[arch-security] [ASA-201507-16] jre7-openjdk: multiple issues

Remi Gacogne rgacogne at archlinux.org
Wed Jul 22 14:02:59 UTC 2015


Arch Linux Security Advisory ASA-201507-16
==========================================

Severity: Critical
Date    : 2015-07-22
CVE-ID  : CVE-2015-2590 CVE-2015-2601 CVE-2015-2613 CVE-2015-2621
CVE-2015-2625 CVE-2015-2628 CVE-2015-2632 CVE-2015-2808 CVE-2015-4000
CVE-2015-4731 CVE-2015-4732 CVE-2015-4733 CVE-2015-4748 CVE-2015-4749
CVE-2015-4760
Package : jre7-openjdk
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package jre7-openjdk before version 7.u85_2.6.1-1 is vulnerable to
multiple issues including remote code execution.

Resolution
==========

Upgrade to 7.u85_2.6.1-1.

# pacman -Syu "jre7-openjdk>=7.u85_2.6.1-1"

The problem has been fixed upstream in version 7.u85 of OpenJDK and
2.6.1 of IcedTea.

Workaround
==========

None.

Description
===========

- CVE-2015-2590 (deserialization issue in
ObjectInputStream.readSerialData()):

ObjectInputStream's readSerialData() could, in certain cases,
incorrectly perform deserialization of data from serialized input. An
untrusted Java application or applet could use this flaw to bypass Java
sandbox restrictions.

- CVE-2015-2601 (non-constant time comparisons in crypto code):

It was discovered that the JCE component in OpenJDK failed to use
constant time comparisons in multiple cases. An attacker could possibly
use these flaws to disclose sensitive information by measuring the time
used to perform operations using these non-constant time comparisons.
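
The difference between an early-exit comparison and a constant-time one, shown on an HMAC tag. This is an added example, not code from OpenJDK or from this advisory; the class name, key, message and the bytesInspected counter are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class MacCompareDemo {
    static int bytesInspected; // instrumentation for this demo only

    // Early exit: work done depends on the position of the first wrong byte.
    static boolean earlyExitEquals(byte[] a, byte[] b) {
        bytesInspected = 0;
        if (a.length != b.length) return false;
        for (int i = 0; i < a.length; i++) {
            bytesInspected++;
            if (a[i] != b[i]) return false;
        }
        return true;
    }

    // Constant time: every byte is examined and differences are OR-ed together.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        bytesInspected = 0;
        if (a.length != b.length) return false; // the tag length is public
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            bytesInspected++;
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] tag = mac.doFinal("constructed message".getBytes(StandardCharsets.UTF_8));

        for (int firstWrong : new int[] {0, 8, 31}) {
            byte[] guess = tag.clone();
            guess[firstWrong] ^= 0x01; // bytes before this index are correct
            earlyExitEquals(tag, guess);
            int leaky = bytesInspected;
            constantTimeEquals(tag, guess);
            System.out.printf("first wrong byte %2d: early-exit inspected %2d, constant-time %2d%n",
                    firstWrong, leaky, bytesInspected);
        }
        // The JDK's own byte-array comparison for digests and MACs.
        System.out.println("MessageDigest.isEqual(tag, tag) = " + MessageDigest.isEqual(tag, tag));
    }
}
```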

- CVE-2015-2613 (NSS / JCE: missing EC parameter validation in
ECDH_Derive()):

It was discovered that the Elliptic Curve (EC) cryptography code used in
the Mozilla NSS (Network Security Services) library and the OpenJDK JCE
(Java Cryptography Extension) component failed to properly validate EC
parameters used in the ECDH_Derive() function, which performs ECDH
(Elliptic Curve Diffie-Hellman) key derivation. A remote attacker could
use this flaw to disclose sensitive information.

- CVE-2015-2621 (incorrect code permission checks in RMIConnectionImpl):

It was discovered that the RMIConnectionImpl class in the JMX component
of OpenJDK failed to properly check code permissions when creating
repository class loaders. An untrusted Java application or applet could
use this flaw to read information access to which should be restricted
by the Java sandbox, partially bypassing sandbox restrictions.

- CVE-2015-2625 (name for reverse DNS lookup used in certificate
identity check):

A flaw was found in the way the JSSE component in OpenJDK performed
X.509 certificate identity verification when establishing a TLS/SSL
connection to a host identified by IP address. In certain cases, it
would incorrectly use a host name obtained from a reverse DNS lookup of
the specified IP address, rather than the original IP address, for the
identity check, possibly causing a certificate issued for a different
identity to be accepted as valid.

This issue is known to affect cases where
SSLSocketFactory.createSocket() is called with certain InetAddress
instances. It is not known to affect cases where the target host IP is
passed to createSocket() as a string, or where an IP is used in the URL
for an HttpsURLConnection.

With this patch, the reverse DNS lookup is no longer performed. The fix
also adds a new system property, jdk.tls.trustNameService, that can be
used to allow the DNS lookup to be performed and hence have its result
used during the identity check.

- CVE-2015-2628 (IIOPInputStream type confusion vulnerability):

It was discovered that the IIOPInputStream class in the CORBA component
in OpenJDK failed to properly check object field types. An untrusted
Java application or applet could use this flaw to bypass Java sandbox
restrictions.

- CVE-2015-2632 (integer overflow in LETableReference verifyLength()):

An integer overflow flaw, leading to an out-of-bounds read, was found in
LETableReference's verifyLength() method. A specially crafted file
could cause an application using ICU to parse untrusted font files to
perform an invalid memory access, leading to a crash and possibly
disclosure of a portion of application memory.

ICU code is embedded in the 2D component in OpenJDK and used by
FontManager. An untrusted Java application or applet could use this flaw
to bypass certain Java sandbox restrictions.

- CVE-2015-2808 (prohibit RC4 cipher suites):

It was discovered that the Invariance Weakness of the RC4 stream cipher
could be used to recover plaintext from a TLS connection, when RC4
encryption is used.

"The Invariance Weakness is an L-shape key pattern in RC4 keys, which
once it exists in an RC4 key, preserves part of the state permutation
intact throughout the initialization process. This intact part includes
the least significant bits of the permutation, when processed by the
PRGA algorithm, determines the least significant bits of the allegedly
pseudo-random output stream along a long prefix of the stream."

This can lead to significant leakage of plaintext bytes from the ciphertext.

- CVE-2015-4000 (make jdk8 mode the default for jdk.tls.ephemeralDHKeySize):

Prevent the Logjam attack.

TLS connections using the Diffie-Hellman key exchange protocol were
found to be vulnerable to an attack in which a man-in-the-middle
attacker could downgrade vulnerable TLS connections to 512-bit
export-grade cryptography. The attack affects any server that supports
DHE_EXPORT ciphers.
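
A post-upgrade check for the RC4 (CVE-2015-2808) and DHE_EXPORT (CVE-2015-4000) items above: list which cipher suites a JVM enables by default and show the related settings. This is an added example, not part of the advisory or of OpenJDK; the class name and the sample suite list are constructed, and jdk.tls.disabledAlgorithms is a JDK security property that the advisory itself does not mention.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

public class TlsDefaultsAudit {
    // Flags suite names that fall under the two TLS items in this advisory.
    static List<String> findings(String[] suites) {
        List<String> out = new ArrayList<String>();
        for (String s : suites) {
            if (s.contains("_RC4_")) out.add(s + ": RC4 (CVE-2015-2808)");
            if (s.contains("_DHE_") && s.contains("_EXPORT_"))
                out.add(s + ": DHE_EXPORT (CVE-2015-4000)");
        }
        return out;
    }

    static void report(String label, String[] suites) {
        List<String> bad = findings(suites);
        System.out.println(label + ": " + suites.length + " suites, " + bad.size() + " flagged");
        for (String b : bad) System.out.println("  " + b);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample list, so the checks are exercised on any runtime.
        report("constructed sample", new String[] {
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "SSL_RSA_WITH_RC4_128_SHA",
            "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA" });

        // What this JVM enables by default for new connections.
        report("this JVM's defaults",
               SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites());

        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.ephemeralDHKeySize = "
                + System.getProperty("jdk.tls.ephemeralDHKeySize", "(unset, JDK default applies)"));
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

Run it with the same java binary and options that the service uses, since an application can override the defaults per socket.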

- CVE-2015-4731 (improper permission checks in
MBeanServerInvocationHandler):

It was discovered that the JMX component in OpenJDK failed to properly
handle MBean connection proxy classes. An untrusted Java application or
applet could use this flaw to bypass Java sandbox restrictions.

- CVE-2015-4732 (insufficient context checks during object deserialization):

It was discovered that the Libraries component of OpenJDK failed to
check current context / thread while performing object deserialization,
possibly leading to incorrect input deserialization. An untrusted Java
application or applet could use this flaw to bypass Java sandbox
restrictions.

- CVE-2015-4733 (RemoteObjectInvocationHandler allows calling finalize()):

It was discovered that the RemoteObjectInvocationHandler class in the
RMI component of OpenJDK did not prevent calls to the finalize() method.
An untrusted Java application or applet could use this flaw to bypass
Java sandbox restrictions.

- CVE-2015-4748 (incorrect OCSP nextUpdate checking):

A flaw was found in the way the Libraries component of OpenJDK verified
OCSP (Online Certificate Status Protocol) responses. An OCSP response
with no nextUpdate date specified was incorrectly handled as having
unlimited validity. This could allow a Java application to accept a
revoked X.509 certificate as valid if it was presented with an OCSP
response generated before certificate revocation.
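
The freshness decision described above, with the lenient handling of a missing nextUpdate next to a stricter one. This is an added illustration, not the OpenJDK code or its actual fix; the class and method names, the 15-minute skew allowance, the 7-day maximum age and all timestamps are assumptions constructed for the example.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;

public class OcspFreshness {
    static final long SKEW_MS = TimeUnit.MINUTES.toMillis(15); // assumed clock-skew allowance

    // Flawed pattern: a response without nextUpdate never expires.
    static boolean lenientIsCurrent(Date thisUpdate, Date nextUpdate, Date now) {
        if (thisUpdate.getTime() > now.getTime() + SKEW_MS) return false; // not yet valid
        return nextUpdate == null || now.getTime() - SKEW_MS <= nextUpdate.getTime();
    }

    // Stricter pattern: without nextUpdate the response is trusted only for
    // maxAgeMs after thisUpdate (maxAgeMs is an assumed local policy value).
    static boolean strictIsCurrent(Date thisUpdate, Date nextUpdate, Date now, long maxAgeMs) {
        if (thisUpdate.getTime() > now.getTime() + SKEW_MS) return false; // not yet valid
        long expiry = (nextUpdate != null) ? nextUpdate.getTime()
                                           : thisUpdate.getTime() + maxAgeMs;
        return now.getTime() - SKEW_MS <= expiry;
    }

    public static void main(String[] args) {
        long day = TimeUnit.DAYS.toMillis(1);
        Date issued = new Date(0L);          // constructed: "good" response, no nextUpdate
        Date replayed = new Date(90 * day);  // constructed: same response presented 90 days
                                             // later, after the certificate was revoked
        long maxAge = 7 * day;

        System.out.println("lenient accepts replayed response: "
                + lenientIsCurrent(issued, null, replayed));
        System.out.println("strict accepts replayed response:  "
                + strictIsCurrent(issued, null, replayed, maxAge));
        System.out.println("strict accepts one-day-old response: "
                + strictIsCurrent(issued, null, new Date(day), maxAge));
        System.out.println("strict accepts response past its nextUpdate: "
                + strictIsCurrent(issued, new Date(2 * day), new Date(3 * day), maxAge));
    }
}
```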

- CVE-2015-4749 (DnsClient fails to release request information after
error):

It was discovered that the DnsClient class in the JNDI (Java Naming and
Directory Interface) component in OpenJDK failed to properly remove
information about an outgoing DNS request from the list of outstanding
DNS requests when certain errors occurred during DNS resolution. An
attacker able to trigger such DNS errors could cause a Java application
using JNDI to consume memory and possibly block further DNS resolution
(after exhausting all DNS transaction ids).

- CVE-2015-4760 (missing boundary checks in layout engine):

It was discovered that the ICU Layout Engine was missing multiple
boundary checks. These could lead to buffer overflows and JVM memory
corruption. A specially crafted file could cause an application using
ICU to parse untrusted font files to crash and, possibly, execute
arbitrary code.

ICU code is embedded in the 2D component in OpenJDK and used by
FontManager. An untrusted Java application or applet could use this
flaw to bypass Java sandbox restrictions.

Impact
======

A remote attacker can execute arbitrary code on an affected host.

References
==========

http://blog.fuseyism.com/index.php/2015/07/21/security-icedtea-2-6-1-for-openjdk-7-released/
http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-trend-micro-discovers-new-java-zero-day-exploit/
https://access.redhat.com/security/cve/CVE-2015-2590
https://access.redhat.com/security/cve/CVE-2015-2601
https://access.redhat.com/security/cve/CVE-2015-2613
https://access.redhat.com/security/cve/CVE-2015-2621
https://access.redhat.com/security/cve/CVE-2015-2625
https://access.redhat.com/security/cve/CVE-2015-2628
https://access.redhat.com/security/cve/CVE-2015-2632
https://access.redhat.com/security/cve/CVE-2015-2808
https://access.redhat.com/security/cve/CVE-2015-4000
https://access.redhat.com/security/cve/CVE-2015-4731
https://access.redhat.com/security/cve/CVE-2015-4732
https://access.redhat.com/security/cve/CVE-2015-4733
https://access.redhat.com/security/cve/CVE-2015-4748
https://access.redhat.com/security/cve/CVE-2015-4749
https://access.redhat.com/security/cve/CVE-2015-4760
