Arch Linux Security Advisory ASA-201510-20 ========================================== Severity: Critical Date : 2015-10-23 CVE-ID : CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806 CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842 CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4868 CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883 CVE-2015-4893 CVE-2015-4901 CVE-2015-4902 CVE-2015-4903 CVE-2015-4906 CVE-2015-4908 CVE-2015-4911 CVE-2015-4916 Package : jre8-openjdk-headless Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package jre8-openjdk-headless before version 8.u65-1 is vulnerable to multiple issues including but not limited to arbitrary code execution, sandbox bypass, information disclosure and denial of service. Resolution ========== Upgrade to 8.u65-1. # pacman -Syu "jre8-openjdk-headless>=8.u65-1" The problems have been fixed upstream in version 8.u65. Workaround ========== None. Description =========== - CVE-2015-4734 (information disclosure) It was discovered that the JGSS component of OpenJDK did not properly hide Kerberos realm information from all error exceptions when running under Security Manager. An untrusted Java application or applet could use this flaw to obtain certain information about the Kerberos configuration on the host where they were executed, bypassing certain Java sandbox restrictions. - CVE-2015-4803 (denial of service) It was discovered that the JAXP component of OpenJDK did not use efficient data structures to store data from parsed XML documents. A specially-crafted XML input could cause a Java application using JAXP to use an excessive amount of CPU time by e.g. triggering hash collisions. - CVE-2015-4805 (arbitrary code execution) It was discovered that the ObjectStreamClass in the Serialization component of OpenJDK failed to ensure that the object is fully initialized before allowing calls of certain methods. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions to execute code. - CVE-2015-4806 (improper input validation) A vulnerability has been discovered leading to HttpURLConnection header restriction bypass, allowing remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. - CVE-2015-4810 (arbitrary code execution) An unspecified vulnerability has been discovered that allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. - CVE-2015-4835 (arbitrary code execution) It was discovered that the StubGenerator class in the CORBA component of OpenJDK failed to generate code with all needed permission checks related to object (de-)serialization. An untursted Java application or applet could use this flaw to bypass Java sandbox restrictions and execute arbitrary code. - CVE-2015-4840 (information disclosure) It was discovered that the 2D component of OpenJDK could perform out of bounds access and possibly disclose portions of the Java Virtual Machine memory when processing specially crafted color profiles. The issue was caused by having bundled lcms2 code use fast floor() implementation. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. - CVE-2015-4842 (information disclosure) An information disclosure flaw was found in the JAXP component of OpenJDK. An untrusted Java application or applet could use this flaw to get information about user home directory location (the content of the "user.dir" system property), hence bypassing certain Java sandbox restrictions. - CVE-2015-4843 (arbitrary code execution) Multiple integer overflow issues were found in the implementation of Buffers in the java.nio (Non-blocking I/O) packages in the Libraries component of OpenJDK. These could lead to out of bounds buffer access and Java Virtual Machine memory corruption. An untursted Java application or applet could use these flaws to run arbitrary code with the Java Virtual Machine privileges or bypass Java sandbox restrictions. - CVE-2015-4844 (arbitrary code execution) It was discovered that ICU Layout Engine was missing multiple boundary and error return checks. These could lead to buffer overflows and memory corruption. A specially crafted font file could cause an application using ICU to parse untrusted fonts to crash and, possibly, execute arbitrary code. - CVE-2015-4860 (sandbox bypass) It was discovered that the DGCImpl (for RMI distributed garbage-collection - DGC) class in the RMI component of OpenJDK failed to use restricted access control context when processing untrusted input. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. - CVE-2015-4868 (security policy bypass) A flaw was found in the way the Libraries component of OpenJDK handled certificate revocation lists (CRL). In certain cases, CRL checking code could fail to report that a certificate was revoked, causing the application to accept it as trusted. - CVE-2015-4872 (security policy bypass) It was discovered that the AlgorithmChecker class in the Security component of OpenJDK failed to properly check if a certificate satisfies all defined constraints in certain cases. This could cause a Java application to accept an X.509 certificate which does not meet requirements of the policy defined in the java.security file. - CVE-2015-4881 (sandbox bypass) It was discovered that the IIOPInputStream class in the CORBA component of OpenJDK failed to properly check object and field types during object deserialization. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. - CVE-2015-4882 (denial of service) A flaw was found in the way the IIOPInputStream class in the CORBA component of OpenJDK performed deserialization of String objects. An untrusted Java application or applet could use this flaw to crash the Java Virtual Machine. - CVE-2015-4883 (sandbox bypass) It was discovered that the DGCClient (for RMI distributed garbage-collection - DGC) class in the RMI component of OpenJDK failed to use restricted access control context when handling JRMP (Java Remote Method Protocol) messages. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. - CVE-2015-4893 (denial of service) It was discovered that the JAXP component of OpenJDK did not enforce the maximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files. A specially crafted XML document could cause a Java application using JAXP to consume an excessive amount of memory and CPU time when parsed. - CVE-2015-4901 (unknown) A unspecified vulnerability allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX. - CVE-2015-4902 (unknown) An unspecified vulnerability has been discovered that allows remote attackers to affect integrity via unknown vectors related to Deployment. - CVE-2015-4903 (sandbox bypass) It was discovered that the RemoteObjectInvocationHandler class in the RMI component of OpenJDK did not check if object proxy is an instance of a proxy class and that it uses correct invocation handler. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions by gaining access to data that should by protected by the sandbox. - CVE-2015-4906 (unknown) A unspecified vulnerability allows remote attackers to affect confidentiality via unknown vectors related to JavaFX. - CVE-2015-4908 (unknown) A unspecified vulnerability allows remote attackers to affect confidentiality via unknown vectors. - CVE-2015-4911 (denial of service) It was discovered that the StAX XML parser in the JAXP component of OpenJDK could do certain DTD processing even when DTD support was disabled via the javax.xml.stream.supportDTD system property. A specially crafted XML document could cause a Java application using JAXP to consume an excessive amount of memory and CPU time when parsed. - CVE-2015-4916 (unknown) A unspecified vulnerability allows remote attackers to affect confidentiality via unknown vectors. Impact ====== A remote attacker is able to execute arbitrary code, gain access to sensitive information, bypass sandbox restrictions or perform a denial of service attack via multiple vectors. References ========== http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#Ap... https://access.redhat.com/security/cve/CVE-2015-4734 https://access.redhat.com/security/cve/CVE-2015-4803 https://access.redhat.com/security/cve/CVE-2015-4805 https://access.redhat.com/security/cve/CVE-2015-4806 https://access.redhat.com/security/cve/CVE-2015-4810 https://access.redhat.com/security/cve/CVE-2015-4835 https://access.redhat.com/security/cve/CVE-2015-4840 https://access.redhat.com/security/cve/CVE-2015-4842 https://access.redhat.com/security/cve/CVE-2015-4843 https://access.redhat.com/security/cve/CVE-2015-4844 https://access.redhat.com/security/cve/CVE-2015-4860 https://access.redhat.com/security/cve/CVE-2015-4868 https://access.redhat.com/security/cve/CVE-2015-4872 https://access.redhat.com/security/cve/CVE-2015-4881 https://access.redhat.com/security/cve/CVE-2015-4882 https://access.redhat.com/security/cve/CVE-2015-4883 https://access.redhat.com/security/cve/CVE-2015-4893 https://access.redhat.com/security/cve/CVE-2015-4901 https://access.redhat.com/security/cve/CVE-2015-4902 https://access.redhat.com/security/cve/CVE-2015-4903 https://access.redhat.com/security/cve/CVE-2015-4906 https://access.redhat.com/security/cve/CVE-2015-4908 https://access.redhat.com/security/cve/CVE-2015-4911 https://access.redhat.com/security/cve/CVE-2015-4916