[arch-security] [ASA-201510-16] jre7-openjdk: multiple issues

Fri Oct 23 15:22:36 UTC 2015

Arch Linux Security Advisory ASA-201510-16
==========================================

Severity: Critical
Date    : 2015-10-23
CVE-ID  : CVE-2015-4734 CVE-2015-4803 CVE-2015-4805 CVE-2015-4806
          CVE-2015-4810 CVE-2015-4835 CVE-2015-4840 CVE-2015-4842
          CVE-2015-4843 CVE-2015-4844 CVE-2015-4860 CVE-2015-4871
          CVE-2015-4872 CVE-2015-4881 CVE-2015-4882 CVE-2015-4883
          CVE-2015-4893 CVE-2015-4902 CVE-2015-4903 CVE-2015-4911
Package : jre7-openjdk
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package jre7-openjdk before version 7.u91_2.6.2-1 is vulnerable to
multiple issues including but not limited to arbitrary code execution,
sandbox bypass, information disclosure and denial of service.

Resolution
==========

Upgrade to 7.u91_2.6.2-1.

# pacman -Syu "jre7-openjdk>=7.u91_2.6.2-1"

The problems have been fixed upstream in version 7.u91.

Workaround
==========

None.

Description
===========

- CVE-2015-4734 (information disclosure)

It was discovered that the JGSS component of OpenJDK did not properly
hide Kerberos realm information from all error exceptions when running
under Security Manager.  An untrusted Java application or applet could
use this flaw to obtain certain information about the Kerberos
configuration on the host where they were executed, bypassing certain
Java sandbox restrictions.

- CVE-2015-4803 (denial of service)

It was discovered that the JAXP component of OpenJDK did not use
efficient data structures to store data from parsed XML documents. A
specially-crafted XML input could cause a Java application using JAXP to
use an excessive amount of CPU time by e.g. triggering hash collisions.

- CVE-2015-4805 (arbitrary code execution)

It was discovered that the ObjectStreamClass in the Serialization
component of OpenJDK failed to ensure that the object is fully
initialized before allowing calls of certain methods. An untrusted Java
application or applet could use this flaw to bypass Java sandbox
restrictions to execute code.

- CVE-2015-4806 (improper input validation)

A vulnerability has been discovered leading to HttpURLConnection header
restriction bypass, allowing remote attackers to affect confidentiality
and integrity via unknown vectors related to Libraries.

- CVE-2015-4810 (arbitrary code execution)

An unspecified vulnerability has been discovered that allows local users
to affect confidentiality, integrity, and availability via unknown
vectors related to Deployment.

- CVE-2015-4835 (arbitrary code execution)

It was discovered that the StubGenerator class in the CORBA component of
OpenJDK failed to generate code with all needed permission checks
related to object (de-)serialization. An untursted Java application or
applet could use this flaw to bypass Java sandbox restrictions and
execute arbitrary code.

- CVE-2015-4840 (information disclosure)

It was discovered that the 2D component of OpenJDK could perform out of
bounds access and possibly disclose portions of the Java Virtual Machine
memory when processing specially crafted color profiles. The issue was
caused by having bundled lcms2 code use fast floor() implementation.  An
untrusted Java application or applet could use this flaw to bypass
certain Java sandbox restrictions.

- CVE-2015-4842 (information disclosure)

An information disclosure flaw was found in the JAXP component of
OpenJDK.  An untrusted Java application or applet could use this flaw to
get information about user home directory location (the content of the
"user.dir" system property), hence bypassing certain Java sandbox
restrictions.

- CVE-2015-4843 (arbitrary code execution)

Multiple integer overflow issues were found in the implementation of
Buffers in the java.nio (Non-blocking I/O) packages in the Libraries
component of OpenJDK.  These could lead to out of bounds buffer access
and Java Virtual Machine memory corruption. An untursted Java
application or applet could use these flaws to run arbitrary code with
the Java Virtual Machine privileges or bypass Java sandbox restrictions.

- CVE-2015-4844 (arbitrary code execution)

It was discovered that ICU Layout Engine was missing multiple boundary
and error return checks. These could lead to buffer overflows and memory
corruption. A specially crafted font file could cause an application
using ICU to parse untrusted fonts to crash and, possibly, execute
arbitrary code.

- CVE-2015-4860 (sandbox bypass)

It was discovered that the DGCImpl (for RMI distributed
garbage-collection - DGC) class in the RMI component of OpenJDK failed
to use restricted access control context when processing untrusted
input. An untrusted Java application or applet could use this flaw to
bypass Java sandbox restrictions.

- CVE-2015-4871 (unknown)

An unspecified vulnerability has been discovered that allows remote
attackers to affect confidentiality and integrity via unknown vectors
related to Libraries.

- CVE-2015-4872 (security policy bypass)

It was discovered that the AlgorithmChecker class in the Security
component of OpenJDK failed to properly check if a certificate satisfies
all defined constraints in certain cases. This could cause a Java
application to accept an X.509 certificate which does not meet
requirements of the policy defined in the java.security file.

- CVE-2015-4881 (sandbox bypass)

It was discovered that the IIOPInputStream class in the CORBA component
of OpenJDK failed to properly check object and field types during object
deserialization. An untrusted Java application or applet could use this
flaw to bypass Java sandbox restrictions.

- CVE-2015-4882 (denial of service)

A flaw was found in the way the IIOPInputStream class in the CORBA
component of OpenJDK performed deserialization of String objects. An
untrusted Java application or applet could use this flaw to crash the
Java Virtual Machine.

- CVE-2015-4883 (sandbox bypass)

It was discovered that the DGCClient (for RMI distributed
garbage-collection - DGC) class in the RMI component of OpenJDK failed
to use restricted access control context when handling JRMP (Java Remote
Method Protocol) messages. An untrusted Java application or applet could
use this flaw to bypass Java sandbox restrictions.

- CVE-2015-4893 (denial of service)

It was discovered that the JAXP component of OpenJDK did not enforce the
maximum XML name limit (jdk.xml.MaxXMLNameLimit) when parsing XML files.
A specially crafted XML document could cause a Java application using
JAXP to consume an excessive amount of memory and CPU time when parsed.

- CVE-2015-4902 (unknown)

An unspecified vulnerability has been discovered that allows remote
attackers to affect integrity via unknown vectors related to Deployment.

- CVE-2015-4903 (sandbox bypass)

It was discovered that the RemoteObjectInvocationHandler class in the
RMI component of OpenJDK did not check if object proxy is an instance of
a proxy class and that it uses correct invocation handler. An untrusted
Java application or applet could use this flaw to bypass certain Java
sandbox restrictions by gaining access to data that should by protected
by the sandbox.

- CVE-2015-4911 (denial of service)

It was discovered that the StAX XML parser in the JAXP component of
OpenJDK could do certain DTD processing even when DTD support was
disabled via the javax.xml.stream.supportDTD system property. A
specially crafted XML document could cause a Java application using JAXP
to consume an excessive amount of memory and CPU time when parsed.

Impact
======

A remote attacker is able to execute arbitrary code, gain access to
sensitive information, bypass sandbox restrictions or perform a denial
of service attack via multiple vectors.

References
==========

http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2015-October/033972.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixJAVA
https://access.redhat.com/security/cve/CVE-2015-4734
https://access.redhat.com/security/cve/CVE-2015-4803
https://access.redhat.com/security/cve/CVE-2015-4805
https://access.redhat.com/security/cve/CVE-2015-4806
https://access.redhat.com/security/cve/CVE-2015-4810
https://access.redhat.com/security/cve/CVE-2015-4835
https://access.redhat.com/security/cve/CVE-2015-4840
https://access.redhat.com/security/cve/CVE-2015-4842
https://access.redhat.com/security/cve/CVE-2015-4843
https://access.redhat.com/security/cve/CVE-2015-4844
https://access.redhat.com/security/cve/CVE-2015-4860
https://access.redhat.com/security/cve/CVE-2015-4871
https://access.redhat.com/security/cve/CVE-2015-4872
https://access.redhat.com/security/cve/CVE-2015-4881
https://access.redhat.com/security/cve/CVE-2015-4882
https://access.redhat.com/security/cve/CVE-2015-4883
https://access.redhat.com/security/cve/CVE-2015-4893
https://access.redhat.com/security/cve/CVE-2015-4902
https://access.redhat.com/security/cve/CVE-2015-4903
https://access.redhat.com/security/cve/CVE-2015-4911

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20151023/22a7cdad/attachment.asc>