Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1797
java-1.8.0-ibm security update
21 May 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: java-1.8.0-ibm
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-2830 CVE-2020-2805 CVE-2020-2803
CVE-2020-2800 CVE-2020-2781 CVE-2020-2757
CVE-2020-2756 CVE-2020-2755 CVE-2020-2754
CVE-2020-2654 CVE-2019-2949
Reference: ASB-2020.0076
ASB-2019.0294
ESB-2020.1460
ESB-2020.1413
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:2237
https://access.redhat.com/errata/RHSA-2020:2239
https://access.redhat.com/errata/RHSA-2020:2241
Comment: This bulletin contains three (3) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: java-1.8.0-ibm security update
Advisory ID: RHSA-2020:2237-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2237
Issue date: 2020-05-20
CVE Names: CVE-2019-2949 CVE-2020-2654 CVE-2020-2754
CVE-2020-2755 CVE-2020-2756 CVE-2020-2757
CVE-2020-2781 CVE-2020-2800 CVE-2020-2803
CVE-2020-2805 CVE-2020-2830
=====================================================================
1. Summary:
An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux
7 Supplementary.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 7) - x86_64
3. Description:
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.
This update upgrades IBM Java SE 8 to version 8 SR6-FP10.
Security Fix(es):
* OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos,
8220302) (CVE-2019-2949)
* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
(CVE-2020-2803)
* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries,
8235274) (CVE-2020-2805)
* OpenJDK: Excessive memory usage in OID processing in X.509 certificate
parsing (Libraries, 8234037) (CVE-2020-2654)
* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)
(CVE-2020-2781)
* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP
Server, 8234825) (CVE-2020-2800)
* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
(CVE-2020-2830)
* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner
(Scripting, 8223898) (CVE-2020-2754)
* OpenJDK: Incorrect handling of empty string nodes in regular expression
Parser (Scripting, 8223904) (CVE-2020-2755)
* OpenJDK: Incorrect handling of references to uninitialized class
descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)
* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass
(Serialization, 8224549) (CVE-2020-2757)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of IBM Java must be restarted for this update to take
effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1761594 - CVE-2019-2949 OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302)
1791217 - CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)
1823199 - CVE-2020-2754 OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898)
1823200 - CVE-2020-2755 OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904)
1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)
1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)
1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)
1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)
1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)
6. Package List:
Red Hat Enterprise Linux Client Supplementary (v. 7):
x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
Red Hat Enterprise Linux ComputeNode Supplementary (v. 7):
x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 7):
ppc64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el7.ppc64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.ppc64.rpm
ppc64le:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.ppc64le.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.ppc64le.rpm
s390x:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.s390x.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.s390x.rpm
x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 7):
x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-2949
https://access.redhat.com/security/cve/CVE-2020-2654
https://access.redhat.com/security/cve/CVE-2020-2754
https://access.redhat.com/security/cve/CVE-2020-2755
https://access.redhat.com/security/cve/CVE-2020-2756
https://access.redhat.com/security/cve/CVE-2020-2757
https://access.redhat.com/security/cve/CVE-2020-2781
https://access.redhat.com/security/cve/CVE-2020-2800
https://access.redhat.com/security/cve/CVE-2020-2803
https://access.redhat.com/security/cve/CVE-2020-2805
https://access.redhat.com/security/cve/CVE-2020-2830
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXsU9w9zjgjWX9erEAQh39A/+O1RaRaPwJWFhMyhrVfyW/795PmJUmH4Z
WEVgoCZEsKX13BcRB81w8m2uv1O8NZj2hu+I0PvzqqOu62evgIZY8i7K/oqntxgJ
6tQte4yTXcYZj8aLrvG2qbBEAMH6Xey6T6iv/7y2coY73gBTCw0O2zY41DP6Yi4r
SdGObur1bg88pMsQqdZ3HqQCVy4hnvEweLrGLtOO21QII4qSkTeRZW0+JQMc0TP8
eV5Q2xHZtwYCMnP67kO4NP8m1EkCCQ1dLowTtzci52hXsOJebA9FsOad8tqYT+Wp
AcUAssNcrMrP6SO7sdlB1MrA0sGNBNzMxv6jewwjnfr2DVZfjDIEbf2ExHF7q/JO
cMLvloRjQ0rIYHf6Kf+JCMftqK61C0KVMlrJidrJ4FZ9AtT2IvBAJW5MCHdER/Yw
M/vqBSzcQ4GxDHxKZ7EviRwEJs93fv6678fAvmyAD3gVvDkdO27gLFBmmh4+3Jwf
qIWLYqOxxHol4iSq9cenJqeCJK5giRr2p9w+IpWLWm/BlGiVBbQ0HEh1WzlMs9Rd
G3md61azTC5vs8nW3+Bo1Eb5hRtnEe2/fYY+frpPBF/0NYACMQH6/blOXt+OgCw0
2xKGTrqOfbs3F+o2cFzGppoivutRbpGRm6Ydo7/mqQ18MYoIIaS5lKU2h/50KocB
oEhIU28Yv+I=
=vNoR
- -----END PGP SIGNATURE-----
- ------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: java-1.8.0-ibm security update
Advisory ID: RHSA-2020:2239-01
Product: Red Hat Enterprise Linux Supplementary
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2239
Issue date: 2020-05-20
CVE Names: CVE-2019-2949 CVE-2020-2654 CVE-2020-2754
CVE-2020-2755 CVE-2020-2756 CVE-2020-2757
CVE-2020-2781 CVE-2020-2800 CVE-2020-2803
CVE-2020-2805 CVE-2020-2830
=====================================================================
1. Summary:
An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux
6 Supplementary.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64
3. Description:
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.
This update upgrades IBM Java SE 8 to version 8 SR6-FP10.
Security Fix(es):
* OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos,
8220302) (CVE-2019-2949)
* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
(CVE-2020-2803)
* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries,
8235274) (CVE-2020-2805)
* OpenJDK: Excessive memory usage in OID processing in X.509 certificate
parsing (Libraries, 8234037) (CVE-2020-2654)
* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)
(CVE-2020-2781)
* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP
Server, 8234825) (CVE-2020-2800)
* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
(CVE-2020-2830)
* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner
(Scripting, 8223898) (CVE-2020-2754)
* OpenJDK: Incorrect handling of empty string nodes in regular expression
Parser (Scripting, 8223904) (CVE-2020-2755)
* OpenJDK: Incorrect handling of references to uninitialized class
descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)
* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass
(Serialization, 8224549) (CVE-2020-2757)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of IBM Java must be restarted for this update to take
effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1761594 - CVE-2019-2949 OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302)
1791217 - CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)
1823199 - CVE-2020-2754 OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898)
1823200 - CVE-2020-2755 OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904)
1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)
1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)
1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)
1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)
1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)
6. Package List:
Red Hat Enterprise Linux Desktop Supplementary (v. 6):
i386:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Server Supplementary (v. 6):
i386:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
ppc64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.ppc64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.ppc64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.ppc64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.ppc64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.ppc64.rpm
s390x:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.s390x.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.s390x.rpm
x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
Red Hat Enterprise Linux Workstation Supplementary (v. 6):
i386:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.i686.rpm
x86_64:
java-1.8.0-ibm-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1jpp.1.el6_10.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-2949
https://access.redhat.com/security/cve/CVE-2020-2654
https://access.redhat.com/security/cve/CVE-2020-2754
https://access.redhat.com/security/cve/CVE-2020-2755
https://access.redhat.com/security/cve/CVE-2020-2756
https://access.redhat.com/security/cve/CVE-2020-2757
https://access.redhat.com/security/cve/CVE-2020-2781
https://access.redhat.com/security/cve/CVE-2020-2800
https://access.redhat.com/security/cve/CVE-2020-2803
https://access.redhat.com/security/cve/CVE-2020-2805
https://access.redhat.com/security/cve/CVE-2020-2830
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXsU+ANzjgjWX9erEAQgWDQ//fWaz+bAUBVUThfzlQgjXH0EFgEhIWpSQ
HER3J++aJOSlD1WnpiaAw9qdzJWcSuuj0MxBqpXklhyr+yNnTxsvw+iT8AssqWHP
ffCD5K2dRVeCkKXiplMpuZQxxYr3ZdrTDCCAbd7oTKFLsGwjwqcw96YIT+dt5+GP
6rpTFzpy6XdWt+wWvHhf9DsOdItHnTg9e3QM5LI/jNPU8P2kQLR0yIsH9pSMpKgr
rTcE4tCaSEy7HpOglzzVNXYUcyIdPbHK3RIQTNjk5A52HNs/SYMUi2uOadefUPoY
LnVQod7SYeq57uw/NwoHKuxwz7BPJesVTOVs3MASYAD5EVC6ukhEPrfXaKnlWrzG
ruEfQLVAdFPXyo77JvdgSQIdeN5sSxCHnODdyoXgSGra9SPnBR8+oA0bZ9WEpuBy
P5Tsyr5WjuXERG1tjdssirC1aJo4CleuPejmQ3TmWnZXkKYJvJbc9lFZAZUptS1M
27lF8EuC38Bf5n6NV7uH3l3m8q5OEXKccbYe97kmlBp5K/jpyLAGJygb5g2lTSf4
VYrUZPx1k/rNsZ7kcfAHuKxKnZvPQawGezVPP1GT9qnQgewzI8TwG+Rm/oahNeVG
KklYUCqDF/CL6SO4eL++ffTBYgjU4/Tj9iCuKlVR/LRu8PgUuHnAsFMxn7c28VYe
BTCkYDhQvoU=
=8njU
- -----END PGP SIGNATURE-----
- ------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: java-1.8.0-ibm security update
Advisory ID: RHSA-2020:2241-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2241
Issue date: 2020-05-20
CVE Names: CVE-2019-2949 CVE-2020-2654 CVE-2020-2754
CVE-2020-2755 CVE-2020-2756 CVE-2020-2757
CVE-2020-2781 CVE-2020-2800 CVE-2020-2803
CVE-2020-2805 CVE-2020-2830
=====================================================================
1. Summary:
An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux
8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux 8 Supplementary - ppc64le, s390x, x86_64
3. Description:
IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.
This update upgrades IBM Java SE 8 to version 8 SR6-FP10.
Security Fix(es):
* OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos,
8220302) (CVE-2019-2949)
* OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
(CVE-2020-2803)
* OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries,
8235274) (CVE-2020-2805)
* OpenJDK: Excessive memory usage in OID processing in X.509 certificate
parsing (Libraries, 8234037) (CVE-2020-2654)
* OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)
(CVE-2020-2781)
* OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP
Server, 8234825) (CVE-2020-2800)
* OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
(CVE-2020-2830)
* OpenJDK: Misplaced regular expression syntax error check in RegExpScanner
(Scripting, 8223898) (CVE-2020-2754)
* OpenJDK: Incorrect handling of empty string nodes in regular expression
Parser (Scripting, 8223904) (CVE-2020-2755)
* OpenJDK: Incorrect handling of references to uninitialized class
descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)
* OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass
(Serialization, 8224549) (CVE-2020-2757)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
All running instances of IBM Java must be restarted for this update to take
effect.
5. Bugs fixed (https://bugzilla.redhat.com/):
1761594 - CVE-2019-2949 OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302)
1791217 - CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)
1823199 - CVE-2020-2754 OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898)
1823200 - CVE-2020-2755 OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904)
1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)
1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)
1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)
1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)
1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)
6. Package List:
Red Hat Enterprise Linux 8 Supplementary:
ppc64le:
java-1.8.0-ibm-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-headless-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1.el8_2.ppc64le.rpm
java-1.8.0-ibm-webstart-1.8.0.6.10-1.el8_2.ppc64le.rpm
s390x:
java-1.8.0-ibm-1.8.0.6.10-1.el8_2.s390x.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1.el8_2.s390x.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1.el8_2.s390x.rpm
java-1.8.0-ibm-headless-1.8.0.6.10-1.el8_2.s390x.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1.el8_2.s390x.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1.el8_2.s390x.rpm
x86_64:
java-1.8.0-ibm-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-demo-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-devel-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-headless-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-jdbc-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-plugin-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-src-1.8.0.6.10-1.el8_2.x86_64.rpm
java-1.8.0-ibm-webstart-1.8.0.6.10-1.el8_2.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-2949
https://access.redhat.com/security/cve/CVE-2020-2654
https://access.redhat.com/security/cve/CVE-2020-2754
https://access.redhat.com/security/cve/CVE-2020-2755
https://access.redhat.com/security/cve/CVE-2020-2756
https://access.redhat.com/security/cve/CVE-2020-2757
https://access.redhat.com/security/cve/CVE-2020-2781
https://access.redhat.com/security/cve/CVE-2020-2800
https://access.redhat.com/security/cve/CVE-2020-2803
https://access.redhat.com/security/cve/CVE-2020-2805
https://access.redhat.com/security/cve/CVE-2020-2830
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXsVU8tzjgjWX9erEAQgQYg/8DsN99sE3VjueIWpVuE+53Vdmzyk4qF8Z
x4BxMLBYvwvSyKa4R3g7HNlBo1KZRoFOYbnii6PBVl6ldokTkovVU2gKtYIUDr1g
6fFktbaL+oTRfdT7XOg/KF9VtbmL/UdXvMHPGXUDkC5MB55UIMhocoHNP3zqjG92
lBviTQIIh0aRZdhUuqjI/uiBnuO+wkIvMzX2XxdtSCXR3pOUdzWJ4L9mo2qrR+Iz
MTJ3H0A/ArtwTy49tB7gLR99mlxaONgP+gi1vlKmfepwTw0I64hQQ3Xt95Jjdjw8
uNCcKnzjkyNtngZy9fKe5EJtn1zKxY7/yjWqmXAiYUU/HHF/L907iUC1dD9ja3QW
YO7sib/L5v5Wko6AZj2oQnxBmqGljOobtmYKnedHakYGF9WFP0Xlj/xqaHauAEEc
Fk9Ffrdv0o+O+X+Y5Z5BTwP56dZ7/gj4Jo1L70Gd53B6qFM58VD8qq8/UrwLNBC9
JUO+nZBK0K5A6yR6beGwCT0DPpx/Elg/NO0yXNsyMefnGuV3jyTlx9jhPEmyiufe
nYgoWMeO1E6TO/5vagycGjgP+bmcl8UPqk5WV7PaJ8kUSiyBOl3T0ZGKTGyxg3w5
QBCqbQSxge1UJ2b59bgD4Tcr0KT3nsR4xq+NkRdpkINGc1QCVX24roqdMJp3OPvg
qX5hayTiKkY=
=r5zd
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXsXKCeNLKJtyKPYoAQj7RA//YqfcH/FzjteKP2GBvtlr+bq6caKO9CBX
SzzYk1YE7DjulVpJ/p24xTPqnGpmLwODwg8sy20HMvhHHVmq9ZOKlw/GJc9fXgFp
iN3s8V7ipMSs4GdwtMZNOusUQmmcyvoXo8HNqdjXqweoUQAHbYnmveitj+fr2J/b
FbtUJ4hJ938zpWEARM6cWNlrs7yy8sN1DkHUgS6Mgs1vmD6PExrzWbtYPiE17djJ
VxiwqI99xlsQhNthf88O7SQzrGRHiEgeer4Sw/ValUdXOtxG+gqO0AWuacbxOafR
5ogc4vx7bk2hcNL9c+FPbZzzhBrbmvFiKYA5Jy3sw5fr2ivP5T7FRL9AFwaGMhIk
HGX8SIQmHeY10yOQMNSvZikufzkSah35jgbGO2xCpa2w5i6iet0e5LG6ukws1f8y
PvALghaxEV04/F3oBTCY/fQbwn5kllQONCXEVYMzDKGJRtBPfEzjIVpUg+XlLOc0
7hRShLkMz68OjRDMlW+nJT6Oixpr4za4K3pMTcRmvBhEI4FWjUfrLSgyzbnMGCJh
jRFw76FCtmgSq35tzwbEW7pCoBCNe7kx+LQ7JIQJRjwkL+11+owuwkYYGwBB2pAh
Wkg83Wfswc6v8PZJXr75kIZL5nc7e/7rt7YmSiTBF6YGHQZTsZqDOsLBMp7SVHpj
wCpuAqF8fsI=
=x5RI
-----END PGP SIGNATURE-----