Amazon Linux AMI : java-1.8.0-openjdk (ALAS-2017-860)

Medium Nessus Plugin ID 101958

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 7.3

Synopsis

The remote Amazon Linux AMI host is missing a security update.

Description

Incorrect enforcement of certificate path restrictions :

It was discovered that the Security component of OpenJDK could fail to properly enforce restrictions defined for processing of X.509 certificate chains. A remote attacker could possibly use this flaw to make Java accept certificate using one of the disabled algorithms.
(CVE-2017-10198)

Insufficient access control checks in XML transformations (CVE-2017-10096)

Incorrect range checks in LambdaFormEditor (CVE-2017-10111)

Insufficient access control checks in AsynchronousChannelGroupImpl (CVE-2017-10090)

Incorrect key size constraint check (CVE-2017-10193)

Integer overflows in range check loop predicates (CVE-2017-10074)

PKCS#8 implementation timing attack :

A covert timing channel flaw was found in the PKCS#8 implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application repeatedly compare PKCS#8 key against an attacker controlled value could possibly use this flaw to determine the key via a timing side channel. (CVE-2017-10135)

Incorrect handling of references in DGC :

It was discovered that the DCG implementation in the RMI component of OpenJDK failed to correctly handle references. A remote attacker could possibly use this flaw to execute arbitrary code with the privileges of RMI registry or a Java RMI application. (CVE-2017-10102)

Insufficient access control checks in ImageWatched (CVE-2017-10110)

Unrestricted access to com.sun.org.apache.xml.internal.resolver (CVE-2017-10101)

DSA implementation timing attack :

A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel. (CVE-2017-10115)

Insufficient access control checks in ActivationID (CVE-2017-10107)

LDAPCertStore following referrals to non-LDAP URLs :

It was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP servers. (CVE-2017-10116)

JAR verifier incorrect handling of missing digest (CVE-2017-10067)

Reading of unprocessed image data in JPEGImageReader :

It was discovered that the JPEGImageReader implementation in the 2D component of OpenJDK would, in certain cases, read all image data even if it was not used later. A specially crafted image could cause a Java application to temporarily use an excessive amount of CPU and memory.
(CVE-2017-10053)

Unbounded memory allocation in CodeSource deserialization (CVE-2017-10109)

Unbounded memory allocation in BasicAttribute deserialization (CVE-2017-10108)

Solution

Run 'yum update java-1.8.0-openjdk' to update your system.

See Also

https://alas.aws.amazon.com/ALAS-2017-860.html

Plugin Details

Severity: Medium

ID: 101958

File Name: ala_ALAS-2017-860.nasl

Version: 3.8

Type: local

Agent: unix

Published: 2017/07/26

Updated: 2019/07/10

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 7.3

CVSS v2.0

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:java-1.8.0-openjdk, p-cpe:/a:amazon:linux:java-1.8.0-openjdk-debuginfo, p-cpe:/a:amazon:linux:java-1.8.0-openjdk-demo, p-cpe:/a:amazon:linux:java-1.8.0-openjdk-devel, p-cpe:/a:amazon:linux:java-1.8.0-openjdk-headless, p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc, p-cpe:/a:amazon:linux:java-1.8.0-openjdk-javadoc-zip, p-cpe:/a:amazon:linux:java-1.8.0-openjdk-src, cpe:/o:amazon:linux

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Patch Publication Date: 2017/07/25

Vulnerability Publication Date: 2017/08/08

Reference Information

CVE: CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10111, CVE-2017-10115, CVE-2017-10116, CVE-2017-10135, CVE-2017-10193, CVE-2017-10198

ALAS: 2017-860