Alpine: multiple openjdk8 packages: security update to 8.111.14-r1 (deprecated)

Critical | Tenable Cloud Security | Plugin ID 400930

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot).
Supported versions that are affected are Java SE: 7u121 and 8u112; Java SE Embedded: 8u111. Easily
exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other
than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly
impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE,
Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,
code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not
apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed
by an administrator). CVSS v3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts).
(CVE-2017-3289)

- The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and
products, have a birthday bound of approximately four billion blocks, which makes it easier for remote
attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as
demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. (CVE-2016-2183)

- Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent:
Libraries). Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded:
8u111; JRockit: R28.3.12. Easily exploitable vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this
vulnerability can result in unauthorized creation, deletion or modification access to critical data or all
Java SE, Java SE Embedded, JRockit accessible data. Note: Applies to client and server deployment of Java.
This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java
applets. It can also be exploited by supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS v3.0
Base Score 7.5 (Integrity impacts). (CVE-2016-5546)

- Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent:
Libraries). Supported versions that are affected are Java SE: 7u121 and 8u112; Java SE Embedded: 8u111;
JRockit: R28.3.12. Easily exploitable vulnerability allows unauthenticated attacker with network access
via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this
vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of
Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This
vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets.
It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java
Web Start applications or sandboxed Java applets, such as through a web service. CVSS v3.0 Base Score 5.3
(Availability impacts). (CVE-2016-5547)

- Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries).
Supported versions that are affected are Java SE: 6u131, 7u121 and 8u112; Java SE Embedded: 8u111. Easily
exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other
than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical
data or complete access to all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies
to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java
sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that
load and run only trusted code (e.g., code installed by an administrator). CVSS v3.0 Base Score 6.5
(Confidentiality impacts). (CVE-2016-5548)

See Also

https://git.alpinelinux.org/aports/commit/?id=51235b6d75fcf6e3cea97c71c2f89d79fb0f7d48

https://git.alpinelinux.org/aports/commit/?id=8e7189a1617d04d056d6936f4924d8ea7b647dc0

Plugin Details

Severity: Critical

ID: 400930

Version: Revision 1.25

Type: Local

Published: 8/16/2023

Updated: 5/30/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7

Percentile: 98.31

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2017-3289

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/6/2017

Vulnerability Publication Date: 6/1/2016

Reference Information

CVE: CVE-2016-2183, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3260, CVE-2017-3261, CVE-2017-3272, CVE-2017-3289

BID: 92630, 95488, 95498, 95506, 95509, 95512, 95521, 95525, 95530, 95533, 95559, 95563, 95566, 95576