Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2017-860)
Medium Nessus Plugin ID 101958
SynopsisThe remote Amazon Linux AMI host is missing a security update.
DescriptionIncorrect enforcement of certificate path restrictions :
It was discovered that the Security component of OpenJDK could fail to properly enforce restrictions defined for processing of X.509 certificate chains. A remote attacker could possibly use this flaw to make Java accept certificate using one of the disabled algorithms.
Insufficient access control checks in XML transformations (CVE-2017-10096)
Incorrect range checks in LambdaFormEditor (CVE-2017-10111)
Insufficient access control checks in AsynchronousChannelGroupImpl (CVE-2017-10090)
Incorrect key size constraint check (CVE-2017-10193)
Integer overflows in range check loop predicates (CVE-2017-10074)
PKCS#8 implementation timing attack :
A covert timing channel flaw was found in the PKCS#8 implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application repeatedly compare PKCS#8 key against an attacker controlled value could possibly use this flaw to determine the key via a timing side channel. (CVE-2017-10135)
Incorrect handling of references in DGC :
It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-10102)
Insufficient access control checks in ImageWatched (CVE-2017-10110)
Unrestricted access to com.sun.org.apache.xml.internal.resolver (CVE-2017-10101)
DSA implementation timing attack :
A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2017-10115)
Insufficient access control checks in ActivationID (CVE-2017-10107)
LDAPCertStore following referrals to non-LDAP URLs :
It was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP servers. (CVE-2017-10116)
JAR verifier incorrect handling of missing digest (CVE-2017-10067)
Reading of unprocessed image data in JPEGImageReader :
It was discovered that the JPEGImageReader implementation in the 2D component of OpenJDK would, in certain cases, read all image data even if it was not used later. A specially crafted image could cause a Java application to temporarily use an excessive amount of CPU and memory.
Unbounded memory allocation in CodeSource deserialization (CVE-2017-10109)
Unbounded memory allocation in BasicAttribute deserialization (CVE-2017-10108)
SolutionRun 'yum update java-1.8.0-openjdk' to update your system.