openSUSE Security Update : java-1_8_0-openjdk (openSUSE-2018-1138)

Medium Nessus Plugin ID 117986

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for java-1_8_0-openjdk to the jdk8u181 (icedtea 3.9.0) release fixes the following issues:

These security issues were fixed:

- CVE-2018-2938: A difficult-to-exploit vulnerability allowed an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE (bsc#1101644).

- CVE-2018-2940: Vulnerability in subcomponent: Libraries. An easily exploitable vulnerability allowed an unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data (bsc#1101645).

- CVE-2018-2952: Vulnerability in subcomponent: Concurrency. A difficult-to-exploit vulnerability allowed an unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit (bsc#1101651).

- CVE-2018-2973: Vulnerability in subcomponent: JSSE. A difficult-to-exploit vulnerability allowed an unauthenticated attacker with network access via SSL/TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data (bsc#1101656).

These non-security issues were fixed:

- Improve desktop file usage

- Better Internet address support

- speculative traps break when classes are redefined

- sun/security/pkcs11/ec/ReadCertificates.java fails intermittently

- Clean up code that saves the previous versions of redefined classes

- Prevent SIGSEGV in ReceiverTypeData::clean_weak_klass_links

- RedefineClasses() tests fail assert(((Metadata*)obj)->is_valid()) failed: obj is valid

- NMT is not enabled if NMT option is specified after class path specifiers

- EndEntityChecker should not process custom extensions after PKIX validation

- SupportedDSAParamGen.java failed with timeout

- Montgomery multiply intrinsic should use correct name

- When determining the ciphersuite lists, there is no debug output for disabled suites.

- sun/security/mscapi/SignedObjectChain.java fails on Windows

- On Windows Swing changes keyboard layout on a window activation

- IfNode::range_check_trap_proj() should handler dying subgraph with single if proj

- Even better Internet address support

- Newlines in JAXB string values of SOAP-requests are escaped to ' '

- TestFlushableGZIPOutputStream failing with IndexOutOfBoundsException

- Unable to use JDWP API in JDK 8 to debug JDK 9 VM

- Hotspot crash on Cassandra 3.11.1 startup with libnuma 2.0.3

- Performance drop with Java JDK 1.8.0_162-b32

- Upgrade time-zone data to tzdata2018d

- Fix potential crash in BufImg_SetupICM

- JDK 8u181 l10n resource file update

- Remove debug print statements from RMI fix

- (tz) Upgrade time-zone data to tzdata2018e

- ObjectInputStream filterCheck method throws NullPointerException

- adjust reflective access checks

- Fixed builds on s390 (bsc#1106812)

This update was imported from the SUSE:SLE-15:Update update project.

Solution

Update the affected java-1_8_0-openjdk packages.

See Also

https://bugzilla.opensuse.org/show_bug.cgi?id=1101644

https://bugzilla.opensuse.org/show_bug.cgi?id=1101645

https://bugzilla.opensuse.org/show_bug.cgi?id=1101651

https://bugzilla.opensuse.org/show_bug.cgi?id=1101656

https://bugzilla.opensuse.org/show_bug.cgi?id=1106812

Plugin Details

Severity: Medium

ID: 117986

File Name: openSUSE-2018-1138.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2018/10/09

Modified: 2018/10/09

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:java-1_8_0-openjdk, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-accessibility, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-debugsource, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-demo-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-devel-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-headless-debuginfo, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-javadoc, p-cpe:/a:novell:opensuse:java-1_8_0-openjdk-src, cpe:/o:novell:opensuse:15.0

Patch Publication Date: 2018/10/06

Reference Information

CVE: CVE-2018-2938, CVE-2018-2940, CVE-2018-2952, CVE-2018-2973