Rapid7 Vulnerability & Exploit Database

RHSA-2014:0889: java-1.7.0-openjdk security update

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.

It was discovered that the Hotspot component in OpenJDK did not properly verify bytecode from the class files. An untrusted Java application or applet could possibly use these flaws to bypass Java sandbox restrictions. (CVE-2014-4216, CVE-2014-4219)

A format string flaw was discovered in the Hotspot component event logger in OpenJDK. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine or, potentially, execute arbitrary code with the privileges of the Java Virtual Machine. (CVE-2014-2490)

Multiple improper permission check issues were discovered in the Libraries component in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2014-4223, CVE-2014-4262, CVE-2014-2483)

Multiple flaws were discovered in the JMX, Libraries, Security, and Serviceability components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2014-4209, CVE-2014-4218, CVE-2014-4221, CVE-2014-4252, CVE-2014-4266)

It was discovered that the RSA algorithm in the Security component in OpenJDK did not sufficiently perform blinding while performing operations that were using private keys. An attacker able to measure timing differences of those operations could possibly leak information about the used keys. (CVE-2014-4244)

The Diffie-Hellman (DH) key exchange algorithm implementation in the Security component in OpenJDK failed to validate public DH parameters properly. This could cause OpenJDK to accept and use weak parameters, allowing an attacker to recover the negotiated key. (CVE-2014-4263)

The CVE-2014-4262 issue was discovered by Florian Weimer of Red Hat Product Security.

Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.

All users of java-1.7.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
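As an added illustration of the DH parameter validation that the CVE-2014-4263 paragraph says was missing (example code written for this page, not OpenJDK's implementation), the following Python applies the checks a DH implementation should run on a peer-supplied group (p, g) and public value y before deriving a key: p must be a safe prime, g must generate the prime-order subgroup, and y must lie in [2, p-2] and in that subgroup. The tiny group P = 1019, G = 4 and all function names are constructed for the example; real deployments use 2048-bit or larger groups.

```python
"""Diffie-Hellman parameter and public-value validation.

Added example, not OpenJDK code: these are the checks a DH implementation
should apply to peer-supplied parameters (p, g) and to the peer's public
value y before deriving a shared key, so weak or degenerate inputs are
rejected instead of silently used. The group is tiny so the example runs
instantly; P, G and all names here are constructed for illustration.
"""
import secrets

P = 1019            # constructed safe prime: 1019 = 2 * 509 + 1
Q = (P - 1) // 2    # prime order of the subgroup honest public values live in
G = 4               # 2**2 is a quadratic residue, so it generates the order-Q subgroup


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0                      # write n - 1 = d * 2**s with d odd
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                  # a is a witness: n is composite
    return True


def validate_group(p: int, g: int) -> list[str]:
    """Return the reasons (p, g) is unacceptable; an empty list means OK."""
    problems = []
    if not is_probable_prime(p):
        return ["p is not prime"]
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("p is not a safe prime ((p-1)/2 is composite)")
    if not 1 < g < p - 1:
        problems.append("g is outside the range (1, p-1)")
    elif pow(g, q, p) != 1:
        problems.append("g does not generate the order-q subgroup")
    return problems


def validate_public_value(p: int, q: int, y: int) -> list[str]:
    """Full public-key validation of a peer's value y for the group (p, q)."""
    if not 2 <= y <= p - 2:
        # Rejects 0, 1 and p-1 (order 1 or 2) and anything not reduced mod p.
        return ["y is outside the range [2, p-2]"]
    if pow(y, q, p) != 1:
        # y is not in the prime-order subgroup the honest peer must use.
        return ["y is not in the order-q subgroup"]
    return []


def generate_keypair(p: int, g: int) -> tuple[int, int]:
    """Private exponent x in [1, q-1] and public value g**x mod p."""
    q = (p - 1) // 2
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)


def derive_shared_secret(p: int, g: int, private_x: int, peer_y: int) -> int:
    """Validate group and peer value, then compute peer_y**x mod p."""
    problems = validate_group(p, g) + validate_public_value(p, (p - 1) // 2, peer_y)
    if problems:
        raise ValueError("; ".join(problems))
    return pow(peer_y, private_x, p)


def demo() -> dict:
    """Honest exchange succeeds; degenerate peer values are refused."""
    xa, ya = generate_keypair(P, G)
    xb, yb = generate_keypair(P, G)
    ka = derive_shared_secret(P, G, xa, yb)
    kb = derive_shared_secret(P, G, xb, ya)
    rejected = {}
    for bad_y in (0, 1, P - 1, P):
        try:
            derive_shared_secret(P, G, xa, bad_y)
        except ValueError as err:
            rejected[bad_y] = str(err)
    return {"keys_match": ka == kb, "rejected": rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The range check alone already stops the classic degenerate values (0, 1 and p-1), which force the shared secret to a value an observer can predict; the subgroup check is what catches a peer that supplies a value outside the prime-order group, and the safe-prime check is what stops a peer-chosen p whose group has small subgroups in the first place.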


  • redhat-upgrade-java-1-7-0-openjdk
  • redhat-upgrade-java-1-7-0-openjdk-accessibility
  • redhat-upgrade-java-1-7-0-openjdk-debuginfo
  • redhat-upgrade-java-1-7-0-openjdk-demo
  • redhat-upgrade-java-1-7-0-openjdk-devel
  • redhat-upgrade-java-1-7-0-openjdk-headless
  • redhat-upgrade-java-1-7-0-openjdk-javadoc
  • redhat-upgrade-java-1-7-0-openjdk-src
