Advisories ยป MGASA-2017-0460

Updated java-1.8.0-openjdk packages fix security vulnerabilities

Publication date: 21 Dec 2017
Modification date: 21 Dec 2017
Type: security
Affected Mageia releases : 5 , 6
CVE: CVE-2017-10285 , CVE-2017-10346 , CVE-2017-10388 , CVE-2017-10356 , CVE-2017-10274 , CVE-2017-10355 , CVE-2017-10295 , CVE-2017-10349 , CVE-2017-10357 , CVE-2017-10347 , CVE-2017-10281 , CVE-2017-10345 , CVE-2017-10348 , CVE-2017-10350

Description

Multiple flaws were discovered in the RMI and Hotspot components in
OpenJDK. An untrusted Java application or applet could use these flaws
to completely bypass Java sandbox restrictions. (CVE-2017-10285,
CVE-2017-10346)

It was discovered that the Kerberos client implementation in the
Libraries component of OpenJDK used the sname field from the plain text
part rather than encrypted part of the KDC reply message. A man-in-the-
middle attacker could possibly use this flaw to impersonate Kerberos
services to Java applications acting as Kerberos clients.
(CVE-2017-10388)

It was discovered that the Security component of OpenJDK generated weak
password-based encryption keys used to protect private keys stored in
key stores. This made it easier to perform password guessing attacks to
decrypt stored keys if an attacker could gain access to a key store.
(CVE-2017-10356)

A flaw was found in the Smart Card IO component in OpenJDK. An untrusted
Java application or applet could use this flaw to bypass certain Java
sandbox restrictions. (CVE-2017-10274)

It was found that the FtpClient implementation in the Networking
component of OpenJDK did not set connect and read timeouts by default.
A malicious FTP server or a man-in-the-middle attacker could use this
flaw to block execution of a Java application connecting to an FTP
server. (CVE-2017-10355)

It was found that the HttpURLConnection and HttpsURLConnection classes
in the Networking component of OpenJDK failed to check for newline
characters embedded in URLs. An attacker able to make a Java application
perform an HTTP request using an attacker provided URL could possibly
inject additional headers into the request. (CVE-2017-10295)

It was discovered that multiple classes in the JAXP, Serialization,
Libraries, and JAX-WS components of OpenJDK did not limit the amount of
memory allocated when creating object instances from the serialized
form. A specially-crafted input could cause a Java application to use an
excessive amount of memory when deserialized. (CVE-2017-10349,
CVE-2017-10357, CVE-2017-10347, CVE-2017-10281, CVE-2017-10345,
CVE-2017-10348, CVE-2017-10350)
                

References

SRPMS

6/core

5/core