Multiple unspecified flaws exist in the Libraries subcomponent that allow an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5548, CVE-2016-5549) - An unspecified flaw exists in the Networking subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-5552) - An unspecified flaw exists in the Mission Control subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-8328) - Multiple unspecified flaws exist in the Networking subcomponent that allow an unauthenticated, remote attacker to disclose sensitive information. (CVE-2017-3231, CVE-2017-3261) - An unspecified flaw exists in the RMI subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3241) - An unspecified flaw exists in the JAAS subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2017-3252) - An unspecified flaw exists in the 2D subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3253) - An unspecified flaw exists in the Deployment subcomponent that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2017-3259) - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3260) - An unspecified flaw exists in the Java Mission Control subcomponent that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2017-3262) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3272) - An unspecified flaw exists in the Hotspot subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3289) Note that CVE-2017-3241 can only be exploited by supplying data to APIs in the specified component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service. Note that CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, and CVE-2017-3253 can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. They can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 96629
    published 2017-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96629
    title Oracle Java SE Multiple Vulnerabilities (January 2017 CPU) (Unix) (SWEET32)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-821.NASL
    description Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the bypass of Java sandbox restrictions, denial of service, arbitrary code execution, incorrect parsing or URLs/LDAP DNs or cryptoraphice timing side channel attacks. For Debian 7 'Wheezy', these problems have been fixed in version 7u121-2.6.8-2~deb7u1. We recommend that you upgrade your openjdk-7 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-10
    plugin id 97105
    published 2017-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97105
    title Debian DLA-821-1 : openjdk-7 security update
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1028.NASL
    description According to the versions of the java-1.7.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) - Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) - A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) - It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) - It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) - It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) - It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) - It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) - Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) - A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-05
    plugin id 99873
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99873
    title EulerOS 2.0 SP2 : java-1.7.0-openjdk (EulerOS-SA-2017-1028)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0269.NASL
    description An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. * Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) * A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) * It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) * It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) * It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) * It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) * It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) * Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 97121
    published 2017-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97121
    title RHEL 5 / 6 / 7 : java-1.7.0-openjdk (RHSA-2017:0269)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-791.NASL
    description It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272 , CVE-2017-3289) A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261 , CVE-2017-3231) A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 96809
    published 2017-01-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96809
    title Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2017-791)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0180.NASL
    description An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. * Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) * A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) * It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) * It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) * It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) * It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) * It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) * Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS /SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96693
    published 2017-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96693
    title RHEL 6 / 7 : java-1.8.0-openjdk (RHSA-2017:0180)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1015.NASL
    description According to the versions of the java-1.8.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) - Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) - A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) - It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) - It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) - It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) - It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) - It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) - Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) - A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-05
    plugin id 99861
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99861
    title EulerOS 2.0 SP1 : java-1.8.0-openjdk (EulerOS-SA-2017-1015)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0016.NASL
    description An update of [gnutls,openjdk,openjre] packages for PhotonOS has been released.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 111865
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111865
    title Photon OS 1.0: Gnutls / Linux / Openjdk / Openjre PHSA-2017-0016 (deprecated)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-0180.NASL
    description From Red Hat Security Advisory 2017:0180 : An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. * Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) * A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) * It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) * It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) * It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) * It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) * It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) * Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS /SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 96692
    published 2017-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96692
    title Oracle Linux 6 / 7 : java-1.8.0-openjdk (ELSA-2017-0180)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-0269.NASL
    description From Red Hat Security Advisory 2017:0269 : An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. * Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) * A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) * It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) * It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) * It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) * It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) * It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) * Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 97139
    published 2017-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97139
    title Oracle Linux 5 / 6 / 7 : java-1.7.0-openjdk (ELSA-2017-0269)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0176.NASL
    description An update for java-1.7.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 5, Oracle Java for Red Hat Enterprise Linux 6, and Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 7 to version 7 Update 131. Security Fix(es) : * This update fixes multiple vulnerabilities in the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. Further information about these flaws can be found on the Oracle Java SE Critical Patch Update Advisory page, listed in the References section. (CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3261, CVE-2017-3272, CVE-2017-3289) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96651
    published 2017-01-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96651
    title RHEL 5 / 6 / 7 : java-1.7.0-oracle (RHSA-2017:0176)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-0336.NASL
    description An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary and Red Hat Enterprise Linux 7 Supplementary. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 7 to version 7R1 SR4-FP1. Security Fix(es) : * This update fixes multiple vulnerabilities in the IBM Java Runtime Environment and the IBM Java Software Development Kit. Further information about these flaws can be found on the IBM Java Security alerts page, listed in the References section. (CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3261, CVE-2017-3272, CVE-2017-3289)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 97460
    published 2017-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97460
    title RHEL 6 / 7 : java-1.7.1-ibm (RHSA-2017:0336)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-0180.NASL
    description An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit. Security Fix(es) : * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. * Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) * A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) * It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) * It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) * It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) * It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) * It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) * Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS /SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 96664
    published 2017-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96664
    title CentOS 6 / 7 : java-1.8.0-openjdk (CESA-2017:0180)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1027.NASL
    description According to the versions of the java-1.7.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) - Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) - A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) - It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) - It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) - It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) - It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) - It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) - Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) - A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 99872
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99872
    title EulerOS 2.0 SP1 : java-1.7.0-openjdk (EulerOS-SA-2017-1027)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-0269.NASL
    description An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. * Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) * A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) * It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) * It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) * It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) * It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) * It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) * Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 97134
    published 2017-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97134
    title CentOS 5 / 6 / 7 : java-1.7.0-openjdk (CESA-2017:0269)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201701-65.NASL
    description The remote host is affected by the vulnerability described in GLSA-201701-65 (Oracle JRE/JDK: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in in Oracle’s JRE and JDK. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, gain access to information, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2017-10-02
    plugin id 96787
    published 2017-01-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96787
    title GLSA-201701-65 : Oracle JRE/JDK: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0490-1.NASL
    description This update for java-1_7_0-openjdk fixes the following issues : - Oracle Critical Patch Update of January 2017 to OpenJDK 7u131 (bsc#1020905) : - Security Fixes - S8138725: Add options for Javadoc generation - S8140353: Improve signature checking - S8151934, CVE-2017-3231: Resolve class resolution - S8156804, CVE-2017-3241: Better constraint checking - S8158406: Limited Parameter Processing - S8158997: JNDI Protocols Switch - S8159507: RuntimeVisibleAnnotation validation - S8161218: Better bytecode loading - S8161743, CVE-2017-3252: Provide proper login context - S8162577: Standardize logging levels - S8162973: Better component components - S8164143, CVE-2017-3260: Improve components for menu items - S8164147, CVE-2017-3261: Improve streaming socket output - S8165071, CVE-2016-2183: Expand TLS support - S8165344, CVE-2017-3272: Update concurrency support - S8166988, CVE-2017-3253: Improve image processing performance - S8167104, CVE-2017-3289: Additional class construction refinements - S8167223, CVE-2016-5552: URL handling improvements - S8168705, CVE-2016-5547: Better ObjectIdentifier validation - S8168714, CVE-2016-5546: Tighten ECDSA validation - S8168728, CVE-2016-5548: DSA signing improvments - S8168724, CVE-2016-5549: ECDSA signing improvments - S6253144: Long narrowing conversion should describe the algorithm used and implied 'risks' - S6328537: Improve javadocs for Socket class by adding references to SocketOptions - S6978886: javadoc shows stacktrace after print error resulting from disk full - S6995421: Eliminate the static dependency to sun.security.ec.ECKeyFactory - S6996372: synchronizing handshaking hash - S7027045: (doc) java/awt/Window.java has several typos in javadoc - S7054969: Null-check-in-finally pattern in java/security documentation - S7072353: JNDI libraries do not build with javac -Xlint:all -Werror - S7075563: Broken link in 'javax.swing.SwingWorker' - S7077672: jdk8_tl nightly fail in step-2 build on 8/10/11 - S7088502: Security libraries don't build with javac -Werror - S7092447: Clarify the default locale used in each locale sensitive operation - S7093640: Enable client-side TLS 1.2 by default - S7103570: AtomicIntegerFieldUpdater does not work when SecurityManager is installed - S7117360: Warnings in java.util.concurrent.atomic package - S7117465: Warning cleanup for IMF classes - S7187144: JavaDoc for ScriptEngineFactory.getProgram() contains an error - S8000418: javadoc should used a standard 'generated by javadoc' string - S8000666: javadoc should write directly to Writer instead of composing strings - S8000673: remove dead code from HtmlWriter and subtypes - S8000970: break out auxiliary classes that will prevent multi-core compilation of the JDK - S8001669: javadoc internal DocletAbortException should set cause when appropriate - S8008949: javadoc stopped copying doc-files - S8011402: Move blacklisting certificate logic from hard code to data - S8011547: Update XML Signature implementation to Apache Santuario 1.5.4 - S8012288: XML DSig API allows wrong tag names and extra elements in SignedInfo - S8016217: More javadoc warnings - S8017325: Cleanup of the javadoc tag in java.security.cert - S8017326: Cleanup of the javadoc tag in java.security.spec - S8019772: Fix doclint issues in javax.crypto and javax.security subpackages - S8020557: javadoc cleanup in javax.security - S8020688: Broken links in documentation at http://docs.oracle.com/javase/6/docs/api/index. - S8021108: Clean up doclint warnings and errors in java.text package - S8021417: Fix doclint issues in java.util.concurrent - S8021833: javadoc cleanup in java.net - S8022120: JCK test api/javax_xml/crypto/dsig/TransformService/index_ParamMe thods fails - S8022175: Fix doclint warnings in javax.print - S8022406: Fix doclint issues in java.beans - S8022746: List of spelling errors in API doc - S8024779: [macosx] SwingNode crashes on exit - S8025085: [javadoc] some errors in javax/swing - S8025218: [javadoc] some errors in java/awt classes - S8025249: [javadoc] fix some javadoc errors in javax/swing/ - S8025409: Fix javadoc comments errors and warning reported by doclint report - S8026021: more fix of javadoc errors and warnings reported by doclint, see the description - S8037099: [macosx] Remove all references to GC from native OBJ-C code - S8038184: XMLSignature throws StringIndexOutOfBoundsException if ID attribute value is empty String - S8038349: Signing XML with DSA throws Exception when key is larger than 1024 bits - S8049244: XML Signature performance issue caused by unbuffered signature data - S8049432: New tests for TLS property jdk.tls.client.protocols - S8050893: (smartcardio) Invert reset argument in tests in sun/security/smartcardio - S8059212: Modify regression tests so that they do not just fail if no cardreader found - S8068279: (typo in the spec) javax.script.ScriptEngineFactory.getLanguageName - S8068491: Update the protocol for references of docs.oracle.com to HTTPS. - S8069038: javax/net/ssl/TLS/TLSClientPropertyTest.java needs to be updated for JDK-8061210 - S8076369: Introduce the jdk.tls.client.protocols system property for JDK 7u - S8139565: Restrict certificates with DSA keys less than 1024 bits - S8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions - S8140587: Atomic*FieldUpdaters should use Class.isInstance instead of direct class check - S8143959: Certificates requiring blacklisting - S8145984: [macosx] sun.lwawt.macosx.CAccessible leaks - S8148516: Improve the default strength of EC in JDK - S8149029: Secure validation of XML based digital signature always enabled when checking wrapping attacks - S8151893: Add security property to configure XML Signature secure validation mode - S8155760: Implement Serialization Filtering - S8156802: Better constraint checking - S8161228: URL objects with custom protocol handlers have port changed after deserializing - S8161571: Verifying ECDSA signatures permits trailing bytes - S8163304: jarsigner -verbose -verify should print the algorithms used to sign the jar - S8164908: ReflectionFactory support for IIOP and custom serialization - S8165230: RMIConnection addNotificationListeners failing with specific inputs - S8166393: disabledAlgorithms property should not be strictly parsed - S8166591: [macos 10.12] Trackpad scrolling of text on OS X 10.12 Sierra is very fast (Trackpad, Retina only) - S8166739: Improve extensibility of ObjectInputFilter information passed to the filter - S8166875: (tz) Support tzdata2016g - S8166878: Connection reset during TLS handshake - S8167356: Follow up fix for jdk8 backport of 8164143. Changes for CMenuComponent.m were missed - S8167459: Add debug output for indicating if a chosen ciphersuite was legacy - S8167472: Chrome interop regression with JDK-8148516 - S8167591: Add MD5 to signed JAR restrictions - S8168861: AnchorCertificates uses hard-coded password for cacerts keystore - S8168993: JDK8u121 L10n resource file update - S8169191: (tz) Support tzdata2016i - S8169688: Backout (remove) MD5 from jdk.jar.disabledAlgorithms for January CPU - S8169911: Enhanced tests for jarsigner -verbose -verify after JDK-8163304 - S8170131: Certificates not being blocked by jdk.tls.disabledAlgorithms property - S8170268: 8u121 L10n resource file update - msgdrop 20 - S8173622: Backport of 7180907 is incomplete - S8173849: Fix use of java.util.Base64 in test cases - S8173854: [TEST] Update DHEKeySizing test case following 8076328 & 8081760 - CVE-2017-3259 Vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. - Backports - S7102489, PR3316, RH1390708: RFE: cleanup jlong typedef on __APPLE__and _LLP64 systems. - S8000351, PR3316, RH1390708: Tenuring threshold should be unsigned - S8153711, PR3315, RH1284948: [REDO] GlobalRefs never deleted when processing invokeMethod command - S8170888, PR3316, RH1390708: [linux] support for cgroup memory limits in container (ie Docker) environments - Bug fixes - PR3318: Replace 'infinality' with 'improved font rendering' (--enable-improved-font-rendering) - PR3318: Fix compatibility with vanilla Fontconfig - PR3318: Fix glyph y advance - PR3318: Always round glyph advance in 26.6 space - PR3318: Simplify glyph advance handling - PR3324: Fix NSS_LIBDIR substitution in make_generic_profile.sh broken by PR1989 - AArch64 port - S8165673, PR3320: AArch64: Fix JNI floating point argument handling Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 97296
    published 2017-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97296
    title SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2017:0490-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170213_JAVA_1_7_0_OPENJDK_ON_SL5_X.NASL
    description Security Fix(es) : - It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. - Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) - A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) - It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) - It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) - It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) - It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) - It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) - Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) - A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 97122
    published 2017-02-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97122
    title Scientific Linux Security Update : java-1.7.0-openjdk on SL5.x, SL6.x, SL7.x i386/x86_64
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170120_JAVA_1_8_0_OPENJDK_ON_SL6_X.NASL
    description Security Fix(es) : - It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. - Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) - A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) - It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) - It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) - It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) - It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) - It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) - Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) - A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite. Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 96757
    published 2017-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96757
    title Scientific Linux Security Update : java-1.8.0-openjdk on SL6.x, SL7.x i386/x86_64
  • NASL family Virtuozzo Local Security Checks
    NASL id VIRTUOZZO_VZLSA-2017-0269.NASL
    description An update for java-1.7.0-openjdk is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit. Security Fix(es) : * It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-3241) This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. * Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272, CVE-2017-3289) * A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) * It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) * It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) * It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) * It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) * It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) * Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261, CVE-2017-3231) * A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183) This update mitigates the CVE-2016-2183 issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-01-29
    plugin id 101422
    published 2017-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101422
    title Virtuozzo 6 : java-1.7.0-openjdk / java-1.7.0-openjdk-demo / etc (VZLSA-2017-0269)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3782.NASL
    description Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in the bypass of Java sandbox restrictions, denial of service, arbitrary code execution, incorrect parsing of URLs/LDAP DNs or cryptographic timing side channel attacks.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 97067
    published 2017-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97067
    title Debian DSA-3782-1 : openjdk-7 - security update
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3194-1.NASL
    description Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update moves those algorithms to the legacy algorithm set and causes them to be used only if no non-legacy algorithms can be negotiated. (CVE-2016-2183) It was discovered that OpenJDK accepted ECSDA signatures using non-canonical DER encoding. An attacker could use this to modify or expose sensitive data. (CVE-2016-5546) It was discovered that OpenJDK did not properly verify object identifier (OID) length when reading Distinguished Encoding Rules (DER) records, as used in x.509 certificates and elsewhere. An attacker could use this to cause a denial of service (memory consumption). (CVE-2016-5547) It was discovered that covert timing channel vulnerabilities existed in the DSA implementations in OpenJDK. A remote attacker could use this to expose sensitive information. (CVE-2016-5548) It was discovered that the URLStreamHandler class in OpenJDK did not properly parse user information from a URL. A remote attacker could use this to expose sensitive information. (CVE-2016-5552) It was discovered that the URLClassLoader class in OpenJDK did not properly check access control context when downloading class files. A remote attacker could use this to expose sensitive information. (CVE-2017-3231) It was discovered that the Remote Method Invocation (RMI) implementation in OpenJDK performed deserialization of untrusted inputs. A remote attacker could use this to execute arbitrary code. (CVE-2017-3241) It was discovered that the Java Authentication and Authorization Service (JAAS) component of OpenJDK did not properly perform user search LDAP queries. An attacker could use a specially constructed LDAP entry to expose or modify sensitive information. (CVE-2017-3252) It was discovered that the PNGImageReader class in OpenJDK did not properly handle iTXt and zTXt chunks. An attacker could use this to cause a denial of service (memory consumption). (CVE-2017-3253) It was discovered that integer overflows existed in the SocketInputStream and SocketOutputStream classes of OpenJDK. An attacker could use this to expose sensitive information. (CVE-2017-3261) It was discovered that the atomic field updaters in the java.util.concurrent.atomic package in OpenJDK did not properly restrict access to protected field members. An attacker could use this to specially craft a Java application or applet that could bypass Java sandbox restrictions. (CVE-2017-3272) It was discovered that a vulnerability existed in the class construction implementation in OpenJDK. An attacker could use this to specially craft a Java application or applet that could bypass Java sandbox restrictions. (CVE-2017-3289). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 97084
    published 2017-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97084
    title Ubuntu 12.04 LTS / 14.04 LTS : openjdk-7 vulnerabilities (USN-3194-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-797.NASL
    description It was discovered that the RMI registry and DCG implementations in the RMI component of OpenJDK performed deserialization of untrusted inputs. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. This issue was addressed by introducing whitelists of classes that can be deserialized by RMI registry or DCG. These whitelists can be customized using the newly introduced sun.rmi.registry.registryFilter and sun.rmi.transport.dgcFilter security properties. (CVE-2017-3241) Multiple flaws were discovered in the Libraries and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-3272 , CVE-2017-3289) A covert timing channel flaw was found in the DSA implementation in the Libraries component of OpenJDK. A remote attacker could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2016-5548) It was discovered that the Libraries component of OpenJDK accepted ECSDA signatures using non-canonical DER encoding. This could cause a Java application to accept signature in an incorrect format not accepted by other cryptographic tools. (CVE-2016-5546) It was discovered that the 2D component of OpenJDK performed parsing of iTXt and zTXt PNG image chunks even when configured to ignore metadata. An attacker able to make a Java application parse a specially crafted PNG image could cause the application to consume an excessive amount of memory. (CVE-2017-3253) It was discovered that the Libraries component of OpenJDK did not validate the length of the object identifier read from the DER input before allocating memory to store the OID. An attacker able to make a Java application decode a specially crafted DER input could cause the application to consume an excessive amount of memory. (CVE-2016-5547) It was discovered that the JAAS component of OpenJDK did not use the correct way to extract user DN from the result of the user search LDAP query. A specially crafted user LDAP entry could cause the application to use an incorrect DN. (CVE-2017-3252) It was discovered that the Networking component of OpenJDK failed to properly parse user info from the URL. A remote attacker could cause a Java application to incorrectly parse an attacker supplied URL and interpret it differently from other applications processing the same URL. (CVE-2016-5552) Multiple flaws were found in the Networking components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-3261 , CVE-2017-3231) A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. This update mitigates this issue by adding 3DES cipher suites to the list of legacy algorithms (defined using the jdk.tls.legacyAlgorithms security property) so they are only used if connecting TLS/SSL client and server do not share any other non-legacy cipher suite. (CVE-2016-2183)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 97147
    published 2017-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97147
    title Amazon Linux AMI : java-1.7.0-openjdk (ALAS-2017-797)
  • NASL family Windows
    NASL id ORACLE_JAVA_CPU_JAN_2017.NASL
    description The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 8 Update 121, 7 Update 131, or 6 Update 141. It is, therefore, affected by multiple vulnerabilities : - A vulnerability exists in the Libraries subcomponent, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. (CVE-2016-2183) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-5546) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2016-5547) - Multiple unspecified flaws exist in the Libraries subcomponent that allow an unauthenticated, remote attacker to disclose sensitive information. (CVE-2016-5548, CVE-2016-5549) - An unspecified flaw exists in the Networking subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-5552) - An unspecified flaw exists in the Mission Control subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2016-8328) - Multiple unspecified flaws exist in the Networking subcomponent that allow an unauthenticated, remote attacker to disclose sensitive information. (CVE-2017-3231, CVE-2017-3261) - An unspecified flaw exists in the RMI subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3241) - An unspecified flaw exists in the JAAS subcomponent that allows an unauthenticated, remote attacker to impact integrity. (CVE-2017-3252) - An unspecified flaw exists in the 2D subcomponent that allows an unauthenticated, remote attacker to cause a denial of service condition. (CVE-2017-3253) - An unspecified flaw exists in the Deployment subcomponent that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2017-3259) - An unspecified flaw exists in the AWT subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3260) - An unspecified flaw exists in the Java Mission Control subcomponent that allows an unauthenticated, remote attacker to disclose sensitive information. (CVE-2017-3262) - An unspecified flaw exists in the Libraries subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3272) - An unspecified flaw exists in the Hotspot subcomponent that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2017-3289) Note that CVE-2017-3241 can only be exploited by supplying data to APIs in the specified component without using untrusted Java Web Start applications or untrusted Java applets, such as through a web service. Note that CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5552, CVE-2017-3252, and CVE-2017-3253 can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. They can also be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 96628
    published 2017-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96628
    title Oracle Java SE Multiple Vulnerabilities (January 2017 CPU) (SWEET32)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0460-1.NASL
    description This update for java-1_8_0-ibm to version 8.0-4.0 fixes a lot of security issues (bsc#1024218): Following CVEs are fixed: CVE-2016-5552 CVE-2017-3231 CVE-2017-3241 CVE-2017-3253 CVE-2017-3259 CVE-2017-3261 CVE-2017-3272 CVE-2017-3289 CVE-2016-2183 CVE-2016-5547 CVE-2016-5548 CVE-2016-5549 CVE-2017-3252 More information can be found on: https://developer.ibm.com/javasdk/support/security-vulnerabilities/ Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 97187
    published 2017-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97187
    title SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2017:0460-1)
redhat via4
advisories
  • bugzilla
    id 1413955
    title CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802)
    oval
    OR
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhsa:tst:20100842001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhsa:tst:20100842002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20100842003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20100842004
      • OR
        • AND
          • comment java-1.8.0-openjdk is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180015
          • comment java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636006
        • AND
          • comment java-1.8.0-openjdk-debug is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180019
          • comment java-1.8.0-openjdk-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919012
        • AND
          • comment java-1.8.0-openjdk-demo is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180009
          • comment java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636012
        • AND
          • comment java-1.8.0-openjdk-demo-debug is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180007
          • comment java-1.8.0-openjdk-demo-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919018
        • AND
          • comment java-1.8.0-openjdk-devel is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180005
          • comment java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636016
        • AND
          • comment java-1.8.0-openjdk-devel-debug is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180021
          • comment java-1.8.0-openjdk-devel-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919016
        • AND
          • comment java-1.8.0-openjdk-headless is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180023
          • comment java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636008
        • AND
          • comment java-1.8.0-openjdk-headless-debug is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180013
          • comment java-1.8.0-openjdk-headless-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919006
        • AND
          • comment java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180027
          • comment java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636014
        • AND
          • comment java-1.8.0-openjdk-javadoc-debug is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180025
          • comment java-1.8.0-openjdk-javadoc-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919028
        • AND
          • comment java-1.8.0-openjdk-src is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180011
          • comment java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636010
        • AND
          • comment java-1.8.0-openjdk-src-debug is earlier than 1:1.8.0.121-0.b13.el6_8
            oval oval:com.redhat.rhsa:tst:20170180017
          • comment java-1.8.0-openjdk-src-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919022
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhsa:tst:20140675001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhsa:tst:20140675002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20140675003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20140675004
      • OR
        • AND
          • comment java-1.8.0-openjdk is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180039
          • comment java-1.8.0-openjdk is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636006
        • AND
          • comment java-1.8.0-openjdk-accessibility is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180035
          • comment java-1.8.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20150809023
        • AND
          • comment java-1.8.0-openjdk-accessibility-debug is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180037
          • comment java-1.8.0-openjdk-accessibility-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20160049016
        • AND
          • comment java-1.8.0-openjdk-debug is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180034
          • comment java-1.8.0-openjdk-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919012
        • AND
          • comment java-1.8.0-openjdk-demo is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180041
          • comment java-1.8.0-openjdk-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636012
        • AND
          • comment java-1.8.0-openjdk-demo-debug is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180040
          • comment java-1.8.0-openjdk-demo-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919018
        • AND
          • comment java-1.8.0-openjdk-devel is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180045
          • comment java-1.8.0-openjdk-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636016
        • AND
          • comment java-1.8.0-openjdk-devel-debug is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180046
          • comment java-1.8.0-openjdk-devel-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919016
        • AND
          • comment java-1.8.0-openjdk-headless is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180042
          • comment java-1.8.0-openjdk-headless is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636008
        • AND
          • comment java-1.8.0-openjdk-headless-debug is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180043
          • comment java-1.8.0-openjdk-headless-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919006
        • AND
          • comment java-1.8.0-openjdk-javadoc is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180052
          • comment java-1.8.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636014
        • AND
          • comment java-1.8.0-openjdk-javadoc-debug is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180049
          • comment java-1.8.0-openjdk-javadoc-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919028
        • AND
          • comment java-1.8.0-openjdk-javadoc-zip is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180050
          • comment java-1.8.0-openjdk-javadoc-zip is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20170180051
        • AND
          • comment java-1.8.0-openjdk-javadoc-zip-debug is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180047
          • comment java-1.8.0-openjdk-javadoc-zip-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20170180048
        • AND
          • comment java-1.8.0-openjdk-src is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180033
          • comment java-1.8.0-openjdk-src is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20141636010
        • AND
          • comment java-1.8.0-openjdk-src-debug is earlier than 1:1.8.0.121-0.b13.el7_3
            oval oval:com.redhat.rhsa:tst:20170180044
          • comment java-1.8.0-openjdk-src-debug is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20151919022
    rhsa
    id RHSA-2017:0180
    released 2017-01-20
    severity Critical
    title RHSA-2017:0180: java-1.8.0-openjdk security update (Critical)
  • bugzilla
    id 1413955
    title CVE-2017-3241 OpenJDK: untrusted input deserialization in RMI registry and DCG (RMI, 8156802)
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhsa:tst:20070055001
      • OR
        • AND
          • comment java-1.7.0-openjdk is earlier than 1:1.7.0.131-2.6.9.0.el5_11
            oval oval:com.redhat.rhsa:tst:20170269008
          • comment java-1.7.0-openjdk is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130165017
        • AND
          • comment java-1.7.0-openjdk-demo is earlier than 1:1.7.0.131-2.6.9.0.el5_11
            oval oval:com.redhat.rhsa:tst:20170269004
          • comment java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130165025
        • AND
          • comment java-1.7.0-openjdk-devel is earlier than 1:1.7.0.131-2.6.9.0.el5_11
            oval oval:com.redhat.rhsa:tst:20170269006
          • comment java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130165023
        • AND
          • comment java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.131-2.6.9.0.el5_11
            oval oval:com.redhat.rhsa:tst:20170269010
          • comment java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130165021
        • AND
          • comment java-1.7.0-openjdk-src is earlier than 1:1.7.0.131-2.6.9.0.el5_11
            oval oval:com.redhat.rhsa:tst:20170269002
          • comment java-1.7.0-openjdk-src is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130165019
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhsa:tst:20100842001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhsa:tst:20100842002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20100842003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20100842004
      • OR
        • AND
          • comment java-1.7.0-openjdk is earlier than 1:1.7.0.131-2.6.9.0.el6_8
            oval oval:com.redhat.rhsa:tst:20170269018
          • comment java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009006
        • AND
          • comment java-1.7.0-openjdk-demo is earlier than 1:1.7.0.131-2.6.9.0.el6_8
            oval oval:com.redhat.rhsa:tst:20170269020
          • comment java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009010
        • AND
          • comment java-1.7.0-openjdk-devel is earlier than 1:1.7.0.131-2.6.9.0.el6_8
            oval oval:com.redhat.rhsa:tst:20170269016
          • comment java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009008
        • AND
          • comment java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.131-2.6.9.0.el6_8
            oval oval:com.redhat.rhsa:tst:20170269024
          • comment java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009012
        • AND
          • comment java-1.7.0-openjdk-src is earlier than 1:1.7.0.131-2.6.9.0.el6_8
            oval oval:com.redhat.rhsa:tst:20170269022
          • comment java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009014
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhsa:tst:20140675001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhsa:tst:20140675002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20140675003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20140675004
      • OR
        • AND
          • comment java-1.7.0-openjdk is earlier than 1:1.7.0.131-2.6.9.0.el7_3
            oval oval:com.redhat.rhsa:tst:20170269037
          • comment java-1.7.0-openjdk is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009006
        • AND
          • comment java-1.7.0-openjdk-accessibility is earlier than 1:1.7.0.131-2.6.9.0.el7_3
            oval oval:com.redhat.rhsa:tst:20170269033
          • comment java-1.7.0-openjdk-accessibility is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140675018
        • AND
          • comment java-1.7.0-openjdk-demo is earlier than 1:1.7.0.131-2.6.9.0.el7_3
            oval oval:com.redhat.rhsa:tst:20170269030
          • comment java-1.7.0-openjdk-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009010
        • AND
          • comment java-1.7.0-openjdk-devel is earlier than 1:1.7.0.131-2.6.9.0.el7_3
            oval oval:com.redhat.rhsa:tst:20170269035
          • comment java-1.7.0-openjdk-devel is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009008
        • AND
          • comment java-1.7.0-openjdk-headless is earlier than 1:1.7.0.131-2.6.9.0.el7_3
            oval oval:com.redhat.rhsa:tst:20170269031
          • comment java-1.7.0-openjdk-headless is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20140675012
        • AND
          • comment java-1.7.0-openjdk-javadoc is earlier than 1:1.7.0.131-2.6.9.0.el7_3
            oval oval:com.redhat.rhsa:tst:20170269038
          • comment java-1.7.0-openjdk-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009012
        • AND
          • comment java-1.7.0-openjdk-src is earlier than 1:1.7.0.131-2.6.9.0.el7_3
            oval oval:com.redhat.rhsa:tst:20170269036
          • comment java-1.7.0-openjdk-src is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20121009014
    rhsa
    id RHSA-2017:0269
    released 2017-02-13
    severity Critical
    title RHSA-2017:0269: java-1.7.0-openjdk security update (Critical)
  • rhsa
    id RHSA-2017:0175
  • rhsa
    id RHSA-2017:0176
  • rhsa
    id RHSA-2017:0263
  • rhsa
    id RHSA-2017:0336
  • rhsa
    id RHSA-2017:0337
  • rhsa
    id RHSA-2017:1216
rpms
  • java-1.8.0-openjdk-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-debug-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-demo-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-devel-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-headless-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-javadoc-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-src-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-src-debug-1:1.8.0.121-0.b13.el6_8
  • java-1.8.0-openjdk-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-accessibility-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-accessibility-debug-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-debug-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-demo-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-demo-debug-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-devel-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-devel-debug-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-headless-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-headless-debug-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-javadoc-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-javadoc-debug-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-javadoc-zip-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-javadoc-zip-debug-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-src-1:1.8.0.121-0.b13.el7_3
  • java-1.8.0-openjdk-src-debug-1:1.8.0.121-0.b13.el7_3
  • java-1.7.0-openjdk-1:1.7.0.131-2.6.9.0.el5_11
  • java-1.7.0-openjdk-demo-1:1.7.0.131-2.6.9.0.el5_11
  • java-1.7.0-openjdk-devel-1:1.7.0.131-2.6.9.0.el5_11
  • java-1.7.0-openjdk-javadoc-1:1.7.0.131-2.6.9.0.el5_11
  • java-1.7.0-openjdk-src-1:1.7.0.131-2.6.9.0.el5_11
  • java-1.7.0-openjdk-1:1.7.0.131-2.6.9.0.el6_8
  • java-1.7.0-openjdk-demo-1:1.7.0.131-2.6.9.0.el6_8
  • java-1.7.0-openjdk-devel-1:1.7.0.131-2.6.9.0.el6_8
  • java-1.7.0-openjdk-javadoc-1:1.7.0.131-2.6.9.0.el6_8
  • java-1.7.0-openjdk-src-1:1.7.0.131-2.6.9.0.el6_8
  • java-1.7.0-openjdk-1:1.7.0.131-2.6.9.0.el7_3
  • java-1.7.0-openjdk-accessibility-1:1.7.0.131-2.6.9.0.el7_3
  • java-1.7.0-openjdk-demo-1:1.7.0.131-2.6.9.0.el7_3
  • java-1.7.0-openjdk-devel-1:1.7.0.131-2.6.9.0.el7_3
  • java-1.7.0-openjdk-headless-1:1.7.0.131-2.6.9.0.el7_3
  • java-1.7.0-openjdk-javadoc-1:1.7.0.131-2.6.9.0.el7_3
  • java-1.7.0-openjdk-src-1:1.7.0.131-2.6.9.0.el7_3
refmap via4
bid 95525
confirm
debian DSA-3782
gentoo
  • GLSA-201701-65
  • GLSA-201707-01
sectrack 1037637
Last major update 10-02-2017 - 21:59
Published 27-01-2017 - 17:59
Last modified 04-01-2018 - 21:31
Back to Top