Vulnerability & Exploit Database

Back to search

RHSA-2016:0054: java-1.7.0-openjdk security update

Severity CVSS Published Added Modified
10 (AV:N/AC:L/Au:N/C:C/I:C/A:C) October 21, 2015 January 25, 2016 March 21, 2018


The java-1.7.0-openjdk packages provide the OpenJDK 7 Java RuntimeEnvironment and the OpenJDK 7 Java Software Development Kit.An out-of-bounds write flaw was found in the JPEG image format decoder inthe AWT component in OpenJDK. A specially crafted JPEG image could causea Java application to crash or, possibly execute arbitrary code. Anuntrusted Java application or applet could use this flaw to bypass Javasandbox restrictions. (CVE-2016-0483)An integer signedness issue was found in the font parsing code in the 2Dcomponent in OpenJDK. A specially crafted font file could possibly causethe Java Virtual Machine to execute arbitrary code, allowing an untrustedJava application or applet to bypass Java sandbox restrictions.(CVE-2016-0494)It was discovered that the JAXP component in OpenJDK did not properlyenforce the totalEntitySizeLimit limit. An attacker able to make a Javaapplication process a specially crafted XML file could use this flaw tomake the application consume an excessive amount of memory. (CVE-2016-0466)A flaw was found in the way TLS 1.2 could use the MD5 hash function forsigning ServerKeyExchange and Client Authentication packets during a TLShandshake. A man-in-the-middle attacker able to force a TLS connection touse the MD5 hash function could use this flaw to conduct collision attacksto impersonate a TLS server or an authenticated TLS client. (CVE-2015-7575)Multiple flaws were discovered in the Libraries, Networking, and JMXcomponents in OpenJDK. An untrusted Java application or applet could usethese flaws to bypass certain Java sandbox restrictions. (CVE-2015-4871,CVE-2016-0402, CVE-2016-0448)Note: This update also disallows the use of the MD5 hash algorithm in thecertification path processing. The use of MD5 can be re-enabled by removingMD5 from the jdk.certpath.disabledAlgorithms security property defined inthe file.All users of java-1.7.0-openjdk are advised to upgrade to these updatedpackages, which resolve these issues. All running instances of OpenJDK Javamust be restarted for the update to take effect.

Scan For This Vulnerability

Use our top-rated tool to discover, prioritize, and remediate your vulnerabilities

 Free InsightVM Trial




Related Vulnerabilities