Vulnerability & Exploit Database

Back to search

RHSA-2016:0050: java-1.8.0-openjdk security update

Severity CVSS Published Added Modified
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) January 08, 2016 January 25, 2016 March 21, 2018

Description

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java RuntimeEnvironment and the OpenJDK 8 Java Software Development Kit.An out-of-bounds write flaw was found in the JPEG image format decoder inthe AWT component in OpenJDK. A specially crafted JPEG image could causea Java application to crash or, possibly execute arbitrary code. Anuntrusted Java application or applet could use this flaw to bypass Javasandbox restrictions. (CVE-2016-0483)An integer signedness issue was found in the font parsing code in the 2Dcomponent in OpenJDK. A specially crafted font file could possibly causethe Java Virtual Machine to execute arbitrary code, allowing an untrustedJava application or applet to bypass Java sandbox restrictions.(CVE-2016-0494)It was discovered that the password-based encryption (PBE) implementationin the Libraries component in OpenJDK used an incorrect key length. Thiscould, in certain cases, lead to generation of keys that were weaker thanexpected. (CVE-2016-0475)It was discovered that the JAXP component in OpenJDK did not properlyenforce the totalEntitySizeLimit limit. An attacker able to make a Javaapplication process a specially crafted XML file could use this flaw tomake the application consume an excessive amount of memory. (CVE-2016-0466)A flaw was found in the way TLS 1.2 could use the MD5 hash function forsigning ServerKeyExchange and Client Authentication packets during a TLShandshake. A man-in-the-middle attacker able to force a TLS connection touse the MD5 hash function could use this flaw to conduct collision attacksto impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575)Multiple flaws were discovered in the Networking and JMX components inOpenJDK. An untrusted Java application or applet could use these flaws tobypass certain Java sandbox restrictions. (CVE-2016-0402, CVE-2016-0448)Note: This update also disallows the use of the MD5 hash algorithm in thecertification path processing. The use of MD5 can be re-enabled by removingMD5 from the jdk.certpath.disabledAlgorithms security property defined inthe java.security file.All users of java-1.8.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.

Scan For This Vulnerability

Use our top-rated tool to discover, prioritize, and remediate your vulnerabilities

 Free InsightVM Trial

References

Solution Reference

Java Security Update

Solution

redhat-upgrade-java-1-8-0-openjdk

Related Vulnerabilities