Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

Ubuntu 17.04: 3275-1 Critical OpenJDK 8 DoS and Access Issues

ubuntu
Calendar Grey May 11, 2017
Dist Ubuntu Esm H88
Concerns regarding security in OpenJDK 8 for Ubuntu involve risks related to unauthorized access and potential denial-of-service threats.
Several security issues were fixed in OpenJDK 8.

Summary

Several security issues were fixed in OpenJDK 8.

Software Description:

- openjdk-8: Open Source Java implementation

Details:

It was discovered that OpenJDK improperly re-used cached NTLM

connections in some situations. A remote attacker could possibly

use this to cause a Java application to perform actions with the

credentials of a different user. (CVE-2017-3509)

It was discovered that an untrusted library search path flaw existed

in the Java Cryptography Extension (JCE) component of OpenJDK. A

local attacker could possibly use this to gain the privileges of a

Java application. (CVE-2017-3511)

It was discovered that the Java API for XML Processing (JAXP) component

in OpenJDK did not properly enforce size limits when parsing XML

documents. An attacker could use this to cause a denial of service

(processor and memory consumption). (CVE-2017-3526)

It was discovered that the FTP client implementation in OpenJDK did

not properly sanitize user inputs. If a user was tricked into ope...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  openjdk-8-jre                   8u131-b11-0ubuntu1.17.04.1
  openjdk-8-jre-headless          8u131-b11-0ubuntu1.17.04.1
  openjdk-8-jre-zero              8u131-b11-0ubuntu1.17.04.1

Ubuntu 16.10:
  openjdk-8-jre                   8u131-b11-0ubuntu1.16.10.2
  openjdk-8-jre-headless          8u131-b11-0ubuntu1.16.10.2
  openjdk-8-jre-jamvm             8u131-b11-0ubuntu1.16.10.2
  openjdk-8-jre-zero              8u131-b11-0ubuntu1.16.10.2

Ubuntu 16.04 LTS:
  openjdk-8-jre                   8u131-b11-0ubuntu1.16.04.2
  openjdk-8-jre-headless          8u131-b11-0ubuntu1.16.04.2
  openjdk-8-jre-jamvm             8u131-b11-0ubuntu1.16.04.2
  openjdk-8-jre-zero              8u131-b11-0ubuntu1.16.04.2

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3275-1

CVE-2017-3509, CVE-2017-3511, CVE-2017-3526, CVE-2017-3533,

CVE-2017-3539, CVE-2017-3544

Severity
critical
Lowest
Low
Medium
High
Critical

May 11, 2017

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.