Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 510
Alerts This Week
Warning Icon 1 510

Ubuntu 18.04, 18.10, 16.04 LTS: USN-3804-1 OpenJDK Security Issues

ubuntu
Calendar Grey October 30, 2018
Dist Ubuntu Esm H88
Ubuntu Security Notice USN-3804-1 October 30, 2018 openjdk-8, openjdk-lts vulnerabilities A security
Several security issues were fixed in OpenJDK.

Summary

Several security issues were fixed in OpenJDK.

Software Description:

- openjdk-lts: Open Source Java implementation

- openjdk-8: Open Source Java implementation

Details:

It was discovered that the Security component of OpenJDK did not properly

ensure that manifest elements were signed before use. An attacker could

possibly use this to specially construct an untrusted Java application or

applet that could escape sandbox restrictions. (CVE-2018-3136)

Artem Smotrakov discovered that the HTTP client redirection handler

implementation in OpenJDK did not clear potentially sensitive information

in HTTP headers when following redirections to different hosts. An attacker

could use this to expose sensitive information. (CVE-2018-3139)

It was discovered that the Java Naming and Directory Interface (JNDI)

implementation in OpenJDK did not properly enforce restrictions specified

by system properties in some situations. An attacker could potentially use

this to execute...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
  openjdk-11-jdk                  11.0.1+13-2ubuntu1
  openjdk-11-jre                  11.0.1+13-2ubuntu1
  openjdk-11-jre-headless         11.0.1+13-2ubuntu1

Ubuntu 18.04 LTS:
  openjdk-11-jdk                  10.0.2+13-1ubuntu0.18.04.3
  openjdk-11-jre                  10.0.2+13-1ubuntu0.18.04.3
  openjdk-11-jre-headless         10.0.2+13-1ubuntu0.18.04.3

Ubuntu 16.04 LTS:
  openjdk-8-jdk                   8u181-b13-1ubuntu0.16.04.1
  openjdk-8-jre                   8u181-b13-1ubuntu0.16.04.1
  openjdk-8-jre-headless          8u181-b13-1ubuntu0.16.04.1
  openjdk-8-jre-jamvm             8u181-b13-1ubuntu0.16.04.1

This update uses a new upstream release, which includes additional
bug fixes. After a standard system update you need to restart any
Java applications or applets to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3804-1

CVE-2018-3136, CVE-2018-3139, CVE-2018-3149, CVE-2018-3150,

CVE-2018-3169, CVE-2018-3180, CVE-2018-3183, CVE-2018-3214

Severity
critical
Lowest
Low
Medium
High
Critical

October 30, 2018

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.