Arch Linux Security Advisory ASA-201507-16 ========================================== Severity: Critical Date : 2015-07-22 CVE-ID : CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621 CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4000 CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749 CVE-2015-4760 Package : jre7-openjdk Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package jre7-openjdk before version 7.u85_2.6.1-1 is vulnerable to multiple issues including remote code execution. Resolution ========== Upgrade to 7.u85_2.6.1-1. # pacman -Syu "jre7-openjdk>=7.u85_2.6.1-1" The problem has been fixed upstream in version 7.u85 of OpenJDK and 2.6.1 of IcedTea. Workaround ========== None. Description =========== - CVE-2015-2590 (deserialization issue in ObjectInputStream.readSerialData()): ObjectInputStream's readSerialData() could, in certain cases, incorrectly perform deserialization of data from serialized input. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. - CVE-2015-2601 (non-constant time comparisons in crypto code): It was discovered that the JCE component in OpenJDK failed to use constant time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time used to perform operations using these non-constant time comparisons. - CVE-2015-2613 (NSS / JCE: missing EC parameter validation in ECDH_Derive()): It was discovered that the Elliptic Curve (EC) cryptography code as used in Mozilla NSS (Network Security Services) library and OpenJDK JCE (Java Cryptography Extension) component failed to properly validate EC parameters as used in ECDH_Derive() function, which performs ECDH (Elliptic Curve Diffie-Hellman) key derivation. A remote attacker could use this flaw to disclose sensitive information. - CVE-2015-2621 (incorrect code permission checks in RMIConnectionImpl): It was discovered that the RMIConnectionImpl class in the JMX component of OpenJDK failed to properly check code permissions when creating repository class loaders. An untrusted Java application or applet could use this flaw to read information access to which should be restricted by the Java sandbox, partially bypassing sandbox restrictions. - CVE-2015-2625 (name for reverse DNS lookup used in certificate identity check): A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identify verification when establishing TLS/SSL connection to a host identified using IP address. In certain cases, it would incorrectly use a host name obtained after performing reverse DNS lookup of the specified IP address rather than the original IP address for the identity check, possibly leading to having a certificate issued for different identity to be accepted as valid. This issue is know to affect cases when SSLSocketFactory.createSocket() is called with certain InetAddress instances. It is not known to affect cases when target host IP is passed to createSocket() as string, or when IP is used in URL used for HttpsURLConnection. With this patch, reverse DNS lookup is no longer performed. The fix also adds new system property jdk.tls.trustNameService that can be used to allow the DNS lookup to be performed and hence have its result used during identity check. - CVE-2015-2628 (IIOPInputStream type confusion vulnerability): It was discovered that the IIOPInputStream class in the CORBA component in OpenJDK failed to properly check object field types. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. - CVE-2015-2632 (integer overflow in LETableReference verifyLength()): An integer overflow flaw, leading to out-of-bounds read, was found in the LETableReference's verifyLength() method. A specially crafted file could cause an application using ICU to parse untrusted font files to perform an invalid memory access, leading to crash and possibly disclosure of portion of application memory. ICU code is embedded the 2D component in OpenJDK and used by FontManager. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. - CVE-2015-2808 (prohibit RC4 cipher suites): It was discovered that the Invariance Weakness of the RC4 stream cipher could be used to recover plaintext from a TLS connection, when RC4 encryption is used. "The Invariance Weakness is an L-shape key pattern in RC4 keys, which once it exists in an RC4 key, preserves part of the state permutation intact throughout the initialization process. This intact part includes the least significant bits of the permutation, when processed by the PRGA algorithm, determines the least significant bits of the allegedly pseudo-random output stream along a long prefix of the stream." This can lead to significant leakage of plaintext bytes from the ciphertext. - CVE-2015-4000 (make jdk8 mode the default for jdk.tls.ephemeralDHKeySize): Prevent logjam attack TLS connections using Diffie-Hellman key exchange protocol were found to be vulnerable to an attack, in which a man-in-the-middle attacker could downgrade vulnerable TLS connections to 512-bit export-grade cryptography. The attack affects any server that supports DHE_EXPORT ciphers. - CVE-2015-4731 (improper permission checks in MBeanServerInvocationHandler): It was discovered that the JMX component in OpenJDK failed to properly handle MBean connection proxy classes. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. - CVE-2015-4732 (insufficient context checks during object deserialization): It was discovered that the Libraries component of OpenJDK failed to check current context / thread while performing object deserialization, possibly leading to incorrect input deserialization. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. - CVE-2015-4733 (RemoteObjectInvocationHandler allows calling finalize()): It was discovered that the RemoteObjectInvocationHandler class in the RMI component of OpenJDK did not prevent calls to the finalize() method. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. - CVE-2015-4748 (incorrect OCSP nextUpdate checking): A flaw was found in the way the Libraries component of OpenJDK verified OCSP (Online Certificate Status Protocol) response. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity. This could allow a Java application to accept a revoked X.509 certificate as valid if it was presented with an OCSP response generated before certificate revocation. - CVE-2015-4749 (DnsClient fails to release request information after error): It was discovered that the DnsClient client class in the JNDI (Java Naming and Directory Interface) component in OpenJDK failed to properly remove information about an outgoing DNS request from the list of outstanding DNS requests when certain errors occurred during DNS resolution. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and possibly block further DNS resolution (after exhausting all DNS transaction ids). - CVE-2015-4760 (missing boundary checks in layout engine): It was discovered that ICU Layout Engine was missing multiple boundary checks. These could lead to buffer overflows and JVM memory corruption. A specially crafted file could cause an application using ICU to parse untrusted font files to crash and, possibly, execute arbitrary code. ICU code is embedded the 2D component in OpenJDK and used by FontManager. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. Impact ====== A remote attacker can execute arbitrary code on an affected host. References ========== http://blog.fuseyism.com/index.php/2015/07/21/security-icedtea-2-6-1-for-ope... http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update... https://access.redhat.com/security/cve/CVE-2015-2590 https://access.redhat.com/security/cve/CVE-2015-2601 https://access.redhat.com/security/cve/CVE-2015-2613 https://access.redhat.com/security/cve/CVE-2015-2621 https://access.redhat.com/security/cve/CVE-2015-2625 https://access.redhat.com/security/cve/CVE-2015-2628 https://access.redhat.com/security/cve/CVE-2015-2632 https://access.redhat.com/security/cve/CVE-2015-2808 https://access.redhat.com/security/cve/CVE-2015-4000 https://access.redhat.com/security/cve/CVE-2015-4731 https://access.redhat.com/security/cve/CVE-2015-4732 https://access.redhat.com/security/cve/CVE-2015-4733 https://access.redhat.com/security/cve/CVE-2015-4748 https://access.redhat.com/security/cve/CVE-2015-4749 https://access.redhat.com/security/cve/CVE-2015-4760