Subject: [ASA-201708-8] jdk7-openjdk: multiple issues

Arch Linux Security Advisory ASA-201708-8
=========================================

Severity: Critical
Date    : 2017-08-12
CVE-ID  : CVE-2017-3509 CVE-2017-3511 CVE-2017-3526 CVE-2017-3533
          CVE-2017-3539 CVE-2017-3544 CVE-2017-10053 CVE-2017-10067
          CVE-2017-10074 CVE-2017-10081 CVE-2017-10087 CVE-2017-10089
          CVE-2017-10090 CVE-2017-10096 CVE-2017-10101 CVE-2017-10102
          CVE-2017-10107 CVE-2017-10108 CVE-2017-10109 CVE-2017-10110
          CVE-2017-10111 CVE-2017-10115 CVE-2017-10116 CVE-2017-10118
          CVE-2017-10135 CVE-2017-10176
Package : jdk7-openjdk
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-380

Summary
=======

The package jdk7-openjdk before version 7.u151_2.6.11-1 is vulnerable to
multiple issues including access restriction bypass, arbitrary code
execution, authentication bypass, denial of service, privilege
escalation, private key recovery and content spoofing.

Resolution
==========

Upgrade to 7.u151_2.6.11-1.

# pacman -Syu "jdk7-openjdk>=7.u151_2.6.11-1"

The problems have been fixed upstream in version 7.u151_2.6.11.

Workaround
==========

None.

Description
===========

- CVE-2017-3509 (privilege escalation)

It was discovered that the HTTP client implementation in the Networking
component of OpenJDK could cache and re-use an NTLM authenticated
connection in a different security context. A remote attacker could
possibly use this flaw to make a Java application perform HTTP requests
authenticated with credentials of a different user.

- CVE-2017-3511 (privilege escalation)

An untrusted library search path flaw was found in the JCE component of
OpenJDK. A local attacker could possibly use this flaw to cause a Java
application using JCE to load an attacker-controlled library and hence
escalate their privileges.

- CVE-2017-3526 (denial of service)

It was found that the JAXP component of OpenJDK failed to correctly
enforce parse tree size limits when parsing an XML document.
An attacker able to make a Java application parse a specially crafted
XML document could use this flaw to make it consume an excessive amount
of CPU and memory.

- CVE-2017-3533 (access restriction bypass)

A newline injection flaw was discovered in the FTP client implementation
in the Networking component in OpenJDK. A remote attacker could possibly
use this flaw to manipulate FTP connections established by a Java
application.

- CVE-2017-3539 (access restriction bypass)

It was discovered that the Security component of OpenJDK did not allow
users to restrict the set of algorithms allowed for Jar integrity
verification. This flaw could allow an attacker to modify the content of
a Jar file that used a weak signing key or hash algorithm.

- CVE-2017-3544 (content spoofing)

A newline injection flaw was discovered in the SMTP client
implementation in the Networking component in OpenJDK. A remote attacker
could possibly use this flaw to manipulate SMTP connections established
by a Java application.

- CVE-2017-10053 (denial of service)

It was discovered that the JPEGImageReader implementation in the 2D
component of OpenJDK would, in certain cases, read all image data even
if that data was not used later. A specially crafted image could cause a
Java application to temporarily use an excessive amount of CPU and
memory.

- CVE-2017-10067 (authentication bypass)

It was discovered that the JAR (Java ARchive) verifier in the Security
component of OpenJDK did not correctly handle files inside archives with
a missing digest. An attacker could possibly use this flaw to manipulate
the content of a signed JAR, bypassing intended verification.

- CVE-2017-10074 (arbitrary code execution)

It was discovered that the Hotspot component of OpenJDK did not properly
check for integer overflows when generating range check loop predicates.
An untrusted Java application or applet could use this flaw to corrupt
JVM memory and cause it to crash or, possibly, execute arbitrary code,
bypassing Java sandbox restrictions.

- CVE-2017-10081 (access restriction bypass)

A flaw was found in the way the Hotspot component of OpenJDK processed
extraneous brackets in function signatures. An untrusted Java
application or applet could use this flaw to bypass certain Java sandbox
restrictions.

- CVE-2017-10087 (access restriction bypass)

It was discovered that the implementation of the ThreadPoolExecutor
class in the java.util.concurrent package of the Libraries component of
OpenJDK failed to properly perform access control checks. An untrusted
Java application or applet could use this flaw to bypass Java sandbox
restrictions.

- CVE-2017-10089 (access restriction bypass)

It was discovered that the implementation of the ServiceRegistry class
in the ImageIO component of OpenJDK failed to properly perform access
control checks. An untrusted Java application or applet could use this
flaw to bypass Java sandbox restrictions.

- CVE-2017-10090 (access restriction bypass)

It was discovered that the implementation of the
AsynchronousChannelGroupImpl class in the java.nio.channels package of
the Libraries component of OpenJDK failed to properly perform access
control checks. An untrusted Java application or applet could use this
flaw to bypass Java sandbox restrictions.

- CVE-2017-10096 (access restriction bypass)

It was discovered that the implementation of the TransformerException
class in the JAXP component of OpenJDK failed to properly perform access
control checks, related to the handling of DTM exceptions. An untrusted
Java application or applet could use this flaw to bypass Java sandbox
restrictions.

- CVE-2017-10101 (access restriction bypass)

It was discovered that the JAXP component of OpenJDK failed to restrict
access to certain internal classes.
An untrusted Java application or applet could use this flaw to bypass
Java sandbox restrictions.

- CVE-2017-10102 (arbitrary code execution)

It was discovered that the DGC (Distributed Garbage Collector)
implementation in the RMI component of OpenJDK failed to correctly
handle references. A remote attacker could possibly use this flaw to
execute arbitrary code with the privileges of the RMI registry or a Java
RMI application.

- CVE-2017-10107 (access restriction bypass)

It was discovered that the implementation of the ActivationID class in
the RMI component of OpenJDK failed to properly perform access control
checks. An untrusted Java application or applet could use this flaw to
bypass Java sandbox restrictions.

- CVE-2017-10108 (denial of service)

It was discovered that the implementation of the BasicAttribute class in
OpenJDK did not limit the amount of memory allocated when creating an
object instance from a serialized form. A specially crafted serialized
input stream could cause the JVM to consume an excessive amount of
memory.

- CVE-2017-10109 (access restriction bypass)

It was discovered that the implementation of the CodeSource class in
OpenJDK did not limit the amount of memory allocated when creating an
object instance from a serialized form. An untrusted Java application or
applet could use this flaw to cause the JVM to allocate an excessive
amount of memory, bypassing certain Java sandbox restrictions.

- CVE-2017-10110 (access restriction bypass)

It was discovered that the implementation of the ImageWatched class in
the AWT component of OpenJDK failed to properly perform access control
checks. An untrusted Java application or applet could use this flaw to
bypass Java sandbox restrictions.

- CVE-2017-10111 (arbitrary code execution)

It was discovered that the LambdaFormEditor class in the Libraries
component of OpenJDK did not correctly perform bounds checks in the
permuteArgumentsForm() function.
An untrusted Java application or applet could use this flaw to corrupt
JVM memory and cause it to crash or, possibly, execute arbitrary code,
bypassing Java sandbox restrictions. The problem is triggered when using
MethodHandle.permuteArguments().

- CVE-2017-10115 (private key recovery)

A covert timing channel flaw was found in the DSA implementation in the
JCE component of OpenJDK. A remote attacker able to make a Java
application generate DSA signatures on demand could possibly use this
flaw to extract certain information about the used key via a timing
side channel.

- CVE-2017-10116 (privilege escalation)

It was discovered that the LDAPCertStore class in the Security component
of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted
LDAP referral URL could cause LDAPCertStore to communicate with non-LDAP
servers.

- CVE-2017-10118 (private key recovery)

A covert timing channel flaw was found in the ECDSA implementation in
the JCE component of OpenJDK. A remote attacker able to make a Java
application generate ECDSA signatures on demand could possibly use this
flaw to extract certain information about the used key via a timing
side channel.

- CVE-2017-10135 (private key recovery)

A covert timing channel flaw was found in the PKCS#8 implementation in
the JCE component of OpenJDK. A remote attacker able to make a Java
application repeatedly compare a PKCS#8 key against an
attacker-controlled value could possibly use this flaw to determine the
key via a timing side channel.

- CVE-2017-10176 (private key recovery)

It was discovered that the Elliptic Curve (EC) cryptography
implementation in the Security component of OpenJDK did not perform
computations for certain points correctly. An attacker able to interact
with a Java application using EC cryptography could possibly use this
flaw to obtain information about the used key.
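The PKCS#8 key comparison flaw (CVE-2017-10135) above is a classic early-exit comparison: the amount of work done before the answer is known depends on how many leading bytes of the attacker-controlled value match the stored key, and that work is visible as latency. The example below is added here and is not code from the advisory or from OpenJDK; it contrasts a leaky comparison with a constant-time one, and includes the kind of unit check a defender can keep in a test suite to catch a comparison routine whose work varies with the input. The sample key bytes are constructed for the example and are not real key material. In Java, `MessageDigest.isEqual` is the standard-library constant-time comparison that plays the role `hmac.compare_digest` plays here.

```python
import hmac

# Constructed sample standing in for PKCS#8 key material. Not a real key;
# it exists only so the example runs offline.
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def compare_leaky(a: bytes, b: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined).

    bytes_examined is the number of bytes touched before the function
    decided. It grows with the length of the matching prefix, which is
    exactly what a remote caller measuring response time can observe.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def compare_constant_time(a: bytes, b: bytes):
    """Comparison whose work does not depend on where the inputs differ.

    Every byte is XORed into an accumulator and the verdict is read once at
    the end, so bytes_examined is always len(a) for equal-length inputs.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def key_matches(stored: bytes, presented: bytes) -> bool:
    """What production code should call: the stdlib constant-time compare."""
    return hmac.compare_digest(stored, presented)


def probes_sharing_prefix(secret: bytes, prefix_lengths):
    """Constructed test inputs: same length as secret, first n bytes equal,
    byte n deliberately different, remainder zero."""
    out = []
    for n in prefix_lengths:
        g = bytearray(len(secret))
        g[:n] = secret[:n]
        if n < len(secret):
            g[n] = secret[n] ^ 0xFF
        out.append(bytes(g))
    return out


def work_profile(secret: bytes, probes, cmp):
    """Apply cmp(secret, probe) to each probe; return bytes examined per probe."""
    return [cmp(secret, p)[1] for p in probes]


def leaks_prefix_length(cmp, secret: bytes = SAMPLE_KEY) -> bool:
    """Defensive unit check: True if cmp's work varies with the matching prefix.

    A routine that passes this check (returns False) does the same amount of
    work for every probe and therefore does not expose the prefix length
    through timing. The check only counts bytes examined; on a real system you
    would measure wall-clock time over many samples instead.
    """
    probes = probes_sharing_prefix(secret, range(len(secret)))
    return len(set(work_profile(secret, probes, cmp))) > 1


if __name__ == "__main__":
    for name, cmp in (("leaky", compare_leaky), ("constant-time", compare_constant_time)):
        print(f"{name}: leaks prefix length = {leaks_prefix_length(cmp)}")
```

The check is deliberately about work done, not elapsed time: counting examined bytes is deterministic, so it can run in CI, whereas a timing measurement needs many samples and a quiet machine to be meaningful.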
Impact
======

A remote attacker can bypass access restrictions, crash the program,
access sensitive information and execute arbitrary code on the affected
host.

References
==========

http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/bea5b22daf5d
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/af0e709d28f9
http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/756b7a2f20cc
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/81ddd5fc5a4e
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/1f2ff3f1882a
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/f672cb804684
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/686e47e14565
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/c729ab3b13ae
http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/rev/37ba410ffd43
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/09eae0bade20
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/e95a13de2d36
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d7bd49ad8f0a
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/51631f9fa8d8
http://hg.openjdk.java.net/jdk8u/jdk8u/jaxp/rev/510b8c8dfdd6
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/b3e7354e6ae8
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/070e24b47ae0
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/97ea41335486
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/936085d9aff0
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/56e0ab47dbec
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/78a83e6e0fe8
http://hg.openjdk.java.net/jdk9/dev/jdk/rev/9003926e4a8a
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/3c8ea47635b6
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/73dd1557f0ef
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/996632997de8
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/079cd6c5de27
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/d99101781d7e
https://security.archlinux.org/CVE-2017-3509
https://security.archlinux.org/CVE-2017-3511
https://security.archlinux.org/CVE-2017-3526
https://security.archlinux.org/CVE-2017-3533
https://security.archlinux.org/CVE-2017-3539
https://security.archlinux.org/CVE-2017-3544
https://security.archlinux.org/CVE-2017-10053
https://security.archlinux.org/CVE-2017-10067
https://security.archlinux.org/CVE-2017-10074
https://security.archlinux.org/CVE-2017-10081
https://security.archlinux.org/CVE-2017-10087
https://security.archlinux.org/CVE-2017-10089
https://security.archlinux.org/CVE-2017-10090
https://security.archlinux.org/CVE-2017-10096
https://security.archlinux.org/CVE-2017-10101
https://security.archlinux.org/CVE-2017-10102
https://security.archlinux.org/CVE-2017-10107
https://security.archlinux.org/CVE-2017-10108
https://security.archlinux.org/CVE-2017-10109
https://security.archlinux.org/CVE-2017-10110
https://security.archlinux.org/CVE-2017-10111
https://security.archlinux.org/CVE-2017-10115
https://security.archlinux.org/CVE-2017-10116
https://security.archlinux.org/CVE-2017-10118
https://security.archlinux.org/CVE-2017-10135
https://security.archlinux.org/CVE-2017-10176
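The Resolution section gives the fixed version as 7.u151_2.6.11-1, and the advisory applies to any installed jdk7-openjdk older than that. Deciding "older than" for Arch version strings is not a plain string comparison: pacman's `vercmp` compares epoch, then pkgver, then pkgrel, and inside each it walks alternating numeric and alphabetic segments (so `7.u141_2.6.10` sorts before `7.u151_2.6.11`, and an alphabetic suffix sorts before no suffix). The script below is an added example, not part of the advisory or of pacman; it reimplements those `vercmp` semantics in Python and uses them to flag affected packages in `pacman -Q` output. The `pacman -Q` lines embedded in it are constructed sample data; on a real Arch host the `main()` runs the actual `pacman -Q` instead.

```python
import shutil
import subprocess

# Package and fixed version from the advisory's Resolution section.
FIXED_VERSIONS = {"jdk7-openjdk": "7.u151_2.6.11-1"}

# Constructed sample of `pacman -Q` output, not captured from a real host.
SAMPLE_PACMAN_Q = """\
jdk7-openjdk 7.u141_2.6.10-1
jre7-openjdk 7.u141_2.6.10-1
openssl 1.1.0.f-1
"""


def rpmvercmp(a: str, b: str) -> int:
    """Segment-wise comparison of two version fragments, following libalpm's
    rpmvercmp(): returns -1, 0 or 1. Separators are skipped; numeric segments
    compare by value (leading zeros ignored); alphabetic segments compare
    lexically; a numeric segment beats an alphabetic one."""
    i = j = 0
    while i < len(a) and j < len(b):
        while i < len(a) and not a[i].isalnum():
            i += 1
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        same_kind = str.isdigit if isnum else str.isalpha
        si = i
        while i < len(a) and same_kind(a[i]):
            i += 1
        sj = j
        while j < len(b) and same_kind(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:                      # kinds differ at this position
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):   # longer digit string is larger
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    rest_a, rest_b = a[i:], b[j:]
    if not rest_a and not rest_b:
        return 0
    # A remaining alphabetic tail (e.g. "1.0a" vs "1.0") sorts as older.
    if (not rest_a and not rest_b[:1].isalpha()) or rest_a[:1].isalpha():
        return -1
    return 1


def split_version(v: str):
    """Split an Arch version string into (epoch, pkgver, pkgrel); epoch
    defaults to "0" and pkgrel to None when absent."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    pkgver, sep, pkgrel = rest.rpartition("-")
    if not sep:
        pkgver, pkgrel = rest, None
    return epoch, pkgver, pkgrel


def vercmp(a: str, b: str) -> int:
    """pacman `vercmp` semantics: epoch, then pkgver, then pkgrel (only when
    both sides carry one)."""
    ea, va, ra = split_version(a)
    eb, vb, rb = split_version(b)
    ret = rpmvercmp(ea, eb)
    if ret == 0:
        ret = rpmvercmp(va, vb)
        if ret == 0 and ra is not None and rb is not None:
            ret = rpmvercmp(ra, rb)
    return ret


def parse_pacman_q(output: str) -> dict:
    """Turn `pacman -Q` lines ("name version") into {name: version}."""
    installed = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    return installed


def vulnerable_packages(installed: dict, fixed: dict = FIXED_VERSIONS) -> list:
    """Return [(name, installed_version, fixed_version)] for every package in
    `fixed` that is installed at a version older than the fix."""
    found = []
    for name, fixed_ver in fixed.items():
        cur = installed.get(name)
        if cur is not None and vercmp(cur, fixed_ver) < 0:
            found.append((name, cur, fixed_ver))
    return found


def main():
    if shutil.which("pacman"):
        output = subprocess.run(["pacman", "-Q"], capture_output=True,
                                text=True, check=True).stdout
    else:
        output = SAMPLE_PACMAN_Q
    for name, cur, fixed_ver in vulnerable_packages(parse_pacman_q(output)):
        print(f'{name} {cur} is older than {fixed_ver}: pacman -Syu "{name}>={fixed_ver}"')


if __name__ == "__main__":
    main()
```

The same `vercmp` function is what you would use to check any Arch advisory's fixed version against a fleet inventory; the package list and the fixed version are the only inputs that change.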