
Ubuntu: 4223-1 Critical: OpenJDK Multiple Security Fixes

December 17, 2019
Multiple vulnerabilities addressed in OpenJDK for Ubuntu, including threats of denial of service and potential data leakage.

Summary

Several security issues were fixed in OpenJDK.

Software Description:

- openjdk-lts: Open Source Java implementation
- openjdk-8: Open Source Java implementation

Details:

Jan Jancar, Petr Svenda, and Vladimir Sedlacek discovered that a side-channel vulnerability existed in the ECDSA implementation in OpenJDK. An attacker could use this to expose sensitive information. (CVE-2019-2894)

It was discovered that the Socket implementation in OpenJDK did not properly restrict the creation of subclasses with a custom Socket implementation. An attacker could use this to specially create a Java class that could possibly bypass Java sandbox restrictions. (CVE-2019-2945)

Rob Hamm discovered that the Kerberos implementation in OpenJDK did not properly handle proxy credentials. An attacker could possibly use this to impersonate another user. (CVE-2019-2949)

It was discovered that a NULL pointer dereference existed in the font handling implementation in OpenJDK. An attacker could use this to...


Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.10:
  openjdk-11-jdk                  11.0.5+10-0ubuntu1.1
  openjdk-11-jre                  11.0.5+10-0ubuntu1.1
  openjdk-11-jre-headless         11.0.5+10-0ubuntu1.1
  openjdk-11-jre-zero             11.0.5+10-0ubuntu1.1

Ubuntu 19.04:
  openjdk-11-jdk                  11.0.5+10-0ubuntu1.1~19.04
  openjdk-11-jre                  11.0.5+10-0ubuntu1.1~19.04
  openjdk-11-jre-headless         11.0.5+10-0ubuntu1.1~19.04
  openjdk-11-jre-zero             11.0.5+10-0ubuntu1.1~19.04

Ubuntu 18.04 LTS:
  openjdk-11-jdk                  11.0.5+10-0ubuntu1.1~18.04
  openjdk-11-jre                  11.0.5+10-0ubuntu1.1~18.04
  openjdk-11-jre-headless         11.0.5+10-0ubuntu1.1~18.04
  openjdk-11-jre-zero             11.0.5+10-0ubuntu1.1~18.04

Ubuntu 16.04 LTS:
  openjdk-8-jdk                   8u232-b09-0ubuntu1~16.04.1
  openjdk-8-jre                   8u232-b09-0ubuntu1~16.04.1
  openjdk-8-jre-headless          8u232-b09-0ubuntu1~16.04.1
  openjdk-8-jre-jamvm             8u232-b09-0ubuntu1~16.04.1
  openjdk-8-jre-zero              8u232-b09-0ubuntu1~16.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-4223-1

CVE-2019-2894, CVE-2019-2945, CVE-2019-2949, CVE-2019-2962,
CVE-2019-2964, CVE-2019-2973, CVE-2019-2975, CVE-2019-2977,
CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987,
CVE-2019-2988, CVE-2019-2989, CVE-2019-2992, CVE-2019-2999

Severity
critical

