-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2767
                    Moderate: java security updates
                             18 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           java-1.7.1-ibm
                   java-1.8.0-ibm
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Read-only Data Access           -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12539 CVE-2018-2973 CVE-2018-2952 CVE-2018-2940
                   CVE-2018-1656 CVE-2018-1517 CVE-2017-3736 CVE-2017-3732
                   CVE-2016-0705
Reference:         ASB-2018.0197 ASB-2018.0169 ESB-2018.2204 ESB-2018.2131

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2018:2712
   https://access.redhat.com/errata/RHSA-2018:2713

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: java-1.7.1-ibm security update
Advisory ID:       RHSA-2018:2712-01
Product:           Red Hat Satellite
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2712
Issue date:        2018-09-17
CVE Names:         CVE-2018-1517 CVE-2018-1656 CVE-2018-2940 CVE-2018-2952
                   CVE-2018-2973 CVE-2018-12539
=====================================================================

1. Summary:

An update for java-1.7.1-ibm is now available for Red Hat Satellite 5.6 and
Red Hat Satellite 5.7.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Satellite 5.6 (RHEL v.6) - s390x, x86_64
Red Hat Satellite 5.7 (RHEL v.6) - s390x, x86_64

3. Description:

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and
the IBM Java Software Development Kit.

This update upgrades IBM Java SE 7 to version 7R1 SR4-FP30.

Security Fix(es):

* IBM JDK: privilege escalation via insufficiently restricted access to Attach
API (CVE-2018-12539)

* IBM JDK: DoS in the java.math component (CVE-2018-1517)

* IBM JDK: path traversal flaw in the Diagnostic Tooling Framework
(CVE-2018-1656)

* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and
10.0.2 (Libraries) (CVE-2018-2940)

* OpenJDK: insufficient index validation in PatternSyntaxException
getMessage() (Concurrency, 8199547) (CVE-2018-2952)

* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and
10.0.2 (JSSE) (CVE-2018-2973)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

For this update to take effect, Red Hat Satellite must be restarted
("/usr/sbin/rhn-satellite restart"). All running instances of IBM Java must be
restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1600925 - CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547)
1602145 - CVE-2018-2973 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE)
1602146 - CVE-2018-2940 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries)
1618767 - CVE-2018-12539 IBM JDK: privilege escalation via insufficiently restricted access to Attach API
1618869 - CVE-2018-1656 IBM JDK: path traversal flaw in the Diagnostic Tooling Framework
1618871 - CVE-2018-1517 IBM JDK: DoS in the java.math component

6. Package List:

Red Hat Satellite 5.6 (RHEL v.6):

s390x:
java-1.7.1-ibm-1.7.1.4.30-1jpp.2.el6_10.s390x.rpm
java-1.7.1-ibm-devel-1.7.1.4.30-1jpp.2.el6_10.s390x.rpm

x86_64:
java-1.7.1-ibm-1.7.1.4.30-1jpp.2.el6_10.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.4.30-1jpp.2.el6_10.x86_64.rpm

Red Hat Satellite 5.7 (RHEL v.6):

s390x:
java-1.7.1-ibm-1.7.1.4.30-1jpp.2.el6_10.s390x.rpm
java-1.7.1-ibm-devel-1.7.1.4.30-1jpp.2.el6_10.s390x.rpm

x86_64:
java-1.7.1-ibm-1.7.1.4.30-1jpp.2.el6_10.x86_64.rpm
java-1.7.1-ibm-devel-1.7.1.4.30-1jpp.2.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1517
https://access.redhat.com/security/cve/CVE-2018-1656
https://access.redhat.com/security/cve/CVE-2018-2940
https://access.redhat.com/security/cve/CVE-2018-2952
https://access.redhat.com/security/cve/CVE-2018-2973
https://access.redhat.com/security/cve/CVE-2018-12539
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW5+/o9zjgjWX9erEAQhIFQ/9EmElCefoIRx+nY8HYYAUgOuoAMyYUR/H
ty3nUdGain/DM8cfPXC8CnLiagFFdWOicPhUMW9PQu2xRYOMQJI2K1Dhmcee6P4c
h8dYPx92yv32kf3ETaqSGMz9s1ll2PwuMGGBTlD/kUqzOBG+q/QtvrFR20yJm5Ae
0e5y+zUaDPBJUHVWlYlt4cDON2Y9vUOgVhbx13swb9wXuXT9P/CvE7O0siVI06oV
eK7uKfH7XJwZWep2o+5SYTPwB/u9tWn3D37uNJgV3ZLRU9g1+si/ntG06rFpBR2f
rjMinhecUr++yaTpbGtq1Mv/s1/WJRRA8xD37VQs4M4NcMcSSYYplynGz8QqMxBu
vw7R2vZ9itK1hFk8HM5c6w/oAFV73aswlwkUPxkt28O3Whh3DsUCWssJP9onZSzK
y/i0bYmhB8X+1rMxnhbe/Zy3ItNrhItEolfceUtWdqFm3zuNFXiGeaa6nVGWGkzL
E9la2v/wB9X4AV/BjntSAugw4bzoKXwcWPMv6y6+4g0tvbIemPr5CV3wyuRh0s94
+dOPOtkutVhMm3c1g71Ae6TxI9aGaytJVR0bxHH3W+jALXmQEC2VWAs/1QAohCWK
5YrCWU+uUDPV5Y5YOB/9tE08Xjmikqib5WEqg8NAM81YSv+sZbLInnfvA1MjYETX
Vc/NZoN+PZk=
=smvf
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: java-1.8.0-ibm security update
Advisory ID:       RHSA-2018:2713-01
Product:           Red Hat Satellite
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2713
Issue date:        2018-09-17
CVE Names:         CVE-2016-0705 CVE-2017-3732 CVE-2017-3736 CVE-2018-1517
                   CVE-2018-1656 CVE-2018-2940 CVE-2018-2952 CVE-2018-2973
                   CVE-2018-12539
=====================================================================

1. Summary:

An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8.

Red Hat Product Security has rated this update as having a security impact of
Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Satellite 5.8 (RHEL v.6) - s390x, x86_64

3. Description:

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR5-FP20.

Security Fix(es):

* IBM JDK: privilege escalation via insufficiently restricted access to Attach
API (CVE-2018-12539)

* openssl: BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)

* openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)

* IBM JDK: DoS in the java.math component (CVE-2018-1517)

* IBM JDK: path traversal flaw in the Diagnostic Tooling Framework
(CVE-2018-1656)

* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and
10.0.2 (Libraries) (CVE-2018-2940)

* OpenJDK: insufficient index validation in PatternSyntaxException
getMessage() (Concurrency, 8199547) (CVE-2018-2952)

* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and
10.0.2 (JSSE) (CVE-2018-2973)

* OpenSSL: Double-free in DSA code (CVE-2016-0705)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in the
References section.

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-0705.
Upstream acknowledges Adam Langley (Google/BoringSSL) as the original reporter
of CVE-2016-0705.

4. Solution:

For details on how to apply this update, which includes the changes described
in this advisory, refer to:

https://access.redhat.com/articles/11258

For this update to take effect, Red Hat Satellite must be restarted
("/usr/sbin/rhn-satellite restart"). All running instances of IBM Java must be
restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1310596 - CVE-2016-0705 OpenSSL: Double-free in DSA code
1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64
1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64
1600925 - CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547)
1602145 - CVE-2018-2973 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE)
1602146 - CVE-2018-2940 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries)
1618767 - CVE-2018-12539 IBM JDK: privilege escalation via insufficiently restricted access to Attach API
1618869 - CVE-2018-1656 IBM JDK: path traversal flaw in the Diagnostic Tooling Framework
1618871 - CVE-2018-1517 IBM JDK: DoS in the java.math component

6. Package List:

Red Hat Satellite 5.8 (RHEL v.6):

s390x:
java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el6_10.s390x.rpm

x86_64:
java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-0705
https://access.redhat.com/security/cve/CVE-2017-3732
https://access.redhat.com/security/cve/CVE-2017-3736
https://access.redhat.com/security/cve/CVE-2018-1517
https://access.redhat.com/security/cve/CVE-2018-1656
https://access.redhat.com/security/cve/CVE-2018-2940
https://access.redhat.com/security/cve/CVE-2018-2952
https://access.redhat.com/security/cve/CVE-2018-2973
https://access.redhat.com/security/cve/CVE-2018-12539
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW5/AHdzjgjWX9erEAQg+hw//WsJgqQK6ShvKh5dX3ZPyw3BHMfK4arEn
2jBp1g/+/V/JW3aBb2DJ77NXT4gMGKk5ZdiAon1rkopTAylhrdRfYGHCV5MXNPvC
3KkhP14cjT7nus7j9AGpVmskw4RuqZgTiKvzf2bei9aMUXL/HAW8neh/nKXANDnS
WRWkGiGa1cqVdyrJLEqLMcU0JJJO3ogqTwkuH+PpdeQA51EBTA5ABv6h3ENzg62c
zHXPVZJonThECAVTuUNFutLNcM6fwIXHbnfgfHE3iPz8bZC3GF2xkcgcjJ+1twZI
MYJmZDfFjp1nRWXAuS+uyuVXVkgVhaIwhzog52A7mMzV+xVz/eCoaeUkP3bYmAKl
V/EpN8zhtCoUHYooUyOZ5OcKF6HqWLXqDnH4TEweNgJtBHRfr4jJCnmeD/w7Zj0Y
BVmmRZpF+8HrUO0CfF8iDYTwmB/0vnL1n4gnffZhKI9BRa5nV7ywfOXynRhvHIzz
lXuyxsQs4FAeJd3REqDixtptt68Zq4IL0m69q+i78/4MrNz7PpD7E5P5/Kn8UOls
wUAO8g2gHo1YORiBtsoggYrM2ida+k0lDYhxoPJkovD4YDjZIhIHqW7JsDZEKSeZ
OBRnahsduks5GtZ27xYd0sTsHHHXr5LCYSJQr7UXGIJg3DnzfzNOTPwCGgDSu8Hl
y4syJsg6LbE=
=Ter6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW6BmNmaOgq3Tt24GAQhKBhAAoqjspg175v6Utqq7dgnChqQiwSkhYqsA
WZjvG/Iow86uQtIIt0Xkd4ttcX20jlhkNJoDZ5iqq/hr+l4e8or/qoFR5Osk56iY
i/2J6q2o7ot7cnF7nQ2Jr57GPd45z5xivy3rQMAC9swy3JPkvFdgggUBBk7Brc2i
rmIXJfSmgWzsPw12LRs2K70AS46ShAL8hOivZWoio3b0ICrh8g1CMgwynemctW6a
Q1AZepkfxqcC7FLt+pTpcIF5R9P0ae4xGyzg7H87Bd1equshWUzRS+IAq4VOQZDk
51HOR7xVK6G1o6PNKuyMJrEHz9KBAyKBBRXvZkH0x39SDH5IJ6tB6sVsE3WtZVlb
2eCfKsvsa1opkgU3oqbG+FWcjVsTnsizne3auqmezufUQirkkJWo/2Z7SI0RRrI+
mu3PnyWZDTQId8CEwY5N9RG5QLcdKGYoACrXIG8UyhwPx9oEonf4sM6G2PCxeEa5
7/1iEZdheYf43wCv73Boiutd4NgxEzYVf7jmKW3URyir3XAmcJI6XmwcrwYPbY2i
GpERuDPAtk39IaQq7rmDJ4XL2+V6xg3iszJV5GughlnVOBShemwCjm3E4CBk519K
ElY2ZnEtqJV5FN9Wopia7tMONfwQB7BOPuIWCHczlf9UDOJ1YIJkMuGOmHSZ4ID/
TGIhVJ9jTfs=
=7KB5
-----END PGP SIGNATURE-----
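Editor's added example, not part of the AusCERT or Red Hat bulletins above: a small check that reads `rpm -qa` output and reports any java-1.7.1-ibm or java-1.8.0-ibm package still older than the fixed builds listed in section 6 of RHSA-2018:2712 and RHSA-2018:2713. The fixed name/version/release values are taken from those package lists; the `rpm -qa` lines embedded as sample input are constructed for the example; and the version comparison is a simplified reimplementation of rpm's segment-wise compare written for this example, not rpm's own code (it ignores epochs, which these packages do not carry, and rpm's `~`/`^` rules).

```python
import re
import sys

# Fixed builds from section 6 of RHSA-2018:2712 (Satellite 5.6/5.7) and
# RHSA-2018:2713 (Satellite 5.8): package name -> (version, release).
FIXED = {
    "java-1.7.1-ibm":       ("1.7.1.4.30", "1jpp.2.el6_10"),
    "java-1.7.1-ibm-devel": ("1.7.1.4.30", "1jpp.2.el6_10"),
    "java-1.8.0-ibm":       ("1.8.0.5.20", "1jpp.1.el6_10"),
    "java-1.8.0-ibm-devel": ("1.8.0.5.20", "1jpp.1.el6_10"),
}

# Constructed sample of `rpm -qa` output (not captured from a real host):
# an old JDK 7 runtime beside a current -devel, an old JDK 8 runtime, and an
# OpenJDK package the advisory does not cover.
SAMPLE_RPM_QA = """\
java-1.7.1-ibm-1.7.1.4.25-1jpp.1.el6_9.x86_64
java-1.7.1-ibm-devel-1.7.1.4.30-1jpp.2.el6_10.x86_64
java-1.8.0-ibm-1.8.0.5.17-1jpp.3.el6_9.x86_64
java-1.8.0-openjdk-1.8.0.181-3.b13.el6_10.x86_64
"""

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Simplified rpm version-segment compare; returns -1, 0 or 1.

    Splits on non-alphanumerics, compares digit runs numerically and letter
    runs lexically, ranks a digit segment above a letter segment, and ranks
    the longer segment list as newer. Epochs and rpm's '~'/'^' rules are not
    handled (none of the packages in this advisory use them).
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nvra(pkg):
    """Split 'name-version-release.arch' into its four parts.

    The name may contain dashes (java-1.7.1-ibm) but version and release never
    do, so splitting from the right is unambiguous.
    """
    nvr, arch = pkg.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def needs_update(rpm_qa_lines):
    """Return the installed NVRAs that are older than the advisory's fixed build."""
    stale = []
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, version, release, _arch = parse_nvra(line)
        fixed = FIXED.get(name)
        if fixed is None:
            continue  # not one of the packages these advisories cover
        # Version decides first; the release only matters on a version tie.
        cmp = rpmvercmp(version, fixed[0]) or rpmvercmp(release, fixed[1])
        if cmp < 0:
            stale.append(line)
    return stale


if __name__ == "__main__":
    # `python3 check.py -` reads rpm -qa output from stdin; with no argument
    # the constructed sample above is checked instead.
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_RPM_QA.splitlines()
    for pkg in needs_update(source):
        print("NEEDS UPDATE:", pkg)
```

On a real Satellite host, run `rpm -qa 'java-1.7.1-ibm*' 'java-1.8.0-ibm*' | python3 check.py -`. A clean result only means the fixed packages are installed: per section 4 of each advisory, Satellite and every running IBM Java process still have to be restarted, because a JVM that was started before the upgrade keeps executing the old code until it is relaunched.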