Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3465
Important: java-1.8.0-ibm security update
12 September 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: java-1.8.0-ibm
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux WS/Desktop 6
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Overwrite Arbitrary Files -- Remote/Unauthenticated
Create Arbitrary Files -- Remote/Unauthenticated
Delete Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-11775 CVE-2019-11772 CVE-2019-7317
CVE-2019-2816 CVE-2019-2786 CVE-2019-2769
CVE-2019-2762
Original Bulletin:
https://access.redhat.com/errata/RHSA-2019:2737
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: java-1.8.0-ibm security update
Advisory ID: RHSA-2019:2737-01
Product: Red Hat Satellite
Advisory URL: https://access.redhat.com/errata/RHSA-2019:2737
Issue date: 2019-09-11
CVE Names: CVE-2019-2762 CVE-2019-2769 CVE-2019-2786
CVE-2019-2816 CVE-2019-7317 CVE-2019-11772
CVE-2019-11775
=====================================================================
1. Summary:
An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Satellite 5.8 (RHEL v.6) - s390x, x86_64
3. Description:
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.
This update upgrades IBM Java SE 8 to version 8 SR5-FP40.
Security Fix(es):
* IBM JDK: Out-of-bounds access in the String.getBytes method
(CVE-2019-11772)
* IBM JDK: Failure to privatize a value pulled out of the loop by
versioning (CVE-2019-11775)
* OpenJDK: Insufficient checks of suppressed exceptions in deserialization
(Utilities, 8212328) (CVE-2019-2762)
* OpenJDK: Unbounded memory allocation during deserialization in
Collections (Utilities, 8213432) (CVE-2019-2769)
* OpenJDK: Missing URL format validation (Networking, 8221518)
(CVE-2019-2816)
* OpenJDK: Insufficient restriction of privileges in AccessController
(Security, 8216381) (CVE-2019-2786)
* libpng: use-after-free in png_image_free in png.c (CVE-2019-7317)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1672409 - CVE-2019-7317 libpng: use-after-free in png_image_free in png.c
1730056 - CVE-2019-2769 OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432)
1730099 - CVE-2019-2816 OpenJDK: Missing URL format validation (Networking, 8221518)
1730255 - CVE-2019-2786 OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381)
1730415 - CVE-2019-2762 OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328)
1738547 - CVE-2019-11772 IBM JDK: Out-of-bounds access in the String.getBytes method
1738549 - CVE-2019-11775 IBM JDK: Failure to privatize a value pulled out of the loop by versioning
6. Package List:
Red Hat Satellite 5.8 (RHEL v.6):
s390x:
java-1.8.0-ibm-1.8.0.5.40-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.5.40-1jpp.1.el6_10.s390x.rpm
x86_64:
java-1.8.0-ibm-1.8.0.5.40-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.5.40-1jpp.1.el6_10.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-2762
https://access.redhat.com/security/cve/CVE-2019-2769
https://access.redhat.com/security/cve/CVE-2019-2786
https://access.redhat.com/security/cve/CVE-2019-2816
https://access.redhat.com/security/cve/CVE-2019-7317
https://access.redhat.com/security/cve/CVE-2019-11772
https://access.redhat.com/security/cve/CVE-2019-11775
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXXkN19zjgjWX9erEAQh/fg/9HFMBddvgH3NO7oY+Of9OO2bPeS8/P6BF
LaupsMXf16Y8KZkFfOt6Gd2jFkXKkfhaRtF0fXzy95cl2UR9Rbhy3iU8Lscw954f
MoLTXSsRLXYiu7FI78ZJhYKxskipJw9WWVnxNb5Agxkh+tuTQ1xWgL2n3XD9fpxr
9+S2h2Btau3I4VPVSECmgjat7j5wTZun2B4ptKThTWk8zMs79ZfuFugkXbvcD1kp
6ZQt4JtAmtQsKH9rCXsc9mPRea/XTBd5zZs28Gty7XVfSjgNSAG+hiQTcIKTN+Yg
zfvEFvj6r+vGN5gekVc2BktMN2RdRusH45uj3Mk73gHRD883gB8Vndt0KRXRlTef
Ghe3tD4c3RLyQdYhORmkNVp5jtMtGDoGNO8VpBXdWXjGpi/RzS/3LlKX3inZ+b6U
8KnnO50YkdMV7J37ll+RdrS93IBXqRstzpnwUZ48J5zBff5MAa/1ZDDuDpsefXz/
JEIjEZ+DEiMFllKDD1E48nsI8Cz03Y5m5Lj5MloNdxda6ZAzRNTOsL2caoDiSz+R
CioMmOSs4NW870hGSzA6O239OIA3IYMhuucLiYu8rh67rBrwA27fIt0cNcR+Ixsw
bR3M52/LZdJzx6aV4Z5pDAj2dbuYzvUE9Y5Upk51mCl94bA7OmRV3oLn62B32SsB
mbahXGlbEcQ=
=jy51
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXXmO9WaOgq3Tt24GAQirLQ//dkQ1xJMHwzsjJekjApp3CZL8kFaqybE5
KEQCErFAKSXuve4syjmBkc0XKxhHFWvKTwFBK6tU+trpvVroOiws1V/1K9GVdKw/
FXsaCWtrltYTkIMkiUIeDHoxabQjJ/ZaffgSrsPRh06jRDJ9JKnvzIV2Sihlg4O0
ROvNJv3oKnGVkAToygYSoKnJgm3MpguudMr0kAfBaLGbsAGIsXsvuuoQfzvZZFEJ
Gfq7urNrqkwI7oUo2w9O+wLD1wfxlfYu85bMCF9xtqfh+UoVoI1MPp+QQ50haR9e
xBlfbVkr7lJQpPeXcKZVJzVxrRuOoIHSHlm+Iq+V8ycztdzcfJ6pyhRIDOQF22hf
5OZLW6hORBAXJm59gB0q1y30i5h3hfArCL3DQ17iycKAjKFaKtO0zYcpuOJ2QFUb
kynlI9o2JOabCqnaYa0swQQZXepWN9bhJXKlbFvJLq8h0oagC8/um0Q4y2pt/GOH
3XQroX6Q6Z4TGsYthO+ljbsllu7q3vwneWXb59xf1PquWwhy1/j6xzCtvEIoJIGi
hDOFhmDMu30RxwfDN6+xZSEpMLmt7nSjFOFKXRfveZGTEsws9juXgTZWriy0FFY8
MxDAv03u1phfCrm1HzfFAKWFRYKzMD8qyGKXFOEq1R8z95iRHRYjxu7aPL1l05bm
b9zi7zXntYY=
=uLwT
-----END PGP SIGNATURE-----