http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

105597

1041889

RHSA-2018:3521

GLSA-201908-10

https://security.netapp.com/advisory/ntap-20181018-0001/

USN-3804-1

An update of the openjdk11 package has been released.

The remote host is affected by the vulnerability described in GLSA-201908-10 (Oracle JDK/JRE: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Oracle&rsquo;s JDK and JRE       software suites. Please review the CVE identifiers referenced below for       details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 11 Update 1, 8 Update 191, 7 Update 201, or 6 Update 211. It is, therefore, affected by multiple vulnerabilities related to the following components :

 - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Deployment (libpng) subcomponent could allow an unauthenticated, remote attacker with network access via HTTP to compromise Java SE, Java SE Embedded. (CVE-2018-13785)

 - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Hotspot subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. (CVE-2018-3169)

 - An unspecified vulnerability in the Java SE component of Oracle Java SE in the JavaFX subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE.
 (CVE-2018-3209)

 - An unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE in the JNDI subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit.
 (CVE-2018-3149) 
 - An unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE in the JSSE subcomponent could allow an unauthenticated, remote attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded, JRockit.
 (CVE-2018-3180)

 - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Networking subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded.
 (CVE-2018-3139)

 - An unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE in the Scripting subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. (CVE-2018-3183)

 - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Security subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. (CVE-2018-3136)

 - An unspecified vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE in the Serviceability subcomponent could allow a low privileged attacker with logon to the infrastructure where Java SE, Java SE Embedded executes to compromise Java SE, Java SE Embedded. (CVE-2018-3211)

 - An unspecified vulnerability in the Java SE component of Oracle Java SE in the Sound subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE.
 (CVE-2018-3157)
 - An unspecified vulnerability in the Java SE component of Oracle Java SE in the Utility subcomponent could allow an unauthenticated, remote attacker with network access via multiple protocols to compromise Java SE. (CVE-2018-3150)

This update for java-11-openjdk fixes the following issues :

Update to upstream tag jdk-11.0.1+13 (Oracle October 2018 CPU)

Security fixes :

  - S8202936, CVE-2018-3183, bsc#1112148: Improve script     engine support

  - S8199226, CVE-2018-3169, bsc#1112146: Improve field     accesses

  - S8199177, CVE-2018-3149, bsc#1112144: Enhance JNDI     lookups

  - S8202613, CVE-2018-3180, bsc#1112147: Improve TLS     connections stability

  - S8208209, CVE-2018-3180, bsc#1112147: Improve TLS     connection stability again

  - S8199172, CVE-2018-3150, bsc#1112145: Improve jar     attribute checks

  - S8200648, CVE-2018-3157, bsc#1112149: Make midi code     more sound

  - S8194534, CVE-2018-3136, bsc#1112142: Manifest better     support

  - S8208754, CVE-2018-3136, bsc#1112142: The fix for     JDK-8194534 needs updates

  - S8196902, CVE-2018-3139, bsc#1112143: Better HTTP     Redirection

Security-In-Depth fixes :

  - S8194546: Choosier FileManagers

  - S8195874: Improve jar specification adherence

  - S8196897: Improve PRNG support

  - S8197881: Better StringBuilder support

  - S8201756: Improve cipher inputs

  - S8203654: Improve cypher state updates

  - S8204497: Better formatting of decimals

  - S8200666: Improve LDAP support

  - S8199110: Address Internet Addresses

Update to upstream tag jdk-11+28 (OpenJDK 11 rc1)

  - S8207317: SSLEngine negotiation fail exception behavior     changed from fail-fast to fail-lazy

  - S8207838: AArch64: Float registers incorrectly restored     in JNI call

  - S8209637: [s390x] Interpreter doesn't call result     handler after native calls

  - S8209670: CompilerThread releasing code buffer in     destructor is unsafe

  - S8209735: Disable avx512 by default

  - S8209806: API docs should be updated to refer to     javase11

  - Report version without the '-internal' postfix

  - Don't build against gdk making the accessibility depend     on a particular version of gtk.

Update to upstream tag jdk-11+27

  - S8031761: [TESTBUG] Add a regression test for     JDK-8026328

  - S8151259: [TESTBUG]     nsk/jvmti/RedefineClasses/redefclass030 fails with     'unexpected values of outer fields of the class' when     running with -Xcomp

  - S8164639: Configure PKCS11 tests to use user-supplied     NSS libraries

  - S8189667: Desktop#moveToTrash expects incorrect '<<ALL     FILES>>' FilePermission

  - S8194949: [Graal] gc/TestNUMAPageSize.java fail with OOM     in

    -Xcomp

  - S8195156: [Graal] serviceability/jvmti/GetModulesInfo/     /JvmtiGetAllModulesTest.java fails with Graal in Xcomp     mode

  - S8199081: [Testbug] compiler/linkage/LinkageErrors.java     fails if run twice

  - S8201394: Update java.se module summary to reflect     removal of java.se.ee module

  - S8204931: Colors with alpha are painted incorrectly on     Linux

  - S8204966: [TESTBUG] hotspot/test/compiler/whitebox/     /IsMethodCompilableTest.java test fails with

    -XX:CompileThreshold=1

  - S8205608: Fix 'frames()' in ThreadReferenceImpl.c to     prevent quadratic runtime behavior

  - S8205687: TimeoutHandler generates huge core files

  - S8206176: Remove the temporary tls13VN field

  - S8206258: [Test Error] sun/security/pkcs11 tests fail if     NSS libs not found

  - S8206965: java/util/TimeZone/Bug8149452.java failed on     de_DE and ja_JP locale.

  - S8207009: TLS 1.3 half-close and synchronization issues

  - S8207046: arm32 vm crash: C1 arm32 platform functions     parameters type mismatch

  - S8207139: NMT is not enabled on Windows 2016/10

  - S8207237: SSLSocket#setEnabledCipherSuites is accepting     empty string

  - S8207355: C1 compilation hangs in     ComputeLinearScanOrder::compute_dominator

  - S8207746: C2: Lucene crashes on AVX512 instruction

  - S8207765: HeapMonitorTest.java intermittent failure

  - S8207944: java.lang.ClassFormatError: Extra bytes at the     end of class file test' possibly violation of JVMS 4.7.1

  - S8207948: JDK 11 L10n resource file update msg drop 10

  - S8207966: HttpClient response without content-length     does not return body

  - S8208125: Cannot input text into JOptionPane Text Input     Dialog

  - S8208164: (str) improve specification of String::lines

  - S8208166: Still unable to use custom SSLEngine with     default TrustManagerFactory after JDK-8207029

  - S8208189: ProblemList     compiler/graalunit/JttThreadsTest.java

  - S8208205: ProblemList tests that fail due to 'Error     attaching to process: Can't create thread_db agent!'

  - S8208226: ProblemList     com/sun/jdi/BasicJDWPConnectionTest.java

  - S8208251: serviceability/jvmti/HeapMonitor/MyPackage/     /HeapMonitorGCCMSTest.java fails intermittently on     Linux-X64

  - S8208305: ProblemList     compiler/jvmci/compilerToVM/GetFlagValueTest.java

  - S8208347: ProblemList     compiler/cpuflags/TestAESIntrinsicsOnSupportedConfig.jav     a

  - S8208353: Upgrade JDK 11 to libpng 1.6.35

  - S8208358: update bug ids mentioned in tests

  - S8208370: fix typo in ReservedStack tests' @requires

  - S8208391: Differentiate response and connect timeouts in     HTTP Client API

  - S8208466: Fix potential memory leak in harfbuzz shaping.

  - S8208496: New Test to verify concurrent behavior of TLS.

  - S8208521: ProblemList more tests that fail due to 'Error     attaching to process: Can't create thread_db agent!'

  - S8208640: [a11y] [macos] Unable to navigate between     Radiobuttons in Radio group using keyboard.

  - S8208663: JDK 11 L10n resource file update msg drop 20

  - S8208676: Missing NULL check and resource leak in     NetworkPerformanceInterface::NetworkPerformance::network
    _utilization

  - S8208691: Tighten up jdk.includeInExceptions security     property

  - S8209011: [TESTBUG] AArch64: sun/security/pkcs11/Secmod/     /TestNssDbSqlite.java fails in aarch64 platforms

  - S8209029: ProblemList tests that fail due to 'Error     attaching to process: Can't create thread_db agent!' in     jdk-11+25 testing

  - S8209149: [TESTBUG] runtime/RedefineTests/     /RedefineRunningMethods.java needs a longer timeout

  - S8209451: Please change jdk 11 milestone to FCS

  - S8209452: VerifyCACerts.java failed with 'At least one     cacert test failed'

  - S8209506: Add Google Trust Services GlobalSign root     certificates

  - S8209537: Two security tests failed after JDK-8164639     due to dependency was missed

This update was imported from the SUSE:SLE-15:Update update project.

Security Fix(es) :

  - OpenJDK: Improper field access checks (Hotspot, 8199226)     (CVE-2018-3169)

  - OpenJDK: Unrestricted access to scripting engine     (Scripting, 8202936) (CVE-2018-3183)

  - OpenJDK: Incomplete enforcement of the trustURLCodebase     restriction (JNDI, 8199177) (CVE-2018-3149)

  - OpenJDK: Incorrect handling of unsigned attributes in     signed Jar manifests (Security, 8194534) (CVE-2018-3136)

  - OpenJDK: Leak of sensitive header data via HTTP redirect     (Networking, 8196902) (CVE-2018-3139)

  - OpenJDK: Multi-Release attribute read from outside of     the main manifest attributes (Utility, 8199171)     (CVE-2018-3150)

  - OpenJDK: Missing endpoint identification algorithm check     during TLS session resumption (JSSE, 8202613)     (CVE-2018-3180)

An update for java-11-openjdk is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es) :

* OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169)

* OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183)

* OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149)

* OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136)

* OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139)

* OpenJDK: Multi-Release attribute read from outside of the main manifest attributes (Utility, 8199171) (CVE-2018-3150)

* OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

From Red Hat Security Advisory 2018:3521 :

An update for java-11-openjdk is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit.

Security Fix(es) :

* OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169)

* OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183)

* OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149)

* OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136)

* OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139)

* OpenJDK: Multi-Release attribute read from outside of the main manifest attributes (Utility, 8199171) (CVE-2018-3150)

* OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

It was discovered that the Security component of OpenJDK did not properly ensure that manifest elements were signed before use. An attacker could possibly use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions.
(CVE-2018-3136)

Artem Smotrakov discovered that the HTTP client redirection handler implementation in OpenJDK did not clear potentially sensitive information in HTTP headers when following redirections to different hosts. An attacker could use this to expose sensitive information.
(CVE-2018-3139)

It was discovered that the Java Naming and Directory Interface (JNDI) implementation in OpenJDK did not properly enforce restrictions specified by system properties in some situations. An attacker could potentially use this to execute arbitrary code. (CVE-2018-3149)

It was discovered that the Utility component of OpenJDK did not properly ensure all attributes in a JAR were signed before use. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-3150)

It was discovered that the Hotspot component of OpenJDK did not properly perform access checks in certain cases when performing field link resolution. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2018-3169)

Felix Dorre discovered that the Java Secure Socket Extension (JSSE) implementation in OpenJDK did not ensure that the same endpoint identification algorithm was used during TLS session resumption as during initial session setup. An attacker could use this to expose sensitive information. (CVE-2018-3180)

Krzysztof Szafranski discovered that the Scripting component did not properly restrict access to the scripting engine in some situations.
An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions.
(CVE-2018-3183)

Tobias Ospelt discovered that the Resource Interchange File Format (RIFF) reader implementation in OpenJDK contained an infinite loop. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-3214).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 11 Update 1, 8 Update 191, 7 Update 201, or 6 Update 211. It is, therefore, affected by multiple vulnerabilities related to the following components :

  - An unspecified vulnerability in the Java SE, Java SE     Embedded component of Oracle Java SE in the Deployment     (libpng) subcomponent could allow an unauthenticated,     remote attacker with network access via HTTP to     compromise Java SE, Java SE Embedded. (CVE-2018-13785)

  - An unspecified vulnerability in the Java SE, Java SE     Embedded component of Oracle Java SE in the Hotspot     subcomponent could allow an unauthenticated, remote     attacker with network access via multiple protocols to     compromise Java SE, Java SE Embedded. (CVE-2018-3169)

  - An unspecified vulnerability in the Java SE component     of Oracle Java SE in the JavaFX subcomponent could allow     an unauthenticated, remote attacker with network access     via multiple protocols to compromise Java SE.
    (CVE-2018-3209)

  - An unspecified vulnerability in the Java SE, Java SE     Embedded, JRockit component of Oracle Java SE in the     JNDI subcomponent could allow an unauthenticated, remote     attacker with network access via multiple protocols to     compromise Java SE, Java SE Embedded, JRockit.
    (CVE-2018-3149)  
  - An unspecified vulnerability in the Java SE, Java SE     Embedded, JRockit component of Oracle Java SE in the     JSSE subcomponent could allow an unauthenticated,     remote attacker with network access via SSL/TLS to     compromise Java SE, Java SE Embedded, JRockit.
    (CVE-2018-3180)

  - An unspecified vulnerability in the Java SE, Java SE     Embedded component of Oracle Java SE in the     Networking subcomponent could allow an unauthenticated,     remote attacker with network access via multiple     protocols to compromise Java SE, Java SE Embedded.
    (CVE-2018-3139)

  - An unspecified vulnerability in the Java SE, Java SE     Embedded, JRockit component of Oracle Java SE in the     Scripting subcomponent could allow an unauthenticated,     remote attacker with network access via multiple     protocols to compromise Java SE, Java SE Embedded,     JRockit. (CVE-2018-3183)

  - An unspecified vulnerability in the Java SE, Java SE     Embedded component of Oracle Java SE in the Security     subcomponent could allow an unauthenticated, remote     attacker with network access via multiple protocols to     compromise Java SE, Java SE Embedded. (CVE-2018-3136)

  - An unspecified vulnerability in the Java SE, Java SE     Embedded component of Oracle Java SE in the     Serviceability subcomponent could allow a low privileged     attacker with logon to the infrastructure where Java SE,     Java SE Embedded executes to compromise Java SE, Java SE     Embedded. (CVE-2018-3211)

  - An unspecified vulnerability in the Java SE component of     Oracle Java SE in the Sound subcomponent could allow an     unauthenticated, remote attacker with network access via     multiple protocols to compromise Java SE.
    (CVE-2018-3157)

  - An unspecified vulnerability in the Java SE component of     Oracle Java SE in the Utility subcomponent could allow     an unauthenticated, remote attacker with network access     via multiple protocols to compromise Java SE.
    (CVE-2018-3150)

Please consult the CVRF details for the applicable CVEs for additional information.

Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle (formerly Sun) Java SE or Java for Business installed on the remote host is prior to 11 Update 1, 8 Update 191, 7 Update 201, or 6 Update 211. It is, therefore, affected by multiple vulnerabilities :

  - An unspecified vulnerability in the Java SE Embedded     component of Oracle Java SE in the Deployment (libpng)     subcomponent could allow an unauthenticated, remote     attacker with network access via HTTP to compromise     Java SE. (CVE-2018-13785)  
  - An unspecified vulnerability in the Java SE Embedded     component of Oracle Java SE in the Hotspot subcomponent     that could allow an unauthenticated, remote attacker     with network access via multiple protocols to compromise     Java SE (CVE-2018-3169)

  - An unspecified vulnerability in the Java SE component of     Oracle Java SE in the JavaFX subcomponent could allow an     unauthenticated, remote attacker with network access via     multiple protocols to compromise Java SE.
    (CVE-2018-3209)

  - An unspecified vulnerability in the Java SE, Java SE     Embedded, and JRockit component of Oracle Java SE in     the JNDI subcomponent could allow an unauthenticated,     remote attacker with network access via multiple     protocols to compromise Java SE, Java SE Embedded, and     JRockit. (CVE-2018-3149)     
  - An unspecified vulnerability in the Java SE, Java SE     Embedded, JRockit component of Oracle Java SE in the     JSSE subcomponent could allow an unauthenticated,     remote attacker with network access via SSL/TLS to     compromise Java SE, Java SE Embedded, or JRockit.
    (CVE-2018-3180)

  - An unspecified vulnerability in the Java SE, Java SE     Embedded component of Oracle Java SE in the Networking     subcomponent could allow an unauthenticated, remote     attacker with network access via multiple protocols to     compromise Java SE or Java SE Embedded. (CVE-2018-3139)

  - An unspecified vulnerability in the Java SE, Java SE     Embedded, JRockit component of Oracle Java SE in the     Scripting subcomponent could allow an unauthenticated,     remote attacker with network access via multiple     protocols to compromise Java SE, Java SE Embedded, or     JRockit. (CVE-2018-3183)

  - An unspecified vulnerability in the Java SE, Java SE     Embedded component of Oracle Java SE in the Security     subcomponent could allow an unauthenticated, remote     attacker with network access via multiple protocols to     compromise Java SE, Java SE Embedded. (CVE-2018-3136)

  - An unspecified vulnerability in the Java SE, Java SE     Embedded component of Oracle Java SE in the     Serviceability subcomponent could allow a low privileged     attacker with logon to the infrastructure where Java SE,     Java SE Embedded executes to compromise Java SE, Java SE     Embedded. (CVE-2018-3211)

  - An unspecified vulnerability in the Java SE component of     Oracle Java SE in the Sound subcomponent could allow an     unauthenticated, remote attacker with network access via     multiple protocols to compromise Java SE.
    (CVE-2018-3157)

  - An unspecified vulnerability in the Java SE component of     Oracle Java SE in the Utility subcomponent could allow an     unauthenticated, remote attacker with network access via     multiple protocols to compromise Java SE.
    (CVE-2018-3150)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
136109	Photon OS 1.0: Openjdk11 PHSA-2020-1.0-0290	Nessus	PhotonOS Local Security Checks	critical
136100	Photon OS 3.0: Openjdk11 PHSA-2020-3.0-0084	Nessus	PhotonOS Local Security Checks	critical
127959	GLSA-201908-10 : Oracle JDK/JRE: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
700659	Oracle Java SE 6 < Update 211 / 7 < Update 201 / 8 < Update 191 / 11 < Update 1 Multiple Vulnerabilities (October 2018 CPU)	Nessus Network Monitor	Web Clients	medium
123345	openSUSE Security Update : java-11-openjdk (openSUSE-2019-818)	Nessus	SuSE Local Security Checks	critical
119209	Scientific Linux Security Update : java-11-openjdk on SL7.x x86_64 (20181107)	Nessus	Scientific Linux Local Security Checks	critical
119048	CentOS 7 : java-11-openjdk (CESA-2018:3521)	Nessus	CentOS Local Security Checks	critical
118849	Oracle Linux 7 : java-11-openjdk (ELSA-2018-3521)	Nessus	Oracle Linux Local Security Checks	critical
118815	RHEL 7 : java-11-openjdk (RHSA-2018:3521)	Nessus	Red Hat Local Security Checks	critical
118568	Ubuntu 16.04 LTS / 18.04 LTS / 18.10 : OpenJDK vulnerabilities (USN-3804-1)	Nessus	Ubuntu Local Security Checks	critical
118228	Oracle Java SE Multiple Vulnerabilities (October 2018 CPU)	Nessus	Windows	critical
118227	Oracle Java SE Multiple Vulnerabilities (October 2018 CPU) (Unix)	Nessus	Misc.	critical
118221	openSUSE Security Update : java-11-openjdk (openSUSE-2018-1205)	Nessus	SuSE Local Security Checks	critical

CVE-2018-3150

low

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

critical

critical

critical

medium

critical

critical

critical

critical

critical

critical

critical

critical

critical