Rapid7 Vulnerability & Exploit Database

Ubuntu: USN-3275-3: OpenJDK 7 regression

Back to Search

Ubuntu: USN-3275-3: OpenJDK 7 regression

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
05/18/2017
Created
07/25/2018
Added
05/19/2017
Modified
07/09/2020

Description

USN-3275-2 fixed vulnerabilities in OpenJDK 7. Unfortunately, the update introduced a regression when handling TLS handshakes. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

It was discovered that OpenJDK improperly re-used cached NTLM connections in some situations. A remote attacker could possibly use this to cause a Java application to perform actions with the credentials of a different user. (CVE-2017-3509)

It was discovered that an untrusted library search path flaw existed in the Java Cryptography Extension (JCE) component of OpenJDK. A local attacker could possibly use this to gain the privileges of a Java application. (CVE-2017-3511)

It was discovered that the Java API for XML Processing (JAXP) component in OpenJDK did not properly enforce size limits when parsing XML documents. An attacker could use this to cause a denial of service (processor and memory consumption). (CVE-2017-3526)

It was discovered that the FTP client implementation in OpenJDK did not properly sanitize user inputs. If a user was tricked into opening a specially crafted FTP URL, a remote attacker could use this to manipulate the FTP connection. (CVE-2017-3533)

It was discovered that OpenJDK allowed MD5 to be used as an algorithm for JAR integrity verification. An attacker could possibly use this to modify the contents of a JAR file without detection. (CVE-2017-3539)

It was discovered that the SMTP client implementation in OpenJDK did not properly sanitize sender and recipient addresses. A remote attacker could use this to specially craft email addresses and gain control of a Java application's SMTP connections. (CVE-2017-3544)

Solution(s)

  • ubuntu-upgrade-icedtea-7-jre-jamvm
  • ubuntu-upgrade-openjdk-7-jre
  • ubuntu-upgrade-openjdk-7-jre-headless
  • ubuntu-upgrade-openjdk-7-jre-lib
  • ubuntu-upgrade-openjdk-7-jre-zero

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;