According to the versions of the java-1.7.0-openjdk packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Multiple flaws were discovered in the RMI and Hotspot     components in OpenJDK. An untrusted Java application or     applet could use these flaws to completely bypass Java     sandbox restrictions. (CVE-2017-10285, CVE-2017-10346)

  - It was discovered that the Kerberos client     implementation in the Libraries component of OpenJDK     used the sname field from the plain text part rather     than encrypted part of the KDC reply message. A     man-in-the-middle attacker could possibly use this flaw     to impersonate Kerberos services to Java applications     acting as Kerberos clients. (CVE-2017-10388)

  - It was discovered that the Security component of     OpenJDK generated weak password-based encryption keys     used to protect private keys stored in key stores. This     made it easier to perform password guessing attacks to     decrypt stored keys if an attacker could gain access to     a key store. (CVE-2017-10356)

  - Multiple flaws were found in the Smart Card IO and     Security components in OpenJDK. An untrusted Java     application or applet could use these flaws to bypass     certain Java sandbox restrictions. (CVE-2017-10274,     CVE-2017-10193)

  - It was found that the FtpClient implementation in the     Networking component of OpenJDK did not set connect and     read timeouts by default. A malicious FTP server or a     man-in-the-middle attacker could use this flaw to block     execution of a Java application connecting to an FTP     server. (CVE-2017-10355)

  - It was found that the HttpURLConnection and     HttpsURLConnection classes in the Networking component     of OpenJDK failed to check for newline characters     embedded in URLs. An attacker able to make a Java     application perform an HTTP request using an attacker     provided URL could possibly inject additional headers     into the request. (CVE-2017-10295)

  - It was discovered that the Security component of     OpenJDK could fail to properly enforce restrictions     defined for processing of X.509 certificate chains. A     remote attacker could possibly use this flaw to make     Java accept certificate using one of the disabled     algorithms. (CVE-2017-10198)

  - It was discovered that multiple classes in the JAXP,     Serialization, Libraries, and JAX-WS components of     OpenJDK did not limit the amount of memory allocated     when creating object instances from the serialized     form. A specially-crafted input could cause a Java     application to use an excessive amount of memory when     deserialized. (CVE-2017-10349, CVE-2017-10357,     CVE-2017-10347, CVE-2017-10281, CVE-2017-10345,     CVE-2017-10348, CVE-2017-10350)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Detections

Analytics

EulerOS 2.0 SP2 : java-1.7.0-openjdk (EulerOS-SA-2017-1331)

medium Nessus Plugin ID 105312

No changelogs found