Arch Linux Security Advisory ASA-201507-16
=========================================
Severity: Critical
Date    : 2015-07-22
CVE-ID  : CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621
          CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808
          CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733
          CVE-2015-4748 CVE-2015-4749 CVE-2015-4760
Package : jre7-openjdk
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package jre7-openjdk before version 7.u85_2.6.1-1 is vulnerable to
multiple issues including remote code execution.

Resolution
=========
Upgrade to 7.u85_2.6.1-1.

# pacman -Syu "jre7-openjdk>=7.u85_2.6.1-1"

The problem has been fixed upstream in version 7.u85 of OpenJDK and
2.6.1 of IcedTea.
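
A post-upgrade check for the TLS-related items described below (CVE-2015-2808, CVE-2015-4000, CVE-2015-2625), as an added example that is not part of the advisory or of OpenJDK: it lists the cipher suites the running JRE enables by default, flags RC4 and export-grade ones, and prints the related properties. The class name TlsDefaultsAudit and the substring match on suite names are assumptions of this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (not OpenJDK code): audits the running JRE's default TLS
// settings for the RC4 and Logjam items listed in this advisory.
public class TlsDefaultsAudit {

    // Assumption: standard JSSE suite names, where RC4 and export-grade
    // suites carry "_RC4_" or "_EXPORT_" in their name.
    static boolean isWeakSuite(String suite) {
        return suite.contains("_RC4_") || suite.contains("_EXPORT_");
    }

    static List<String> weakSuites(String[] suites) {
        List<String> weak = new ArrayList<String>();
        for (String s : suites) {
            if (isWeakSuite(s)) {
                weak.add(s);
            }
        }
        return weak;
    }

    public static void main(String[] args) throws Exception {
        SSLParameters defaults = SSLContext.getDefault().getDefaultSSLParameters();
        List<String> weak = weakSuites(defaults.getCipherSuites());

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        // Unset means the runtime's built-in default key size applies.
        System.out.println("jdk.tls.ephemeralDHKeySize = "
                + System.getProperty("jdk.tls.ephemeralDHKeySize", "(unset)"));
        // Per the advisory, setting this re-enables the reverse DNS lookup.
        System.out.println("jdk.tls.trustNameService = "
                + System.getProperty("jdk.tls.trustNameService", "(unset)"));

        if (weak.isEmpty()) {
            System.out.println("OK: no RC4 or EXPORT suites enabled by default");
        } else {
            System.out.println("WARNING: weak suites enabled by default: " + weak);
            System.exit(1);
        }
    }
}
```

Run it with the same java binary and system properties the application uses; an application that sets its own enabled cipher suites needs the same check applied to those values.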

Workaround
=========
None.

Description
==========
- CVE-2015-2590 (deserialization issue in
ObjectInputStream.readSerialData()):

ObjectInputStream's readSerialData() could, in certain cases,
incorrectly perform deserialization of data from serialized input. An
untrusted Java application or applet could use this flaw to bypass Java
sandbox restrictions.

- CVE-2015-2601 (non-constant time comparisons in crypto code):

It was discovered that the JCE component in OpenJDK failed to use
constant time comparisons in multiple cases. An attacker could possibly
use these flaws to disclose sensitive information by measuring the time
used to perform operations using these non-constant time comparisons.

- CVE-2015-2613 (NSS / JCE: missing EC parameter validation in
ECDH_Derive()):

It was discovered that the Elliptic Curve (EC) cryptography code as used
in Mozilla NSS (Network Security Services) library and OpenJDK JCE (Java
Cryptography Extension) component failed to properly validate EC
parameters as used in ECDH_Derive() function, which performs ECDH
(Elliptic Curve Diffie-Hellman) key derivation. A remote attacker could
use this flaw to disclose sensitive information.

- CVE-2015-2621 (incorrect code permission checks in RMIConnectionImpl):

It was discovered that the RMIConnectionImpl class in the JMX component
of OpenJDK failed to properly check code permissions when creating
repository class loaders. An untrusted Java application or applet could
use this flaw to read information that the Java sandbox should restrict
access to, partially bypassing sandbox restrictions.

- CVE-2015-2625 (name for reverse DNS lookup used in certificate
identity check):

A flaw was found in the way the JSSE component in OpenJDK performed
X.509 certificate identity verification when establishing a TLS/SSL
connection to a host identified by IP address. In certain cases, it
would incorrectly use a host name obtained by performing a reverse DNS
lookup of the specified IP address, rather than the original IP address,
for the identity check, possibly causing a certificate issued for a
different identity to be accepted as valid.

This issue is known to affect cases when SSLSocketFactory.createSocket()
is called with certain InetAddress instances. It is not known to affect
cases when the target host IP is passed to createSocket() as a string,
or when the IP is used in a URL used for HttpsURLConnection.

With this patch, reverse DNS lookup is no longer performed. The fix also
adds a new system property, jdk.tls.trustNameService, that can be used
to allow the DNS lookup to be performed and hence have its result used
during the identity check.

- CVE-2015-2628 (IIOPInputStream type confusion vulnerability):

It was discovered that the IIOPInputStream class in the CORBA component
in OpenJDK failed to properly check object field types. An untrusted
Java application or applet could use this flaw to bypass Java sandbox
restrictions.

- CVE-2015-2632 (integer overflow in LETableReference verifyLength()):

An integer overflow flaw, leading to an out-of-bounds read, was found in
the LETableReference's verifyLength() method. A specially crafted file
could cause an application using ICU to parse untrusted font files to
perform an invalid memory access, leading to a crash and possibly
disclosure of a portion of application memory.

ICU code is embedded in the 2D component in OpenJDK and used by
FontManager. An untrusted Java application or applet could use this flaw
to bypass certain Java sandbox restrictions.

- CVE-2015-2808 (prohibit RC4 cipher suites):

It was discovered that the Invariance Weakness of the RC4 stream cipher
could be used to recover plaintext from a TLS connection, when RC4
encryption is used.

"The Invariance Weakness is an L-shape key pattern in RC4 keys, which
once it exists in an RC4 key, preserves part of the state permutation
intact throughout the initialization process. This intact part includes
the least significant bits of the permutation, when processed by the
PRGA algorithm, determines the least significant bits of the allegedly
pseudo-random output stream along a long prefix of the stream."

This can lead to significant leakage of plaintext bytes from the ciphertext.

- CVE-2015-4000 (make jdk8 mode the default for jdk.tls.ephemeralDHKeySize):

Prevent the Logjam attack.

TLS connections using the Diffie-Hellman key exchange protocol were
found to be vulnerable to an attack in which a man-in-the-middle
attacker could downgrade vulnerable TLS connections to 512-bit
export-grade cryptography. The attack affects any server that supports
DHE_EXPORT ciphers.

- CVE-2015-4731 (improper permission checks in
MBeanServerInvocationHandler):

It was discovered that the JMX component in OpenJDK failed to properly
handle MBean connection proxy classes. An untrusted Java application or
applet could use this flaw to bypass Java sandbox restrictions.

- CVE-2015-4732 (insufficient context checks during object deserialization):

It was discovered that the Libraries component of OpenJDK failed to
check current context / thread while performing object deserialization,
possibly leading to incorrect input deserialization. An untrusted Java
application or applet could use this flaw to bypass Java sandbox
restrictions.

- CVE-2015-4733 (RemoteObjectInvocationHandler allows calling finalize()):

It was discovered that the RemoteObjectInvocationHandler class in the
RMI component of OpenJDK did not prevent calls to the finalize() method.
An untrusted Java application or applet could use this flaw to bypass
Java sandbox restrictions.

- CVE-2015-4748 (incorrect OCSP nextUpdate checking):

A flaw was found in the way the Libraries component of OpenJDK verified
OCSP (Online Certificate Status Protocol) responses. An OCSP response
with no nextUpdate date specified was incorrectly handled as having
unlimited validity. This could allow a Java application to accept a
revoked X.509 certificate as valid if it was presented with an OCSP
response generated before certificate revocation.

- CVE-2015-4749 (DnsClient fails to release request information after
error):

It was discovered that the DnsClient client class in the JNDI (Java
Naming and Directory Interface) component in OpenJDK failed to properly
remove information about an outgoing DNS request from the list of
outstanding DNS requests when certain errors occurred during DNS
resolution. An attacker able to trigger such DNS errors could cause a
Java application using JNDI to consume memory and possibly block further
DNS resolution (after exhausting all DNS transaction ids).

- CVE-2015-4760 (missing boundary checks in layout engine):

It was discovered that the ICU Layout Engine was missing multiple
boundary checks. These could lead to buffer overflows and JVM memory
corruption. A specially crafted file could cause an application using
ICU to parse untrusted font files to crash and, possibly, execute
arbitrary code.

ICU code is embedded in the 2D component in OpenJDK and used by
FontManager. An untrusted Java application or applet could use this
flaw to bypass Java sandbox restrictions.
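
The comparison problem behind CVE-2015-2601, as an added example that is not OpenJDK's code or its patch: an authentication tag checked with an early-exit loop next to a comparison whose running time depends only on the tag length. The class name TagCompare, the key and the message are constructed for this example.

```java
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example (not OpenJDK code): tag verification with and without a
// data-dependent early exit. Key and message are constructed sample values.
public class TagCompare {

    // Returns at the first differing byte, so the time taken reveals how
    // many leading bytes of the supplied tag were correct.
    static boolean earlyExitEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    // Visits every byte and folds all differences into one value; the
    // loop count depends only on the length, which is not secret.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    static byte[] hmacSha256(byte[] key, byte[] msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-sample-key".getBytes("UTF-8");
        byte[] expected = hmacSha256(key, "amount=10".getBytes("UTF-8"));
        byte[] supplied = expected.clone();
        supplied[supplied.length - 1] ^= 0x01; // wrong only in the last byte

        // Both reject the tag; only the first takes longer the more
        // leading bytes match.
        System.out.println("early exit   : " + earlyExitEquals(expected, supplied));
        System.out.println("constant time: " + constantTimeEquals(expected, supplied));
        // Library routine for comparing digests.
        System.out.println("isEqual      : " + MessageDigest.isEqual(expected, supplied));
    }
}
```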

Impact
=====
A remote attacker can execute arbitrary code on an affected host.

References
=========
https://www.trendmicro.com/en_us/research.html
https://access.redhat.com/security/cve/CVE-2015-2590
https://access.redhat.com/security/cve/CVE-2015-2601
https://access.redhat.com/security/cve/CVE-2015-2613
https://access.redhat.com/security/cve/CVE-2015-2621
https://access.redhat.com/security/cve/CVE-2015-2625
https://access.redhat.com/security/cve/CVE-2015-2628
https://access.redhat.com/security/cve/CVE-2015-2632
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2015-4731
https://access.redhat.com/security/cve/CVE-2015-4732
https://access.redhat.com/security/cve/CVE-2015-4733
https://access.redhat.com/security/cve/CVE-2015-4748
https://access.redhat.com/security/cve/CVE-2015-4749
https://access.redhat.com/security/cve/CVE-2015-4760
