[arch-security] [ASA-201708-8] jdk7-openjdk: multiple issues

Remi Gacogne rgacogne at archlinux.org
Mon Aug 14 16:29:43 UTC 2017


Arch Linux Security Advisory ASA-201708-8
=========================================

Severity: Critical
Date    : 2017-08-12
CVE-ID  : CVE-2017-10053 CVE-2017-10067 CVE-2017-10074 CVE-2017-10081
          CVE-2017-10087 CVE-2017-10089 CVE-2017-10090 CVE-2017-10096
          CVE-2017-10101 CVE-2017-10102 CVE-2017-10107 CVE-2017-10108
          CVE-2017-10109 CVE-2017-10110 CVE-2017-10111 CVE-2017-10115
          CVE-2017-10116 CVE-2017-10118 CVE-2017-10135 CVE-2017-10176
          CVE-2017-3509 CVE-2017-3511 CVE-2017-3526 CVE-2017-3533
          CVE-2017-3539 CVE-2017-3544
Package : jdk7-openjdk
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-380

Summary
=======

The package jdk7-openjdk before version 7.u151_2.6.11-1 is vulnerable
to multiple issues including access restriction bypass, arbitrary code
execution, authentication bypass, denial of service, privilege
escalation, private key recovery and content spoofing.

Resolution
==========

Upgrade to 7.u151_2.6.11-1.

# pacman -Syu "jdk7-openjdk>=7.u151_2.6.11-1"

The problems have been fixed upstream in version 7.u151_2.6.11.

Workaround
==========

None.

Description
===========

- CVE-2017-10053 (denial of service)

It was discovered that the JPEGImageReader implementation in the 2D
component of OpenJDK would, in certain cases, read all image data even
if it was not used later.  A specially crafted image could cause a
Java application to temporarily use an excessive amount of CPU and
memory.

- CVE-2017-10067 (authentication bypass)

It was discovered that the JAR (Java ARchive) verifier in the Security
component of OpenJDK did not correctly handle files inside archives
with a missing digest.  An attacker could possibly use this flaw to
manipulate the content of a signed JAR, bypassing intended verification.
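
A check a reviewer can run against a JAR in light of CVE-2017-10067, as an added example (not Arch's or OpenJDK's code): it parses META-INF/MANIFEST.MF and lists entries that carry no digest attribute, since such entries are exactly what a signed-JAR verifier cannot vouch for. The JAR built inside is constructed sample data; the script is in Python rather than Java so it runs without a JDK.

```python
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"


def parse_manifest(text):
    """Return {entry_name: {attribute: value}} for each per-entry section."""
    lines = []
    for raw in text.splitlines():
        # Manifest lines wrap at 72 bytes; a continuation starts with one space.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, {}
    for line in lines + [""]:          # trailing "" flushes the last section
        if not line:
            if "Name" in current:      # the main section has no Name attribute
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return sections


def undigested_entries(jar_bytes):
    """Names of file entries (outside META-INF/) that carry no *-Digest."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        sections = parse_manifest(jar.read(MANIFEST).decode("utf-8"))
        missing = []
        for info in jar.infolist():
            name = info.filename
            if info.is_dir() or name.startswith("META-INF/"):
                continue
            if not any(k.endswith("-Digest") for k in sections.get(name, {})):
                missing.append(name)
    return missing


def build_sample_jar():
    """Constructed sample JAR: Good.class is digested, Extra.class is not."""
    manifest = ("Manifest-Version: 1.0\r\n\r\n"
                "Name: com/example/Good.class\r\n"
                "SHA-256-Digest: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\r\n\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(MANIFEST, manifest)
        jar.writestr("com/example/Good.class", b"\xca\xfe\xba\xbe")
        jar.writestr("com/example/Extra.class", b"\xca\xfe\xba\xbe")  # no digest
    return buf.getvalue()
```

Any name this prints for a JAR you expected to be fully signed is content the verifier never checked, whatever the signature block says.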

- CVE-2017-10074 (arbitrary code execution)

It was discovered that the Hotspot component of OpenJDK did not
properly check for integer overflows when generating range check loop
predicates.  An untrusted Java application or applet could use this
flaw to corrupt JVM memory and cause it to crash or, possibly, execute
arbitrary code, bypassing Java sandbox restrictions.

- CVE-2017-10081 (access restriction bypass)

A flaw was found in the way the Hotspot component of OpenJDK processed
extraneous brackets in function signatures.  An untrusted Java
application or applet could use this flaw to bypass certain Java
sandbox restrictions.

- CVE-2017-10087 (access restriction bypass)

It was discovered that the implementation of the ThreadPoolExecutor
class in the java.util.concurrent package of the Libraries component of
OpenJDK failed to properly perform access control checks.  An untrusted
Java application or applet could use this flaw to bypass Java sandbox
restrictions.

- CVE-2017-10089 (access restriction bypass)

It was discovered that the implementation of the ServiceRegistry class
in the ImageIO component of OpenJDK failed to properly perform access
control checks.  An untrusted Java application or applet could use this
flaw to bypass Java sandbox restrictions.

- CVE-2017-10090 (access restriction bypass)

It was discovered that the implementation of the
AsynchronousChannelGroupImpl class in the java.nio.channels package of
the Libraries component of OpenJDK failed to properly perform access
control checks.  An untrusted Java application or applet could use this
flaw to bypass Java sandbox restrictions.

- CVE-2017-10096 (access restriction bypass)

It was discovered that the implementation of the TransformerException
class in the JAXP component of OpenJDK failed to properly perform
access control checks, related to the handling of DTM exceptions.  An
untrusted Java application or applet could use this flaw to bypass Java
sandbox restrictions.

- CVE-2017-10101 (access restriction bypass)

It was discovered that the JAXP component of OpenJDK failed to restrict
access to certain internal classes.  An untrusted Java application or
applet could use this flaw to bypass Java sandbox restrictions.

- CVE-2017-10102 (arbitrary code execution)

It was discovered that the DGC (Distributed Garbage Collector)
implementation in the RMI component of OpenJDK failed to correctly
handle references.  A remote attacker could possibly use this flaw to
execute arbitrary code with the privileges of RMI registry or a Java
RMI application.

- CVE-2017-10107 (access restriction bypass)

It was discovered that the implementation of the ActivationID class in
the RMI component of OpenJDK failed to properly perform access control
checks.  An untrusted Java application or applet could use this flaw to
bypass Java sandbox restrictions.

- CVE-2017-10108 (denial of service)

It was discovered that the implementation of the BasicAttribute class
in OpenJDK did not limit the amount of memory allocated when creating
an object instance from a serialized form.  A specially crafted
serialized input stream could cause the JVM to consume an excessive
amount of memory.

- CVE-2017-10109 (access restriction bypass)

It was discovered that the implementation of the CodeSource class in
OpenJDK did not limit the amount of memory allocated when creating an
object instance from a serialized form.  An untrusted Java application
or applet could use this flaw to cause the JVM to allocate an excessive
amount of memory, bypassing certain Java sandbox restrictions.

- CVE-2017-10110 (access restriction bypass)

It was discovered that the implementation of the ImageWatched class in
the AWT component of OpenJDK failed to properly perform access control
checks.  An untrusted Java application or applet could use this flaw to
bypass Java sandbox restrictions.

- CVE-2017-10111 (arbitrary code execution)

It was discovered that the LambdaFormEditor class in the Libraries
component of OpenJDK did not correctly perform bounds checks in the
permuteArgumentsForm() function.  An untrusted Java application or
applet could use this flaw to corrupt JVM memory and cause it to crash
or, possibly, execute arbitrary code, bypassing Java sandbox
restrictions.  The problem is triggered when using
MethodHandle.permuteArguments().

- CVE-2017-10115 (private key recovery)

A covert timing channel flaw was found in the DSA implementation in the
JCE component of OpenJDK. A remote attacker able to make a Java
application generate DSA signatures on demand could possibly use this
flaw to extract certain information about the used key via a timing
side channel.

- CVE-2017-10116 (privilege escalation)

It was discovered that the LDAPCertStore class in the Security
component of OpenJDK followed LDAP referrals to arbitrary URLs. A
specially crafted LDAP referral URL could cause LDAPCertStore to
communicate with non-LDAP servers.

- CVE-2017-10118 (private key recovery)

A covert timing channel flaw was found in the ECDSA implementation in
the JCE component of OpenJDK.  A remote attacker able to make a Java
application generate ECDSA signatures on demand could possibly use this
flaw to extract certain information about the used key via a timing
side channel.

- CVE-2017-10135 (private key recovery)

A covert timing channel flaw was found in the PKCS#8 implementation in
the JCE component of OpenJDK. A remote attacker able to make a Java
application repeatedly compare a PKCS#8 key against an
attacker-controlled value could possibly use this flaw to determine
the key via a timing side channel.

- CVE-2017-10176 (private key recovery)

It was discovered that the Elliptic Curve (EC) cryptography
implementation in the Security component of OpenJDK did not perform
computations for certain points correctly.  An attacker able to
interact with a Java application using EC cryptography could possibly
use this flaw to obtain information about the used key.

- CVE-2017-3509 (privilege escalation)

It was discovered that the HTTP client implementation in the Networking
component of OpenJDK could cache and re-use an NTLM authenticated
connection in a different security context. A remote attacker could
possibly use this flaw to make a Java application perform HTTP requests
authenticated with credentials of a different user.

- CVE-2017-3511 (privilege escalation)

An untrusted library search path flaw was found in the JCE component of
OpenJDK. A local attacker could possibly use this flaw to cause a Java
application using JCE to load an attacker-controlled library and hence
escalate their privileges.

- CVE-2017-3526 (denial of service)

It was found that the JAXP component of OpenJDK failed to correctly
enforce parse tree size limits when parsing an XML document. An attacker
able to make a Java application parse a specially crafted XML document
could use this flaw to make it consume an excessive amount of CPU and
memory.

- CVE-2017-3533 (access restriction bypass)

A newline injection flaw was discovered in the FTP client
implementation in the Networking component in OpenJDK. A remote
attacker could possibly use this flaw to manipulate FTP connections
established by a Java application.

- CVE-2017-3539 (access restriction bypass)

It was discovered that the Security component of OpenJDK did not allow
users to restrict the set of algorithms allowed for Jar integrity
verification. This flaw could allow an attacker to modify the content
of a Jar file that used a weak signing key or hash algorithm.

- CVE-2017-3544 (content spoofing)

A newline injection flaw was discovered in the SMTP client
implementation in the Networking component in OpenJDK. A remote
attacker could possibly use this flaw to manipulate SMTP connections
established by a Java application.

Impact
======

A remote attacker can bypass access restrictions, crash the program,
access sensitive information and execute arbitrary code on the affected
host.

References
==========

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/686e47e14565
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c729ab3b13ae
http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/rev/37ba410ffd43
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/09eae0bade20
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/e95a13de2d36
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d7bd49ad8f0a
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/51631f9fa8d8
http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/510b8c8dfdd6
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/b3e7354e6ae8
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/070e24b47ae0
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/97ea41335486
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/936085d9aff0
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/56e0ab47dbec
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/78a83e6e0fe8
http://hg.openjdk.java.net/jdk9/dev/jdk/rev/9003926e4a8a
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/3c8ea47635b6
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/73dd1557f0ef
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/996632997de8
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/079cd6c5de27
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d99101781d7e
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/bea5b22daf5d
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/af0e709d28f9
http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/756b7a2f20cc
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/81ddd5fc5a4e
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1f2ff3f1882a
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f672cb804684
https://security.archlinux.org/CVE-2017-10053
https://security.archlinux.org/CVE-2017-10067
https://security.archlinux.org/CVE-2017-10074
https://security.archlinux.org/CVE-2017-10081
https://security.archlinux.org/CVE-2017-10087
https://security.archlinux.org/CVE-2017-10089
https://security.archlinux.org/CVE-2017-10090
https://security.archlinux.org/CVE-2017-10096
https://security.archlinux.org/CVE-2017-10101
https://security.archlinux.org/CVE-2017-10102
https://security.archlinux.org/CVE-2017-10107
https://security.archlinux.org/CVE-2017-10108
https://security.archlinux.org/CVE-2017-10109
https://security.archlinux.org/CVE-2017-10110
https://security.archlinux.org/CVE-2017-10111
https://security.archlinux.org/CVE-2017-10115
https://security.archlinux.org/CVE-2017-10116
https://security.archlinux.org/CVE-2017-10118
https://security.archlinux.org/CVE-2017-10135
https://security.archlinux.org/CVE-2017-10176
https://security.archlinux.org/CVE-2017-3509
https://security.archlinux.org/CVE-2017-3511
https://security.archlinux.org/CVE-2017-3526
https://security.archlinux.org/CVE-2017-3533
https://security.archlinux.org/CVE-2017-3539
https://security.archlinux.org/CVE-2017-3544
