Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.3465 Important: java-1.8.0-ibm security update 12 September 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: java-1.8.0-ibm Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux WS/Desktop 6 Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Overwrite Arbitrary Files -- Remote/Unauthenticated Create Arbitrary Files -- Remote/Unauthenticated Delete Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-11775 CVE-2019-11772 CVE-2019-7317 CVE-2019-2816 CVE-2019-2786 CVE-2019-2769 CVE-2019-2762 Original Bulletin: https://access.redhat.com/errata/RHSA-2019:2737 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: java-1.8.0-ibm security update Advisory ID: RHSA-2019:2737-01 Product: Red Hat Satellite Advisory URL: https://access.redhat.com/errata/RHSA-2019:2737 Issue date: 2019-09-11 CVE Names: CVE-2019-2762 CVE-2019-2769 CVE-2019-2786 CVE-2019-2816 CVE-2019-7317 CVE-2019-11772 CVE-2019-11775 ===================================================================== 1. Summary: An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Satellite 5.8 (RHEL v.6) - s390x, x86_64 3. Description: IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit. This update upgrades IBM Java SE 8 to version 8 SR5-FP40. Security Fix(es): * IBM JDK: Out-of-bounds access in the String.getBytes method (CVE-2019-11772) * IBM JDK: Failure to privatize a value pulled out of the loop by versioning (CVE-2019-11775) * OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) (CVE-2019-2762) * OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) (CVE-2019-2769) * OpenJDK: Missing URL format validation (Networking, 8221518) (CVE-2019-2816) * OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) (CVE-2019-2786) * libpng: use-after-free in png_image_free in png.c (CVE-2019-7317) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1672409 - CVE-2019-7317 libpng: use-after-free in png_image_free in png.c 1730056 - CVE-2019-2769 OpenJDK: Unbounded memory allocation during deserialization in Collections (Utilities, 8213432) 1730099 - CVE-2019-2816 OpenJDK: Missing URL format validation (Networking, 8221518) 1730255 - CVE-2019-2786 OpenJDK: Insufficient restriction of privileges in AccessController (Security, 8216381) 1730415 - CVE-2019-2762 OpenJDK: Insufficient checks of suppressed exceptions in deserialization (Utilities, 8212328) 1738547 - CVE-2019-11772 IBM JDK: Out-of-bounds access in the String.getBytes method 1738549 - CVE-2019-11775 IBM JDK: Failure to privatize a value pulled out of the loop by versioning 6. Package List: Red Hat Satellite 5.8 (RHEL v.6): s390x: java-1.8.0-ibm-1.8.0.5.40-1jpp.1.el6_10.s390x.rpm java-1.8.0-ibm-devel-1.8.0.5.40-1jpp.1.el6_10.s390x.rpm x86_64: java-1.8.0-ibm-1.8.0.5.40-1jpp.1.el6_10.x86_64.rpm java-1.8.0-ibm-devel-1.8.0.5.40-1jpp.1.el6_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-2762 https://access.redhat.com/security/cve/CVE-2019-2769 https://access.redhat.com/security/cve/CVE-2019-2786 https://access.redhat.com/security/cve/CVE-2019-2816 https://access.redhat.com/security/cve/CVE-2019-7317 https://access.redhat.com/security/cve/CVE-2019-11772 https://access.redhat.com/security/cve/CVE-2019-11775 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXXkN19zjgjWX9erEAQh/fg/9HFMBddvgH3NO7oY+Of9OO2bPeS8/P6BF LaupsMXf16Y8KZkFfOt6Gd2jFkXKkfhaRtF0fXzy95cl2UR9Rbhy3iU8Lscw954f MoLTXSsRLXYiu7FI78ZJhYKxskipJw9WWVnxNb5Agxkh+tuTQ1xWgL2n3XD9fpxr 9+S2h2Btau3I4VPVSECmgjat7j5wTZun2B4ptKThTWk8zMs79ZfuFugkXbvcD1kp 6ZQt4JtAmtQsKH9rCXsc9mPRea/XTBd5zZs28Gty7XVfSjgNSAG+hiQTcIKTN+Yg zfvEFvj6r+vGN5gekVc2BktMN2RdRusH45uj3Mk73gHRD883gB8Vndt0KRXRlTef Ghe3tD4c3RLyQdYhORmkNVp5jtMtGDoGNO8VpBXdWXjGpi/RzS/3LlKX3inZ+b6U 8KnnO50YkdMV7J37ll+RdrS93IBXqRstzpnwUZ48J5zBff5MAa/1ZDDuDpsefXz/ JEIjEZ+DEiMFllKDD1E48nsI8Cz03Y5m5Lj5MloNdxda6ZAzRNTOsL2caoDiSz+R CioMmOSs4NW870hGSzA6O239OIA3IYMhuucLiYu8rh67rBrwA27fIt0cNcR+Ixsw bR3M52/LZdJzx6aV4Z5pDAj2dbuYzvUE9Y5Upk51mCl94bA7OmRV3oLn62B32SsB mbahXGlbEcQ= =jy51 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXXmO9WaOgq3Tt24GAQirLQ//dkQ1xJMHwzsjJekjApp3CZL8kFaqybE5 KEQCErFAKSXuve4syjmBkc0XKxhHFWvKTwFBK6tU+trpvVroOiws1V/1K9GVdKw/ FXsaCWtrltYTkIMkiUIeDHoxabQjJ/ZaffgSrsPRh06jRDJ9JKnvzIV2Sihlg4O0 ROvNJv3oKnGVkAToygYSoKnJgm3MpguudMr0kAfBaLGbsAGIsXsvuuoQfzvZZFEJ Gfq7urNrqkwI7oUo2w9O+wLD1wfxlfYu85bMCF9xtqfh+UoVoI1MPp+QQ50haR9e xBlfbVkr7lJQpPeXcKZVJzVxrRuOoIHSHlm+Iq+V8ycztdzcfJ6pyhRIDOQF22hf 5OZLW6hORBAXJm59gB0q1y30i5h3hfArCL3DQ17iycKAjKFaKtO0zYcpuOJ2QFUb kynlI9o2JOabCqnaYa0swQQZXepWN9bhJXKlbFvJLq8h0oagC8/um0Q4y2pt/GOH 3XQroX6Q6Z4TGsYthO+ljbsllu7q3vwneWXb59xf1PquWwhy1/j6xzCtvEIoJIGi hDOFhmDMu30RxwfDN6+xZSEpMLmt7nSjFOFKXRfveZGTEsws9juXgTZWriy0FFY8 MxDAv03u1phfCrm1HzfFAKWFRYKzMD8qyGKXFOEq1R8z95iRHRYjxu7aPL1l05bm b9zi7zXntYY= =uLwT -----END PGP SIGNATURE-----