Lucene search

K
centosCentOS ProjectCESA-2016:0723
HistoryMay 09, 2016 - 3:12 p.m.

java security update

2016-05-0915:12:42
CentOS Project
lists.centos.org
62

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.073 Low

EPSS

Percentile

94.0%

CentOS Errata and Security Advisory CESA-2016:0723

The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime Environment
and the OpenJDK 6 Java Software Development Kit.

Security Fix(es):

  • Multiple flaws were discovered in the Serialization and Hotspot components in
    OpenJDK. An untrusted Java application or applet could use these flaws to
    completely bypass Java sandbox restrictions. (CVE-2016-0686, CVE-2016-0687)

  • It was discovered that the RMI server implementation in the JMX component in
    OpenJDK did not restrict which classes can be deserialized when deserializing
    authentication credentials. A remote, unauthenticated attacker able to connect
    to a JMX port could possibly use this flaw to trigger deserialization flaws.
    (CVE-2016-3427)

  • It was discovered that the JAXP component in OpenJDK failed to properly handle
    Unicode surrogate pairs used as part of the XML attribute values. Specially
    crafted XML input could cause a Java application to use an excessive amount of
    memory when parsed. (CVE-2016-3425)

  • It was discovered that the Security component in OpenJDK failed to check the
    digest algorithm strength when generating DSA signatures. The use of a digest
    weaker than the key strength could lead to the generation of signatures that
    were weaker than expected. (CVE-2016-0695)

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2016-May/084023.html
https://lists.centos.org/pipermail/centos-announce/2016-May/084024.html
https://lists.centos.org/pipermail/centos-announce/2016-May/084025.html

Affected packages:
java-1.6.0-openjdk
java-1.6.0-openjdk-demo
java-1.6.0-openjdk-devel
java-1.6.0-openjdk-javadoc
java-1.6.0-openjdk-src

Upstream details at:
https://access.redhat.com/errata/RHSA-2016:0723

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.073 Low

EPSS

Percentile

94.0%