
Ubuntu 20.10: USN-4607-1 Critical: OpenJDK DoS and Info Exposure

October 27, 2020
The latest Ubuntu Security Announcement USN-4607-1 pertains to vulnerabilities in OpenJDK that may result in unauthorized data access and potential service interruptions.

Summary

Several security issues were fixed in OpenJDK.

Software Description:

- openjdk-8: Open Source Java implementation

- openjdk-lts: Open Source Java implementation

Details:

It was discovered that OpenJDK incorrectly handled deserializing Proxy
class objects with many interfaces. A remote attacker could possibly use
this issue to cause a denial of service (memory consumption) via a
specially crafted input. (CVE-2020-14779)

Sergey Ostanin discovered that OpenJDK incorrectly restricted
authentication mechanisms. A remote attacker could possibly use this
issue to obtain sensitive information over an unencrypted connection.
(CVE-2020-14781)

It was discovered that OpenJDK incorrectly handled untrusted certificates.
An attacker could possibly use this issue to read or write sensitive
information. (CVE-2020-14782)

Zhiqiang Zang discovered that OpenJDK incorrectly checked for integer
overflows. An attacker could possibly use this issue to bypass certain
Java sandbox restrictions. (CVE-20...


Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 20.10:
  openjdk-11-jdk                  11.0.9+11-0ubuntu1
  openjdk-11-jre                  11.0.9+11-0ubuntu1
  openjdk-11-jre-headless         11.0.9+11-0ubuntu1
  openjdk-11-jre-zero             11.0.9+11-0ubuntu1
  openjdk-8-jdk                   8u272-b10-0ubuntu1~20.10
  openjdk-8-jre                   8u272-b10-0ubuntu1~20.10
  openjdk-8-jre-headless          8u272-b10-0ubuntu1~20.10
  openjdk-8-jre-zero              8u272-b10-0ubuntu1~20.10

Ubuntu 20.04 LTS:
  openjdk-11-jdk                  11.0.9+11-0ubuntu1~20.04
  openjdk-11-jre                  11.0.9+11-0ubuntu1~20.04
  openjdk-11-jre-headless         11.0.9+11-0ubuntu1~20.04
  openjdk-11-jre-zero             11.0.9+11-0ubuntu1~20.04
  openjdk-8-jdk                   8u272-b10-0ubuntu1~20.04
  openjdk-8-jre                   8u272-b10-0ubuntu1~20.04
  openjdk-8-jre-headless          8u272-b10-0ubuntu1~20.04
  openjdk-8-jre-zero              8u272-b10-0ubuntu1~20.04

Ubuntu 18.04 LTS:
  openjdk-11-jdk                  11.0.9+11-0ubuntu1~18.04.1
  openjdk-11-jre                  11.0.9+11-0ubuntu1~18.04.1
  openjdk-11-jre-headless         11.0.9+11-0ubuntu1~18.04.1
  openjdk-11-jre-zero             11.0.9+11-0ubuntu1~18.04.1
  openjdk-8-jdk                   8u272-b10-0ubuntu1~18.04
  openjdk-8-jre                   8u272-b10-0ubuntu1~18.04
  openjdk-8-jre-headless          8u272-b10-0ubuntu1~18.04
  openjdk-8-jre-zero              8u272-b10-0ubuntu1~18.04

Ubuntu 16.04 LTS:
  openjdk-8-jdk                   8u272-b10-0ubuntu1~16.04
  openjdk-8-jre                   8u272-b10-0ubuntu1~16.04
  openjdk-8-jre-headless          8u272-b10-0ubuntu1~16.04
  openjdk-8-jre-zero              8u272-b10-0ubuntu1~16.04

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-4607-1

CVE-2020-14779, CVE-2020-14781, CVE-2020-14782, CVE-2020-14792,
CVE-2020-14796, CVE-2020-14797, CVE-2020-14798, CVE-2020-14803

Severity: critical
