Ubuntu 3194-1: OpenJDK 7 vulnerabilities

    Date: 09 Feb 2017
    Category: Ubuntu
    Posted By: LinuxSecurity Advisories
    Several security issues were fixed in OpenJDK 7.
    ==========================================================================
    Ubuntu Security Notice USN-3194-1
    February 09, 2017
    
    openjdk-7 vulnerabilities
    ==========================================================================
    
    A security issue affects these releases of Ubuntu and its derivatives:
    
    - Ubuntu 14.04 LTS
    
    Summary:
    
    Several security issues were fixed in OpenJDK 7.
    
    Software Description:
    - openjdk-7: Open Source Java implementation
    
    Details:
    
    Karthik Bhargavan and Gaetan Leurent discovered that the DES and
    Triple DES ciphers were vulnerable to birthday attacks. A remote
    attacker could possibly use this flaw to obtain clear text data from
    long encrypted sessions. This update moves those algorithms to the
    legacy algorithm set and causes them to be used only if no non-legacy
    algorithms can be negotiated. (CVE-2016-2183)
    
    It was discovered that OpenJDK accepted ECDSA signatures using
    non-canonical DER encoding. An attacker could use this to modify or
    expose sensitive data. (CVE-2016-5546)
    
    It was discovered that OpenJDK did not properly verify object
    identifier (OID) length when reading Distinguished Encoding Rules
    (DER) records, as used in X.509 certificates and elsewhere. An
    attacker could use this to cause a denial of service (memory
    consumption). (CVE-2016-5547)
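A strict DER parser, added here as an example and not code from the advisory or from OpenJDK, shows what the two DER issues above amount to in practice: the ECDSA check (CVE-2016-5546) rejects integers with needless leading zero bytes and non-minimal length forms, and the length check (CVE-2016-5547) rejects any length field that points past the end of the input before anything is allocated for it. The sample signatures are constructed.

```python
# Added example, not from the advisory or OpenJDK: a strict DER parser for ECDSA
# signatures that rejects non-canonical encodings (CVE-2016-5546) and length
# fields that overrun the buffer (CVE-2016-5547). Sample inputs are constructed.
def _read_length(buf, pos):
    """Parse a DER length at buf[pos]; return (length, pos after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if length < 0x80 or buf[pos] == 0:  # DER allows the shortest form only
            raise ValueError("non-minimal length encoding")
        pos += nbytes
    if pos + length > len(buf):  # the unchecked-length (memory-consumption) case
        raise ValueError("length exceeds remaining input")
    return length, pos

def _read_integer(buf, pos):
    """Parse a positive, minimally encoded DER INTEGER; return (value, pos)."""
    if pos >= len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER")
    length, pos = _read_length(buf, pos + 1)
    body = buf[pos:pos + length]
    if length == 0 or body[0] & 0x80:
        raise ValueError("empty or negative INTEGER")
    if length > 1 and body[0] == 0 and not body[1] & 0x80:
        raise ValueError("non-canonical leading zero in INTEGER")
    return int.from_bytes(body, "big"), pos + length

def parse_ecdsa_signature(sig):
    """Return (r, s) from a strict DER SEQUENCE { r INTEGER, s INTEGER }."""
    if not sig or sig[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    length, pos = _read_length(sig, 1)
    end = pos + length
    r, pos = _read_integer(sig, pos)
    s, pos = _read_integer(sig, pos)
    if pos != end or end != len(sig):
        raise ValueError("SEQUENCE length does not match its contents")
    return r, s
# Constructed samples: canonical r=2, s=3; the same r padded with a needless
# 0x00 byte; and a SEQUENCE that declares 16 bytes when only 3 follow.
GOOD_SIG = bytes.fromhex("3006020102020103")
PADDED_R = bytes.fromhex("300702020002020103")
OVERRUN = bytes.fromhex("3010020102")
```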
    
    It was discovered that covert timing channel vulnerabilities existed
    in the DSA implementations in OpenJDK. A remote attacker could use
    this to expose sensitive information. (CVE-2016-5548)
    
    It was discovered that the URLStreamHandler class in OpenJDK did not
    properly parse user information from a URL. A remote attacker could
    use this to expose sensitive information. (CVE-2016-5552)
    
    It was discovered that the URLClassLoader class in OpenJDK did not
    properly check access control context when downloading class files. A
    remote attacker could use this to expose sensitive information.
    (CVE-2017-3231)
    
    It was discovered that the Remote Method Invocation (RMI)
    implementation in OpenJDK performed deserialization of untrusted
    inputs. A remote attacker could use this to execute arbitrary
    code. (CVE-2017-3241)
    
    It was discovered that the Java Authentication and Authorization
    Service (JAAS) component of OpenJDK did not properly perform user
    search LDAP queries. An attacker could use a specially constructed
    LDAP entry to expose or modify sensitive information. (CVE-2017-3252)
    
    It was discovered that the PNGImageReader class in OpenJDK did not
    properly handle iTXt and zTXt chunks. An attacker could use this to
    cause a denial of service (memory consumption). (CVE-2017-3253)
    
    It was discovered that integer overflows existed in the
    SocketInputStream and SocketOutputStream classes of OpenJDK. An
    attacker could use this to expose sensitive information.
    (CVE-2017-3261)
    
    It was discovered that the atomic field updaters in the
    java.util.concurrent.atomic package in OpenJDK did not properly
    restrict access to protected field members. An attacker could use
    this to specially craft a Java application or applet that could bypass
    Java sandbox restrictions. (CVE-2017-3272)
    
    It was discovered that a vulnerability existed in the class
    construction implementation in OpenJDK. An attacker could use this
    to specially craft a Java application or applet that could bypass
    Java sandbox restrictions. (CVE-2017-3289)
    
    Update instructions:
    
    The problem can be corrected by updating your system to the following
    package versions:
    
    Ubuntu 14.04 LTS:
      icedtea-7-jre-jamvm             7u121-2.6.8-1ubuntu0.14.04.3
      openjdk-7-jdk                   7u121-2.6.8-1ubuntu0.14.04.3
      openjdk-7-jre                   7u121-2.6.8-1ubuntu0.14.04.3
      openjdk-7-jre-headless          7u121-2.6.8-1ubuntu0.14.04.3
      openjdk-7-jre-zero              7u121-2.6.8-1ubuntu0.14.04.3
    
    This update uses a new upstream release, which includes additional
    bug fixes. After a standard system update you need to restart any
    Java applications or applets to make all the necessary changes.
    
    References:
      http://www.ubuntu.com/usn/usn-3194-1
      CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548,
      CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252,
      CVE-2017-3253, CVE-2017-3261, CVE-2017-3272, CVE-2017-3289
    
    Package Information:
      https://launchpad.net/ubuntu/+source/openjdk-7/7u121-2.6.8-1ubuntu0.14.04.3
    