Fedora 32 : 1:java-11-openjdk (2020-5d0b4a2b5b)

medium Nessus Plugin ID 138917


Synopsis

The remote Fedora host is missing a security update.

Description

# July 2020 OpenJDK security update for OpenJDK 11

Full release notes: https://bitly.com/openjdk1108

## Security fixes

- JDK-8230613: Better ASCII conversions

- JDK-8231800: Better listing of arrays

- JDK-8232014: Expand DTD support

- JDK-8233234: Better Zip Naming

- JDK-8233239, CVE-2020-14562: Enhance TIFF support

- JDK-8233255: Better Swing Buttons

- JDK-8234032: Improve basic calendar services

- JDK-8234042: Better factory production of certificates

- JDK-8234418: Better parsing with CertificateFactory

- JDK-8234836: Improve serialization handling

- JDK-8236191: Enhance OID processing

- JDK-8236867, CVE-2020-14573: Enhance Graal interface handling

- JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior

- JDK-8237592, CVE-2020-14577: Enhance certificate verification

- JDK-8238002, CVE-2020-14581: Better matrix operations

- JDK-8238013: Enhance String writing

- JDK-8238804: Enhance key handling process

- JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable

- JDK-8238843: Enhanced font handling

- JDK-8238920, CVE-2020-14583: Better Buffer support

- JDK-8238925: Enhance WAV file playback

- JDK-8240119, CVE-2020-14593: Less Affine Transformations

- JDK-8240482: Improved WAV file playback

- JDK-8241379: Update JCEKS support

- JDK-8241522: Manifest improved jar headers redux

- JDK-8242136, CVE-2020-14621: Better XML namespace handling

## [JDK-8244167](https://bugs.openjdk.java.net/browse/JDK-8244167): Removal of Comodo Root CA Certificate

The following expired Comodo root CA certificate was removed from the `cacerts` keystore:

- alias name 'addtrustclass1ca [jdk]'
- Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE

## [JDK-8244166](https://bugs.openjdk.java.net/browse/JDK-8244166): Removal of DocuSign Root CA Certificate

The following expired DocuSign root CA certificate was removed from the `cacerts` keystore:

- alias name 'keynectisrootca [jdk]'
- Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR

## [JDK-8240191](https://bugs.openjdk.java.net/browse/JDK-8240191): Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database

The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Prior to this change, the SunPKCS11 provider would throw a RuntimeException with the message 'FIPS flag set for non-internal module' when such a library was configured for NSS in non-FIPS mode.

This change allows the JDK to work properly with recent NSS releases in GNU/Linux operating systems when the system-wide FIPS policy is turned on.

Further information can be found in [JDK-8238555](https://bugs.openjdk.java.net/browse/JDK-8238555).

## [JDK-8245077](https://bugs.openjdk.java.net/browse/JDK-8245077): Default SSLEngine Should Create in Server Role

In JDK 11 and later, `javax.net.ssl.SSLEngine` by default used client mode when handshaking. As a result, the set of default enabled protocols may differ from what is expected, since `SSLEngine` is usually used in server mode. From this JDK release onwards, `SSLEngine` will default to server mode. The `javax.net.ssl.SSLEngine.setUseClientMode(boolean mode)` method may be used to configure the mode.

## [JDK-8242147](https://bugs.openjdk.java.net/browse/JDK-8242147): New System Properties to Configure the TLS Signature Schemes

Two new System Properties are added to customize the TLS signature schemes in the JDK: `jdk.tls.client.SignatureSchemes` for the TLS client side, and `jdk.tls.server.SignatureSchemes` for the server side.

Each System Property contains a comma-separated list of supported signature scheme names specifying the signature schemes that may be used for TLS connections.

The names are described in the 'Signature Schemes' section of the *Java Security Standard Algorithm Names Specification*.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected 1:java-11-openjdk package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2020-5d0b4a2b5b

https://bugs.openjdk.java.net/browse/JDK-8240191

https://bugs.openjdk.java.net/browse/JDK-8242147

https://bugs.openjdk.java.net/browse/JDK-8244166

https://bugs.openjdk.java.net/browse/JDK-8244167

https://bugs.openjdk.java.net/browse/JDK-8245077

Plugin Details

Severity: Medium

ID: 138917

File Name: fedora_2020-5d0b4a2b5b.nasl

Version: 1.2

Type: local

Agent: unix

Published: 7/27/2020

Updated: 7/30/2020

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2020-14556

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:1:java-11-openjdk, cpe:/o:fedoraproject:fedora:32

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/24/2020

Vulnerability Publication Date: 7/15/2020

Reference Information

CVE: CVE-2020-14556, CVE-2020-14562, CVE-2020-14573, CVE-2020-14577, CVE-2020-14581, CVE-2020-14583, CVE-2020-14593, CVE-2020-14621