Fedora 31 : 1:java-1.8.0-openjdk (2020-508df53719)

medium Nessus Plugin ID 139101


Synopsis

The remote Fedora host is missing a security update.

Description

# July 2020 OpenJDK security update for OpenJDK 8.

Full release notes: https://bitly.com/oj8u262

## New features

- [JDK-8223147](https://bugs.openjdk.java.net/browse/JDK-8223147): JFR Backport

## Security fixes

- JDK-8028431, CVE-2020-14579: NullPointerException in DerValue.equals(DerValue)
- JDK-8028591, CVE-2020-14578: NegativeArraySizeException in sun.security.util.DerInputStream.getUnalignedBitString()
- JDK-8230613: Better ASCII conversions
- JDK-8231800: Better listing of arrays
- JDK-8232014: Expand DTD support
- JDK-8233255: Better Swing Buttons
- JDK-8234032: Improve basic calendar services
- JDK-8234042: Better factory production of certificates
- JDK-8234418: Better parsing with CertificateFactory
- JDK-8234836: Improve serialization handling
- JDK-8236191: Enhance OID processing
- JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
- JDK-8237592, CVE-2020-14577: Enhance certificate verification
- JDK-8238002, CVE-2020-14581: Better matrix operations
- JDK-8238804: Enhance key handling process
- JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
- JDK-8238843: Enhanced font handing
- JDK-8238920, CVE-2020-14583: Better Buffer support
- JDK-8238925: Enhance WAV file playback
- JDK-8240119, CVE-2020-14593: Less Affine Transformations
- JDK-8240482: Improved WAV file playback
- JDK-8241379: Update JCEKS support
- JDK-8241522: Manifest improved jar headers redux
- JDK-8242136, CVE-2020-14621: Better XML namespace handling

## [JDK-8240687](https://bugs.openjdk.java.net/browse/JDK-8240687): JDK Flight Recorder Integrated to OpenJDK 8u

OpenJDK 8u now contains the backport of JEP 328: Flight Recorder (https://openjdk.java.net/jeps/328) from later versions of OpenJDK.

JFR is a low-overhead framework for collecting data that helps troubleshoot the performance of the OpenJDK runtime and of Java applications. It consists of a new API for defining custom events under the `jdk.jfr` namespace and a JMX interface for interacting with the framework. A recording can also be started together with the application using the `-XX:+FlightRecorder` flag, or at runtime via `jcmd`. JFR replaces the `-XX:+EnableTracing` feature introduced in JEP 167 and provides a more efficient way to retrieve the same information. For compatibility reasons, `-XX:+EnableTracing` is still accepted, but no data will be printed.

While JFR is not built by default upstream, it is included in the Fedora binaries for the supported architectures (x86_64, AArch64 and PowerPC 64).

## [JDK-8205622](https://bugs.openjdk.java.net/browse/JDK-8205622): JFR Start Failure After AppCDS Archive Created with JFR StartFlightRecording

JFR is now disabled, with a warning, if it is enabled while a CDS archive is being dumped. The user will see the following warning message:

```
OpenJDK 64-Bit Server VM warning: JFR will be disabled during CDS dumping
```

whenever JFR is enabled during CDS dumping, for example with the following command line:

```
$ java -Xshare:dump -XX:StartFlightRecording=dumponexit=true
```

## [JDK-8244167](https://bugs.openjdk.java.net/browse/JDK-8244167): Removal of Comodo Root CA Certificate

The following expired Comodo root CA certificate was removed from the `cacerts` keystore:

- alias name: `addtrustclass1ca [jdk]`
- Distinguished Name: `CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE`

## [JDK-8244166](https://bugs.openjdk.java.net/browse/JDK-8244166): Removal of DocuSign Root CA Certificate

The following expired DocuSign root CA certificate was removed from the `cacerts` keystore:

- alias name: `keynectisrootca [jdk]`
- Distinguished Name: `CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR`

## [JDK-8240191](https://bugs.openjdk.java.net/browse/JDK-8240191): Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database

The SunPKCS11 security provider can now be initialized with NSS when FIPS-enabled external modules are configured in the Security Modules Database (NSSDB). Before this change, the SunPKCS11 provider threw a `RuntimeException` with the message `FIPS flag set for non-internal module` whenever such a library was configured for NSS in non-FIPS mode.

This change allows the JDK to work properly with recent NSS releases on GNU/Linux operating systems when the system-wide FIPS policy is turned on.

Further information can be found in [JDK-8238555](https://bugs.openjdk.java.net/browse/JDK-8238555).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected 1:java-1.8.0-openjdk package.

See Also

https://bodhi.fedoraproject.org/updates/FEDORA-2020-508df53719

https://bugs.openjdk.java.net/browse/JDK-8205622

https://bugs.openjdk.java.net/browse/JDK-8223147

https://bugs.openjdk.java.net/browse/JDK-8238555

https://bugs.openjdk.java.net/browse/JDK-8240191

https://bugs.openjdk.java.net/browse/JDK-8240687

https://bugs.openjdk.java.net/browse/JDK-8244166

https://bugs.openjdk.java.net/browse/JDK-8244167

https://openjdk.java.net/jeps/328

Plugin Details

Severity: Medium

ID: 139101

File Name: fedora_2020-508df53719.nasl

Version: 1.2

Type: local

Agent: unix

Published: 7/30/2020

Updated: 8/3/2020

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2020-14556

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:1:java-1.8.0-openjdk, cpe:/o:fedoraproject:fedora:31

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/28/2020

Vulnerability Publication Date: 7/15/2020

Reference Information

CVE: CVE-2020-14556, CVE-2020-14577, CVE-2020-14578, CVE-2020-14579, CVE-2020-14581, CVE-2020-14583, CVE-2020-14593, CVE-2020-14621