Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 568
Alerts This Week
Warning Icon 1 568

Ubuntu 14.04: USN-3691-1 Critical OpenJDK 7 Memory Exhaustion Attacks

ubuntu
Calendar Grey June 21, 2018
Dist Ubuntu Esm H88
Ubuntu 16.04 LTS encounters severe OpenJDK 8 security flaws; multiple vulnerabilities addressed to safeguard system integrity.
Several security issues were fixed in OpenJDK 7.

Summary

Several security issues were fixed in OpenJDK 7.

Software Description:

- openjdk-7: Open Source Java implementation

Details:

It was discovered that the Security component of OpenJDK did not correctly

perform merging of multiple sections for the same file listed in JAR

archive file manifests. An attacker could possibly use this to modify

attributes in a manifest without invalidating the signature.

(CVE-2018-2790)

Francesco Palmarini, Marco Squarcina, Mauro Tempesta, and Riccardo Focardi

discovered that the Security component of OpenJDK did not restrict which

classes could be used when deserializing keys from the JCEKS key stores. An

attacker could use this to specially craft a JCEKS key store to execute

arbitrary code. (CVE-2018-2794)

It was discovered that the Security component of OpenJDK in some situations

did not properly limit the amount of memory allocated when performing

deserialization. An attacker could use this to cause a denial of service

(memory exhaustion). (CVE-20...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.04 LTS:
  icedtea-7-jre-jamvm             7u181-2.6.14-0ubuntu0.1
  openjdk-7-jre                   7u181-2.6.14-0ubuntu0.1
  openjdk-7-jre-headless          7u181-2.6.14-0ubuntu0.1
  openjdk-7-jre-lib               7u181-2.6.14-0ubuntu0.1
  openjdk-7-jre-zero              7u181-2.6.14-0ubuntu0.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3691-1

CVE-2018-2790, CVE-2018-2794, CVE-2018-2795, CVE-2018-2796,

CVE-2018-2797, CVE-2018-2798, CVE-2018-2799, CVE-2018-2800,

CVE-2018-2814, CVE-2018-2815

Severity
critical
Lowest
Low
Medium
High
Critical

June 21, 2018

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.