AVG-380

Package:   jdk7-openjdk
Status:    Fixed
Severity:  Critical
Type:      multiple issues
Affected:  7.u131_2.6.9-1
Fixed:     7.u151_2.6.11-1
Current:   7.u171_2.6.13-1 [extra]
Ticket:    None
Created:   Fri Aug 11 10:31:18 2017
Issue            Severity   Remote   Type
    Description
CVE-2017-3544    Low        Yes      Content spoofing
    A newline injection flaw was discovered in the SMTP client implementation in the Networking component in OpenJDK. A remote attacker could possibly use this...
CVE-2017-3539    Low        Yes      Access restriction bypass
    It was discovered that the Security component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This...
CVE-2017-3533    Medium     Yes      Access restriction bypass
    A newline injection flaw was discovered in the FTP client implementation in the Networking component in OpenJDK. A remote attacker could possibly use this...
CVE-2017-3526    High       Yes      Denial of service
    It was found that the JAXP component of OpenJDK failed to correctly enforce parse tree size limits when parsing an XML document. An attacker able to make a...
CVE-2017-3511    High       No       Privilege escalation
    An untrusted library search path flaw was found in the JCE component of OpenJDK. A local attacker could possibly use this flaw to cause a Java application...
CVE-2017-3509    Medium     Yes      Privilege escalation
    It was discovered that the HTTP client implementation in the Networking component of OpenJDK could cache and re-use an NTLM authenticated connection in a...
CVE-2017-10176   Medium     Yes      Private key recovery
    It was discovered that the Elliptic Curve (EC) cryptography implementation in the Security component of OpenJDK did not perform computations for certain...
CVE-2017-10135   Low        Yes      Private key recovery
    A covert timing channel flaw was found in the PKCS#8 implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application...
CVE-2017-10118   Medium     Yes      Private key recovery
    A covert timing channel flaw was found in the ECDSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application...
CVE-2017-10116   High       Yes      Privilege escalation
    It was discovered that the LDAPCertStore class in the Security component of OpenJDK followed LDAP referrals to arbitrary URLs. A specially crafted LDAP...
CVE-2017-10115   Medium     Yes      Private key recovery
    A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate...
CVE-2017-10111   Critical   Yes      Arbitrary code execution
    It was discovered that the LambdaFormEditor class in the Libraries component of OpenJDK did not correctly perform bounds checks in the...
CVE-2017-10110   Critical   Yes      Access restriction bypass
    It was discovered that the implementation of the ImageWatched class in the AWT component of OpenJDK failed to properly perform access control checks. An...
CVE-2017-10109   Medium     Yes      Access restriction bypass
    It was discovered that the implementation of the CodeSource class in OpenJDK did not limit the amount of memory allocated when creating object instance from...
CVE-2017-10108   Medium     Yes      Denial of service
    It was discovered that the implementation of the BasicAttribute class in OpenJDK did not limit the amount of memory allocated when creating object instance...
CVE-2017-10107   Critical   Yes      Access restriction bypass
    It was discovered that the implementation of the ActivationID class in the RMI component of OpenJDK failed to properly perform access control checks. An...
CVE-2017-10102   Critical   Yes      Arbitrary code execution
    It was discovered that the DGC (Distributed Garbage Collector) implementation in the RMI component of OpenJDK failed to correctly handle references. A...
CVE-2017-10101   Critical   Yes      Access restriction bypass
    It was discovered that the JAXP component of OpenJDK failed to restrict access to certain internal classes. An untrusted Java application or applet could...
CVE-2017-10096   Critical   Yes      Access restriction bypass
    It was discovered that the implementation of the TransformerException class in the JAXP component of OpenJDK failed to properly perform access control...
CVE-2017-10090   Critical   Yes      Access restriction bypass
    It was discovered that the implementation of the AsynchronousChannelGroupImpl class in the java.nio.channels package of the Libraries component of OpenJDK...
CVE-2017-10089   Critical   Yes      Access restriction bypass
    It was discovered that the implementation of the ServiceRegistry class in the ImageIO component of OpenJDK failed to properly perform access control checks....
CVE-2017-10087   Critical   Yes      Access restriction bypass
    It was discovered that the implementation of the ThreadPoolExecutor class in the java.util.concurrent package of the Libraries component of OpenJDK failed...
CVE-2017-10081   Medium     Yes      Access restriction bypass
    A flaw was found in the way the Hotspot component of OpenJDK processed extraneous brackets in function signatures. An untrusted Java application or applet...
CVE-2017-10074   Critical   Yes      Arbitrary code execution
    It was discovered that the Hotspot component of OpenJDK did not properly check for integer overflows when generating range check loop predicates. An...
CVE-2017-10067   High       Yes      Authentication bypass
    It was discovered that the JAR (Java ARchive) verifier in the Security component of OpenJDK did not correctly handle files inside archives with missing...
CVE-2017-10053   Low        No       Denial of service
    It was discovered that the JPEGImageReader implementation in the 2D component of OpenJDK would, in certain cases, read all image data even if that was not...
Date         Advisory       Package        Description
12 Aug 2017  ASA-201708-8   jdk7-openjdk   multiple issues