Rapid7 Vulnerability & Exploit Database

RHSA-2016:0049: java-1.8.0-openjdk security update

Back to Search

RHSA-2016:0049: java-1.8.0-openjdk security update

Severity
10
CVSS
(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published
01/08/2016
Created
07/25/2018
Added
01/21/2016
Modified
03/21/2018

Description

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java RuntimeEnvironment and the OpenJDK 8 Java Software Development Kit.An out-of-bounds write flaw was found in the JPEG image format decoder inthe AWT component in OpenJDK. A specially crafted JPEG image could causea Java application to crash or, possibly execute arbitrary code. Anuntrusted Java application or applet could use this flaw to bypass Javasandbox restrictions. (CVE-2016-0483)An integer signedness issue was found in the font parsing code in the 2Dcomponent in OpenJDK. A specially crafted font file could possibly causethe Java Virtual Machine to execute arbitrary code, allowing an untrustedJava application or applet to bypass Java sandbox restrictions.(CVE-2016-0494)It was discovered that the password-based encryption (PBE) implementationin the Libraries component in OpenJDK used an incorrect key length. Thiscould, in certain cases, lead to generation of keys that were weaker thanexpected. (CVE-2016-0475)It was discovered that the JAXP component in OpenJDK did not properlyenforce the totalEntitySizeLimit limit. An attacker able to make a Javaapplication process a specially crafted XML file could use this flaw tomake the application consume an excessive amount of memory. (CVE-2016-0466)A flaw was found in the way TLS 1.2 could use the MD5 hash function forsigning ServerKeyExchange and Client Authentication packets during a TLShandshake. A man-in-the-middle attacker able to force a TLS connection touse the MD5 hash function could use this flaw to conduct collision attacksto impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575)Multiple flaws were discovered in the Networking and JMX components inOpenJDK. An untrusted Java application or applet could use these flaws tobypass certain Java sandbox restrictions. (CVE-2016-0402, CVE-2016-0448)Note: If the web browser plug-in provided by the icedtea-web package wasinstalled, the issues exposed via Java applets could have been exploitedwithout user interaction if a user visited a malicious website.Note: This update also disallows the use of the MD5 hash algorithm in thecertification path processing. The use of MD5 can be re-enabled by removingMD5 from the jdk.certpath.disabledAlgorithms security property defined inthe java.security file.All users of java-1.8.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.

Solution(s)

  • redhat-upgrade-java-1-8-0-openjdk
  • redhat-upgrade-java-1-8-0-openjdk-accessibility
  • redhat-upgrade-java-1-8-0-openjdk-accessibility-debug
  • redhat-upgrade-java-1-8-0-openjdk-debug
  • redhat-upgrade-java-1-8-0-openjdk-debuginfo
  • redhat-upgrade-java-1-8-0-openjdk-demo
  • redhat-upgrade-java-1-8-0-openjdk-demo-debug
  • redhat-upgrade-java-1-8-0-openjdk-devel
  • redhat-upgrade-java-1-8-0-openjdk-devel-debug
  • redhat-upgrade-java-1-8-0-openjdk-headless
  • redhat-upgrade-java-1-8-0-openjdk-headless-debug
  • redhat-upgrade-java-1-8-0-openjdk-javadoc
  • redhat-upgrade-java-1-8-0-openjdk-javadoc-debug
  • redhat-upgrade-java-1-8-0-openjdk-src
  • redhat-upgrade-java-1-8-0-openjdk-src-debug

References

  • redhat-upgrade-java-1-8-0-openjdk
  • redhat-upgrade-java-1-8-0-openjdk-accessibility
  • redhat-upgrade-java-1-8-0-openjdk-accessibility-debug
  • redhat-upgrade-java-1-8-0-openjdk-debug
  • redhat-upgrade-java-1-8-0-openjdk-debuginfo
  • redhat-upgrade-java-1-8-0-openjdk-demo
  • redhat-upgrade-java-1-8-0-openjdk-demo-debug
  • redhat-upgrade-java-1-8-0-openjdk-devel
  • redhat-upgrade-java-1-8-0-openjdk-devel-debug
  • redhat-upgrade-java-1-8-0-openjdk-headless
  • redhat-upgrade-java-1-8-0-openjdk-headless-debug
  • redhat-upgrade-java-1-8-0-openjdk-javadoc
  • redhat-upgrade-java-1-8-0-openjdk-javadoc-debug
  • redhat-upgrade-java-1-8-0-openjdk-src
  • redhat-upgrade-java-1-8-0-openjdk-src-debug

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;