ArchLinux: 201510-16: jre7-openjdk: multiple issues
Summary
- CVE-2015-4734 (information disclosure)
It was discovered that the JGSS component of OpenJDK did not properly
hide Kerberos realm information from all error exceptions when running
under Security Manager. An untrusted Java application or applet could
use this flaw to obtain certain information about the Kerberos
configuration on the host where they were executed, bypassing certain
Java sandbox restrictions.
- CVE-2015-4803 (denial of service)
It was discovered that the JAXP component of OpenJDK did not use
efficient data structures to store data from parsed XML documents. A
specially-crafted XML input could cause a Java application using JAXP to
use an excessive amount of CPU time by e.g. triggering hash collisions.
- CVE-2015-4805 (arbitrary code execution)
It was discovered that the ObjectStreamClass in the Serialization
component of OpenJDK failed to ensure that the object is fully
initialized before allowing calls of certain methods. An untrusted Java
application or applet could use this flaw to bypass Java sandbox
restrictions to execute code.
- CVE-2015-4806 (improper input validation)
A vulnerability has been discovered leading to HttpURLConnection header
restriction bypass, allowing remote attackers to affect confidentiality
and integrity via unknown vectors related to Libraries.
- CVE-2015-4810 (arbitrary code execution)
An unspecified vulnerability has been discovered that allows local users
to affect confidentiality, integrity, and availability via unknown
vectors related to Deployment.
- CVE-2015-4835 (arbitrary code execution)
It was discovered that the StubGenerator class in the CORBA component of
OpenJDK failed to generate code with all needed permission checks
related to object (de-)serialization. An untrusted Java application or
applet could use this flaw to bypass Java sandbox restrictions and
execute arbitrary code.
- CVE-2015-4840 (information disclosure)
It was discovered that the 2D component of OpenJDK could perform out of
bounds access and possibly disclose portions of the Java Virtual Machine
memory when processing specially crafted color profiles. The issue was
caused by the bundled lcms2 code using a fast floor() implementation. An
untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions.
- CVE-2015-4842 (information disclosure)
An information disclosure flaw was found in the JAXP component of
OpenJDK. An untrusted Java application or applet could use this flaw to
get information about user home directory location (the content of the
"user.dir" system property), hence bypassing certain Java sandbox
restrictions.
- CVE-2015-4843 (arbitrary code execution)
Multiple integer overflow issues were found in the implementation of
Buffers in the java.nio (Non-blocking I/O) packages in the Libraries
component of OpenJDK. These could lead to out of bounds buffer access
and Java Virtual Machine memory corruption. An untrusted Java
application or applet could use these flaws to run arbitrary code with
the Java Virtual Machine privileges or bypass Java sandbox restrictions.
- CVE-2015-4844 (arbitrary code execution)
It was discovered that ICU Layout Engine was missing multiple boundary
and error return checks. These could lead to buffer overflows and memory
corruption. A specially crafted font file could cause an application
using ICU to parse untrusted fonts to crash and, possibly, execute
arbitrary code.
- CVE-2015-4860 (sandbox bypass)
It was discovered that the DGCImpl (for RMI distributed
garbage-collection - DGC) class in the RMI component of OpenJDK failed
to use restricted access control context when processing untrusted
input. An untrusted Java application or applet could use this flaw to
bypass Java sandbox restrictions.
- CVE-2015-4871 (unknown)
An unspecified vulnerability has been discovered that allows remote
attackers to affect confidentiality and integrity via unknown vectors
related to Libraries.
- CVE-2015-4872 (security policy bypass)
It was discovered that the AlgorithmChecker class in the Security
component of OpenJDK failed to properly check if a certificate satisfies
all defined constraints in certain cases. This could cause a Java
application to accept an X.509 certificate which does not meet
requirements of the policy defined in the java.security file.
- CVE-2015-4881 (sandbox bypass)
It was discovered that the IIOPInputStream class in the CORBA component
of OpenJDK failed to properly check object and field types during object
deserialization. An untrusted Java application or applet could use this
flaw to bypass Java sandbox restrictions.
- CVE-2015-4882 (denial of service)
A flaw was found in the way the IIOPInputStream class in the CORBA
component of OpenJDK performed deserialization of String objects. An
untrusted Java application or applet could use this flaw to crash the
Java Virtual Machine.
- CVE-2015-4883 (sandbox bypass)
It was discovered that the DGCClient (for RMI distributed
garbage-collection - DGC) class in the RMI component of OpenJDK failed
to use restricted access control context when handling JRMP (Java Remote
Method Protocol) messages. An untrusted Java application or applet could
use this flaw to bypass Java sandbox restrictions.
- CVE-2015-4893 (denial of service)
It was discovered that the JAXP component of OpenJDK did not enforce the
maximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.
A specially crafted XML document could cause a Java application using
JAXP to consume an excessive amount of memory and CPU time when parsed.
- CVE-2015-4902 (unknown)
An unspecified vulnerability has been discovered that allows remote
attackers to affect integrity via unknown vectors related to Deployment.
- CVE-2015-4903 (sandbox bypass)
It was discovered that the RemoteObjectInvocationHandler class in the
RMI component of OpenJDK did not check whether an object proxy is an
instance of a proxy class and whether it uses the correct invocation
handler. An untrusted Java application or applet could use this flaw to
bypass certain Java sandbox restrictions by gaining access to data that
should be protected by the sandbox.
- CVE-2015-4911 (denial of service)
It was discovered that the StAX XML parser in the JAXP component of
OpenJDK could do certain DTD processing even when DTD support was
disabled via the javax.xml.stream.supportDTD system property. A
specially crafted XML document could cause a Java application using JAXP
to consume an excessive amount of memory and CPU time when parsed.
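The three JAXP items above (CVE-2015-4803, CVE-2015-4893 and CVE-2015-4911) all concern what the bundled parsers do with attacker-controlled XML, so an application can reduce its exposure by narrowing what it hands the parser. The following is an added example and not code from this advisory or from the OpenJDK project: it uses the standard JAXP and StAX configuration hooks to switch DTD processing off, reject any DOCTYPE up front, and enable the JDK's secure-processing limits, with two constructed sample documents as input. The class name HardenedJaxp and the sample strings are assumptions made for the example. Since CVE-2015-4911 is exactly a case in which the javax.xml.stream.supportDTD setting was not honoured, these settings are defence in depth on a patched JRE, not a substitute for the upgrade.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedJaxp {

    // Constructed sample inputs (not taken from the advisory).
    static final String PLAIN = "<root><item>ok</item><item>ok</item></root>";
    static final String WITH_DOCTYPE =
        "<!DOCTYPE root [<!ELEMENT root ANY>]><root><item>ok</item></root>";

    /** StAX factory: DTD support and external entity resolution switched off. */
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** DOM factory: secure processing on, any DOCTYPE rejected before a DTD is read. */
    static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Streams the document with the hardened StAX reader; returns the START_ELEMENT count. */
    static int countElements(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(new StringReader(xml));
        int n = 0;
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT) {
                    n++;
                }
            }
        } finally {
            r.close();
        }
        return n;
    }

    /** Returns true if the hardened DOM parser accepted the document. */
    static boolean domAccepts(String xml) throws Exception {
        DocumentBuilder b = hardenedDomFactory().newDocumentBuilder();
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            // disallow-doctype-decl makes the parser fail fast on a DOCTYPE,
            // so neither the internal subset nor any entity is ever processed.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // JVM-wide cap on XML name length. The JDK documents this property as
        // jdk.xml.maxXMLNameLimit; the advisory text spells it jdk.xml.MaxXMLNameLimit.
        // It must be set before the first parser factory is created.
        System.setProperty("jdk.xml.maxXMLNameLimit", "1000");

        System.out.println("StAX elements (plain):        " + countElements(PLAIN));
        System.out.println("DOM accepts plain document:   " + domAccepts(PLAIN));
        System.out.println("DOM accepts DOCTYPE document: " + domAccepts(WITH_DOCTYPE));
    }
}
```

Compile and run it with the JDK's own javac and java on the upgraded package; the DOM call on the DOCTYPE sample returns false because disallow-doctype-decl aborts the parse at the DOCTYPE, while the plain document is accepted by both parsers. Rejecting the DOCTYPE outright is the simplest defence because it removes the internal subset, entity expansion and external resolution in one step; the StAX SUPPORT_DTD switch covers the streaming path that CVE-2015-4911 concerns.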
Resolution
Upgrade to 7.u91_2.6.2-1.
# pacman -Syu "jre7-openjdk>=7.u91_2.6.2-1"
The problems have been fixed upstream in version 7.u91.
References
https://mail.openjdk.org/pipermail/distro-pkg-dev/2015-October/033972.html
https://www.oracle.com/security-alerts/cpuoct2015.html
https://access.redhat.com/security/cve/CVE-2015-4734
https://access.redhat.com/security/cve/CVE-2015-4803
https://access.redhat.com/security/cve/CVE-2015-4805
https://access.redhat.com/security/cve/CVE-2015-4806
https://access.redhat.com/security/cve/CVE-2015-4810
https://access.redhat.com/security/cve/CVE-2015-4835
https://access.redhat.com/security/cve/CVE-2015-4840
https://access.redhat.com/security/cve/CVE-2015-4842
https://access.redhat.com/security/cve/CVE-2015-4843
https://access.redhat.com/security/cve/CVE-2015-4844
https://access.redhat.com/security/cve/CVE-2015-4860
https://access.redhat.com/security/cve/CVE-2015-4871
https://access.redhat.com/security/cve/CVE-2015-4872
https://access.redhat.com/security/cve/CVE-2015-4881
https://access.redhat.com/security/cve/CVE-2015-4882
https://access.redhat.com/security/cve/CVE-2015-4883
https://access.redhat.com/security/cve/CVE-2015-4893
https://access.redhat.com/security/cve/CVE-2015-4902
https://access.redhat.com/security/cve/CVE-2015-4903
https://access.redhat.com/security/cve/CVE-2015-4911
Workaround
None.