-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0962
                      java-1.8.0-ibm security update
                               18 March 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           java-1.8.0-ibm
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux WS/Desktop 6
Impact/Access:     Denial of Service  -- Remote/Unauthenticated      
                   Modify Permissions -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2659 CVE-2020-2604 CVE-2020-2593
                   CVE-2020-2583  

Reference:         ESB-2020.0744
                   ESB-2020.0674

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:0856

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.8.0-ibm security update
Advisory ID:       RHSA-2020:0856-01
Product:           Red Hat Satellite
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:0856
Issue date:        2020-03-17
CVE Names:         CVE-2020-2583 CVE-2020-2593 CVE-2020-2604 
                   CVE-2020-2659 
=====================================================================

1. Summary:

An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Satellite 5.8 (RHEL v.6) - s390x, x86_64

3. Description:

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR6-FP5.

Security Fix(es):

* OpenJDK: Serialization filter changes via jdk.serialFilter property
modification (Serialization, 8231422) (CVE-2020-2604)

* OpenJDK: Incorrect isBuiltinStreamHandler check causing URL normalization
issues (Networking, 8228548) (CVE-2020-2593)

* OpenJDK: Incorrect exception processing during deserialization in
BeanContextSupport (Serialization, 8224909) (CVE-2020-2583)

* OpenJDK: Incomplete enforcement of maxDatagramSockets limit in
DatagramChannelImpl (Networking, 8231795) (CVE-2020-2659)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1790444 - CVE-2020-2583 OpenJDK: Incorrect exception processing during deserialization in BeanContextSupport (Serialization, 8224909)
1790884 - CVE-2020-2593 OpenJDK: Incorrect isBuiltinStreamHandler check causing URL normalization issues (Networking, 8228548)
1790944 - CVE-2020-2604 OpenJDK: Serialization filter changes via jdk.serialFilter property modification (Serialization, 8231422)
1791284 - CVE-2020-2659 OpenJDK: Incomplete enforcement of maxDatagramSockets limit in DatagramChannelImpl (Networking, 8231795)

6. Package List:

Red Hat Satellite 5.8 (RHEL v.6):

s390x:
java-1.8.0-ibm-1.8.0.6.5-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.6.5-1jpp.1.el6_10.s390x.rpm

x86_64:
java-1.8.0-ibm-1.8.0.6.5-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.5-1jpp.1.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-2583
https://access.redhat.com/security/cve/CVE-2020-2593
https://access.redhat.com/security/cve/CVE-2020-2604
https://access.redhat.com/security/cve/CVE-2020-2659
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----