ESB-2017.2095 - [Ubuntu] openjdk: Multiple vulnerabilities 2017-08-22

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2095
                         OpenJDK 7 vulnerabilities
                              22 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openjdk
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Access Privileged Data          -- Remote with User Interaction
                   Modify Arbitrary Files          -- Remote with User Interaction
                   Delete Arbitrary Files          -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated      
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Unauthorised Access             -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-10243 CVE-2017-10176 CVE-2017-10135
                   CVE-2017-10118 CVE-2017-10116 CVE-2017-10115
                   CVE-2017-10110 CVE-2017-10109 CVE-2017-10108
                   CVE-2017-10107 CVE-2017-10102 CVE-2017-10101
                   CVE-2017-10096 CVE-2017-10090 CVE-2017-10089
                   CVE-2017-10087 CVE-2017-10081 CVE-2017-10074
                   CVE-2017-10067 CVE-2017-10053 

Reference:         ESB-2017.2038
                   ESB-2017.2023
                   ESB-2017.1858
                   ESB-2017.1837

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3396-1

--------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3396-1
August 18, 2017

openjdk-7 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in OpenJDK 7.

Software Description:
- openjdk-7: Open Source Java implementation

Details:

It was discovered that the JPEGImageReader class in OpenJDK would
incorrectly read unused image data. An attacker could use this to specially
construct a JPEG image file that, when opened by a Java application, would
cause a denial of service. (CVE-2017-10053)

It was discovered that the JAR verifier in OpenJDK did not properly handle
archives containing files missing digests. An attacker could use this to
modify the signed contents of a JAR file. (CVE-2017-10067)

It was discovered that integer overflows existed in the Hotspot component
of OpenJDK when generating range check loop predicates. An attacker could
use this to specially construct an untrusted Java application or applet
that could escape sandbox restrictions and cause a denial of service or
possibly execute arbitrary code. (CVE-2017-10074)

It was discovered that OpenJDK did not properly process parentheses in
function signatures. An attacker could use this to specially construct an
untrusted Java application or applet that could escape sandbox
restrictions. (CVE-2017-10081)

It was discovered that the ThreadPoolExecutor class in OpenJDK did not
properly perform access control checks when cleaning up threads. An
attacker could use this to specially construct an untrusted Java
application or applet that could escape sandbox restrictions and possibly
execute arbitrary code. (CVE-2017-10087)

It was discovered that the ServiceRegistry implementation in OpenJDK did
not perform access control checks in certain situations. An attacker could
use this to specially construct an untrusted Java application or applet
that could escape sandbox restrictions. (CVE-2017-10089)

It was discovered that the channel groups implementation in OpenJDK did not
properly perform access control checks in some situations. An attacker
could use this to specially construct an untrusted Java application or
applet that could escape sandbox restrictions. (CVE-2017-10090)

It was discovered that the DTM exception handling code in the JAXP
component of OpenJDK did not properly perform access control checks. An
attacker could use this to specially construct an untrusted Java
application or applet that could escape sandbox restrictions.
(CVE-2017-10096)

It was discovered that the JAXP component of OpenJDK incorrectly granted
access to some internal resolvers. An attacker could use this to specially
construct an untrusted Java application or applet that could escape sandbox
restrictions. (CVE-2017-10101)

It was discovered that the Distributed Garbage Collector (DGC) in OpenJDK
did not properly track references in some situations. A remote attacker
could possibly use this to execute arbitrary code. (CVE-2017-10102)

It was discovered that the Activation ID implementation in the RMI
component of OpenJDK did not properly check access control permissions in
some situations. An attacker could use this to specially construct an
untrusted Java application or applet that could escape sandbox
restrictions. (CVE-2017-10107)

It was discovered that the BasicAttribute class in OpenJDK did not properly
bound memory allocation when de-serializing objects. An attacker could use
this to cause a denial of service (memory consumption). (CVE-2017-10108)

It was discovered that the CodeSource class in OpenJDK did not properly
bound memory allocations when de-serializing object instances. An attacker
could use this to cause a denial of service (memory consumption).
(CVE-2017-10109)

It was discovered that the AWT ImageWatched class in OpenJDK did not
properly perform access control checks. An attacker could use this to
specially construct an untrusted Java application or applet that could
escape sandbox restrictions. (CVE-2017-10110)

It was discovered that a timing side-channel vulnerability existed in the
DSA implementation in OpenJDK. An attacker could use this to expose
sensitive information. (CVE-2017-10115)

It was discovered that the LDAP implementation in OpenJDK incorrectly
followed references to non-LDAP URLs. An attacker could use this to
specially craft an LDAP referral URL that exposes sensitive information or
bypasses access restrictions. (CVE-2017-10116)

It was discovered that a timing side-channel vulnerability existed in the
ECDSA implementation in OpenJDK. An attacker could use this to expose
sensitive information. (CVE-2017-10118)

Ilya Maykov discovered that a timing side-channel vulnerability existed in
the PKCS#8 implementation in OpenJDK. An attacker could use this to expose
sensitive information. (CVE-2017-10135)

It was discovered that the Elliptic Curve (EC) implementation in OpenJDK
did not properly compute certain elliptic curve points. An attacker could
use this to expose sensitive information. (CVE-2017-10176)

It was discovered that OpenJDK did not properly perform access control
checks when handling Web Service Definition Language (WSDL) XML documents.
An attacker could use this to expose sensitive information.
(CVE-2017-10243)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  icedtea-7-jre-jamvm             7u151-2.6.11-0ubuntu1.14.04.1
  openjdk-7-jre                   7u151-2.6.11-0ubuntu1.14.04.1
  openjdk-7-jre-headless          7u151-2.6.11-0ubuntu1.14.04.1
  openjdk-7-jre-lib               7u151-2.6.11-0ubuntu1.14.04.1
  openjdk-7-jre-zero              7u151-2.6.11-0ubuntu1.14.04.1

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.
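As an added example (not part of the Ubuntu notice or the AusCERT bulletin), the following Python check reports which of the packages listed above are still installed below the fixed version on a 14.04 host; it re-implements dpkg's version ordering in pure Python so it also runs where dpkg is absent. It assumes dpkg-query output in the `${Package} ${Version} ${Status}` format named in the code, and the sample input is constructed rather than captured from a real system.

```python
import re
from itertools import zip_longest
# Fixed versions for Ubuntu 14.04 LTS, exactly as listed in the bulletin.
FIXED = dict.fromkeys(
    ["icedtea-7-jre-jamvm", "openjdk-7-jre", "openjdk-7-jre-headless",
     "openjdk-7-jre-lib", "openjdk-7-jre-zero"], "7u151-2.6.11-0ubuntu1.14.04.1")

def _weight(c):
    # dpkg character ordering: '~' < end of string = digit < letter < other symbol.
    if c == "~":
        return -1
    return 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # dpkg's verrevcmp: alternate non-digit runs (by weight) and digit runs (numerically).
    ta, tb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (na, da), (nb, db) in zip_longest(ta, tb, fillvalue=("", "")):
        for ca, cb in zip_longest(na, nb, fillvalue=""):
            if _weight(ca) != _weight(cb):
                return _weight(ca) - _weight(cb)
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(a, b):
    # Same verdict as `dpkg --compare-versions`: -1 (a older), 0 (equal), 1 (a newer).
    def split(v):  # [epoch:]upstream[-revision]; the revision follows the last '-'
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    r = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def vulnerable_packages(dpkg_query_output):
    # Bulletin packages installed below the fixed version (removed ones left as config-files are skipped).
    found = []
    for line in dpkg_query_output.splitlines():
        parts = line.split()  # "<package> <version> <status words...>"
        if len(parts) >= 3 and parts[0] in FIXED and parts[-1] == "installed":
            if compare_versions(parts[1], FIXED[parts[0]]) < 0:
                found.append(parts[0])
    return found

# Constructed `dpkg-query -W -f='${Package} ${Version} ${Status}\n'` output (not from a real host).
SAMPLE = """\
icedtea-7-jre-jamvm 7u131-2.6.9-0ubuntu0.14.04.2 install ok installed
openjdk-7-jre 7u151-2.6.11-0ubuntu1.14.04.1 install ok installed
openjdk-7-jre-lib 7u131-2.6.9-0ubuntu0.14.04.2 deinstall ok config-files
"""
```

On a real host, pipe the output of the dpkg-query command in the comment into `vulnerable_packages`; an empty list means every bulletin package present is at or above the fixed version.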

References:
  https://www.ubuntu.com/usn/usn-3396-1
  CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10081,
  CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096,
  CVE-2017-10101, CVE-2017-10102, CVE-2017-10107, CVE-2017-10108,
  CVE-2017-10109, CVE-2017-10110, CVE-2017-10115, CVE-2017-10116,
  CVE-2017-10118, CVE-2017-10135, CVE-2017-10176, CVE-2017-10243

Package Information:
  https://launchpad.net/ubuntu/+source/openjdk-7/7u151-2.6.11-0ubuntu1.14.04.1

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================