Lucene search

K
amazonAmazonALAS-2016-700
HistoryMay 11, 2016 - 11:00 a.m.

Critical: java-1.6.0-openjdk

2016-05-1111:00:00
alas.aws.amazon.com
26

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.073 Low

EPSS

Percentile

94.0%

Issue Overview:

Multiple flaws were discovered in the Serialization and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2016-0686, CVE-2016-0687)

It was discovered that the RMI server implementation in the JMX component in OpenJDK did not restrict which classes can be deserialized when deserializing authentication credentials. A remote, unauthenticated attacker able to connect to a JMX port could possibly use this flaw to trigger deserialization flaws. (CVE-2016-3427)

It was discovered that the JAXP component in OpenJDK failed to properly handle Unicode surrogate pairs used as part of the XML attribute values. Specially crafted XML input could cause a Java application to use an excessive amount of memory when parsed. (CVE-2016-3425)

It was discovered that the Security component in OpenJDK failed to check the digest algorithm strength when generating DSA signatures. The use of a digest weaker than the key strength could lead to the generation of signatures that were weaker than expected. (CVE-2016-0695)

Affected Packages:

java-1.6.0-openjdk

Issue Correction:
Run yum update java-1.6.0-openjdk to update your system.

New Packages:

i686:  
    java-1.6.0-openjdk-devel-1.6.0.39-1.13.11.1.74.amzn1.i686  
    java-1.6.0-openjdk-debuginfo-1.6.0.39-1.13.11.1.74.amzn1.i686  
    java-1.6.0-openjdk-demo-1.6.0.39-1.13.11.1.74.amzn1.i686  
    java-1.6.0-openjdk-src-1.6.0.39-1.13.11.1.74.amzn1.i686  
    java-1.6.0-openjdk-1.6.0.39-1.13.11.1.74.amzn1.i686  
    java-1.6.0-openjdk-javadoc-1.6.0.39-1.13.11.1.74.amzn1.i686  
  
src:  
    java-1.6.0-openjdk-1.6.0.39-1.13.11.1.74.amzn1.src  
  
x86_64:  
    java-1.6.0-openjdk-src-1.6.0.39-1.13.11.1.74.amzn1.x86_64  
    java-1.6.0-openjdk-javadoc-1.6.0.39-1.13.11.1.74.amzn1.x86_64  
    java-1.6.0-openjdk-demo-1.6.0.39-1.13.11.1.74.amzn1.x86_64  
    java-1.6.0-openjdk-debuginfo-1.6.0.39-1.13.11.1.74.amzn1.x86_64  
    java-1.6.0-openjdk-devel-1.6.0.39-1.13.11.1.74.amzn1.x86_64  
    java-1.6.0-openjdk-1.6.0.39-1.13.11.1.74.amzn1.x86_64  

Additional References

Red Hat: CVE-2016-0686, CVE-2016-0687, CVE-2016-0695, CVE-2016-3425, CVE-2016-3427

Mitre: CVE-2016-0686, CVE-2016-0687, CVE-2016-0695, CVE-2016-3425, CVE-2016-3427

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.073 Low

EPSS

Percentile

94.0%