Lucene search

K
amazonAmazonALAS-2016-693
HistoryApr 27, 2016 - 4:15 p.m.

Critical: java-1.7.0-openjdk

2016-04-2716:15:00
alas.aws.amazon.com
38

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.073 Low

EPSS

Percentile

94.0%

Issue Overview:

It was discovered that the ObjectInputStream class in the Serialization component of OpenJDK failed to properly ensure thread consistency when deserializing serialized input. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions. (CVE-2016-0686)

It was discovered that the Hotspot component of OpenJDK did not properly handle byte types. An untrusted Java application or applet could use this flaw to corrupt Java virtual machine memory and possibly execute arbitrary code, bypassing Java sandbox restrictions. (CVE-2016-0687)

It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws. (CVE-2016-3427)

It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed. (CVE-2016-3425)

It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected. (CVE-2016-0695)

Affected Packages:

java-1.7.0-openjdk

Issue Correction:
Run yum update java-1.7.0-openjdk to update your system.

New Packages:

i686:  
    java-1.7.0-openjdk-demo-1.7.0.101-2.6.6.1.67.amzn1.i686  
    java-1.7.0-openjdk-debuginfo-1.7.0.101-2.6.6.1.67.amzn1.i686  
    java-1.7.0-openjdk-devel-1.7.0.101-2.6.6.1.67.amzn1.i686  
    java-1.7.0-openjdk-src-1.7.0.101-2.6.6.1.67.amzn1.i686  
    java-1.7.0-openjdk-1.7.0.101-2.6.6.1.67.amzn1.i686  
  
noarch:  
    java-1.7.0-openjdk-javadoc-1.7.0.101-2.6.6.1.67.amzn1.noarch  
  
src:  
    java-1.7.0-openjdk-1.7.0.101-2.6.6.1.67.amzn1.src  
  
x86_64:  
    java-1.7.0-openjdk-1.7.0.101-2.6.6.1.67.amzn1.x86_64  
    java-1.7.0-openjdk-debuginfo-1.7.0.101-2.6.6.1.67.amzn1.x86_64  
    java-1.7.0-openjdk-devel-1.7.0.101-2.6.6.1.67.amzn1.x86_64  
    java-1.7.0-openjdk-src-1.7.0.101-2.6.6.1.67.amzn1.x86_64  
    java-1.7.0-openjdk-demo-1.7.0.101-2.6.6.1.67.amzn1.x86_64  

Additional References

Red Hat: CVE-2016-0686, CVE-2016-0687, CVE-2016-0695, CVE-2016-3425, CVE-2016-3427

Mitre: CVE-2016-0686, CVE-2016-0687, CVE-2016-0695, CVE-2016-3425, CVE-2016-3427

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.073 Low

EPSS

Percentile

94.0%