108094

RHSA-2019:1163

RHSA-2019:1164

RHSA-2019:1165

RHSA-2019:1166

RHSA-2019:1238

RHSA-2019:1325

https://bugs.eclipse.org/bugs/show_bug.cgi?id=545588

The version of Java SDK installed on the remote AIX host is affected by multiple vulnerabilities in the following subcomponents :

  - A flaw exists in Libraries that allows an unauthenticated, remote    attacker to cause denial of service. (CVE-2019-2602)

  - A flaw exists in the RMI component that allows an unauthenticated,     remote attacker to cause unspecified integrity impact.
    (CVE-2019-2684)

  - Flaws exist in the 2D component that allows an unauthenticated,     remote attacker to take control of the system via unspecified     means. (CVE-2019-2697, CVE-2019-2698)

  - A flaw exists in Eclipse OpenJ9 that allows an unauthenticated,     remote attacker to cause denial of service. (CVE-2019-10245)

This update for java-1_8_0-ibm fixes the following issues :

Update to Java 8.0 Service Refresh 5 Fix Pack 35.

Security issues fixed :

CVE-2019-10245: Fixed Java bytecode verifier issue causing crashes (bsc#1134718).

CVE-2019-2698: Fixed out of bounds access flaw in the 2D component (bsc#1132729).

CVE-2019-2697: Fixed flaw inside the 2D component (bsc#1132734).

CVE-2019-2602: Fixed flaw inside BigDecimal implementation (Component:
Libraries) (bsc#1132728).

CVE-2019-2684: Fixed flaw was found in the RMI registry implementation (bsc#1132732).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for java-1.8.0-ibm is now available for Red Hat Satellite 5.8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR5-FP35.

Security Fix(es) :

* Oracle JDK: Unspecified vulnerability fixed in 7u221 and 8u211 (2D) (CVE-2019-2697)

* OpenJDK: Font layout engine out of bounds access setCurrGlyphID() (2D, 8219022) (CVE-2019-2698)

* OpenJDK: Slow conversion of BigDecimal to long (Libraries, 8211936) (CVE-2019-2602)

* OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453) (CVE-2019-2684)

* IBM JDK: Read beyond the end of bytecode array causing JVM crash (CVE-2019-10245)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This update for java-1_7_1-ibm fixes the following issues :

Update to Java 7.1 Service Refresh 4 Fix Pack 45.

Security issues fixed :

CVE-2019-10245: Fixed Java bytecode verifier issue causing crashes (bsc#1134718).

CVE-2019-2698: Fixed out of bounds access flaw in the 2D component (bsc#1132729).

CVE-2019-2697: Fixed flaw inside the 2D component (bsc#1132734).

CVE-2019-2602: Fixed flaw inside BigDecimal implementation (Component:
Libraries) (bsc#1132728).

CVE-2019-2684: Fixed flaw was found in the RMI registry implementation (bsc#1132732).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR5-FP35.

Security Fix(es) :

* IBM JDK: buffer overflow in jio_snprintf() and jio_vsnprintf() (CVE-2018-12547)

* IBM JDK: missing null check when accelerating Unsafe calls (CVE-2018-12549)

* Oracle JDK: Unspecified vulnerability fixed in 7u221 and 8u211 (2D) (CVE-2019-2697)

* OpenJDK: Font layout engine out of bounds access setCurrGlyphID() (2D, 8219022) (CVE-2019-2698)

* OpenJDK: memory disclosure in FileChannelImpl (Libraries, 8206290) (CVE-2019-2422)

* OpenJDK: Slow conversion of BigDecimal to long (Libraries, 8211936) (CVE-2019-2602)

* OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453) (CVE-2019-2684)

* IBM JDK: Read beyond the end of bytecode array causing JVM crash (CVE-2019-10245)

* libjpeg-turbo: Divide By Zero in alloc_sarray function in jmemmgr.c (CVE-2018-11212)

* Oracle JDK: unspecified vulnerability fixed in 8u201 (Deployment) (CVE-2019-2449)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 7 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 7 to version 7R1 SR4-FP45.

Security Fix(es) :

* Oracle JDK: Unspecified vulnerability fixed in 7u221 and 8u211 (2D) (CVE-2019-2697)

* OpenJDK: Font layout engine out of bounds access setCurrGlyphID() (2D, 8219022) (CVE-2019-2698)

* OpenJDK: Slow conversion of BigDecimal to long (Libraries, 8211936) (CVE-2019-2602)

* OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453) (CVE-2019-2684)

* IBM JDK: Read beyond the end of bytecode array causing JVM crash (CVE-2019-10245)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

An update for java-1.7.1-ibm is now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

IBM Java SE version 7 Release 1 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 7 to version 7R1 SR4-FP45.

Security Fix(es) :

* Oracle JDK: Unspecified vulnerability fixed in 7u221 and 8u211 (2D) (CVE-2019-2697)

* OpenJDK: Font layout engine out of bounds access setCurrGlyphID() (2D, 8219022) (CVE-2019-2698)

* OpenJDK: Slow conversion of BigDecimal to long (Libraries, 8211936) (CVE-2019-2602)

* OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453) (CVE-2019-2684)

* IBM JDK: Read beyond the end of bytecode array causing JVM crash (CVE-2019-10245)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR5-FP35.

Security Fix(es) :

* Oracle JDK: Unspecified vulnerability fixed in 7u221 and 8u211 (2D) (CVE-2019-2697)

* OpenJDK: Font layout engine out of bounds access setCurrGlyphID() (2D, 8219022) (CVE-2019-2698)

* OpenJDK: Slow conversion of BigDecimal to long (Libraries, 8211936) (CVE-2019-2602)

* OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453) (CVE-2019-2684)

* IBM JDK: Read beyond the end of bytecode array causing JVM crash (CVE-2019-10245)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR5-FP35.

Security Fix(es) :

* Oracle JDK: Unspecified vulnerability fixed in 7u221 and 8u211 (2D) (CVE-2019-2697)

* OpenJDK: Font layout engine out of bounds access setCurrGlyphID() (2D, 8219022) (CVE-2019-2698)

* OpenJDK: Slow conversion of BigDecimal to long (Libraries, 8211936) (CVE-2019-2602)

* OpenJDK: Incorrect skeleton selection in RMI registry server-side dispatch handling (RMI, 8218453) (CVE-2019-2684)

* IBM JDK: Read beyond the end of bytecode array causing JVM crash (CVE-2019-10245)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

ID	Name	Product	Family	Severity
126924	AIX Java Advisory : java_apr2019_advisory.asc (April 2019 CPU)	Nessus	AIX Local Security Checks	medium
126336	SUSE SLED15 / SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2019:1308-2)	Nessus	SuSE Local Security Checks	medium
126167	SUSE SLES12 Security Update : java-1_8_0-ibm (SUSE-SU-2019:1644-1)	Nessus	SuSE Local Security Checks	medium
125756	RHEL 6 : java-1.8.0-ibm (RHSA-2019:1325)	Nessus	Red Hat Local Security Checks	medium
125461	SUSE SLES12 Security Update : java-1_7_1-ibm (SUSE-SU-2019:1345-1)	Nessus	SuSE Local Security Checks	medium
125336	SUSE SLES11 Security Update : java-1_7_1-ibm (SUSE-SU-2019:14059-1)	Nessus	SuSE Local Security Checks	medium
125335	SUSE SLES15 Security Update : java-1_8_0-ibm (SUSE-SU-2019:1308-1)	Nessus	SuSE Local Security Checks	medium
125239	RHEL 8 : java-1.8.0-ibm (RHSA-2019:1238)	Nessus	Red Hat Local Security Checks	high
125015	RHEL 7 : java-1.7.1-ibm (RHSA-2019:1166)	Nessus	Red Hat Local Security Checks	medium
125014	RHEL 6 : java-1.7.1-ibm (RHSA-2019:1165)	Nessus	Red Hat Local Security Checks	medium
125013	RHEL 7 : java-1.8.0-ibm (RHSA-2019:1164)	Nessus	Red Hat Local Security Checks	medium
125012	RHEL 6 : java-1.8.0-ibm (RHSA-2019:1163)	Nessus	Red Hat Local Security Checks	medium

CVE-2019-10245

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins