java-1.8.0-openjdk-1.8.0.151-1.b12.AXS4

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment
and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

* Multiple flaws were discovered in the RMI and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-10285, CVE-2017-10346)

* It was discovered that the Kerberos client implementation in the Libraries component of OpenJDK used the sname field from the plain text part rather than encrypted part of the KDC reply message. A man-in-the-middle attacker could possibly use this flaw to impersonate Kerberos services to Java applications acting as Kerberos clients. (CVE-2017-10388)

* It was discovered that the Security component of OpenJDK generated weak password-based encryption keys used to protect private keys stored in key stores. This made it easier to perform password guessing attacks to decrypt stored keys if an attacker could gain access to a key store. (CVE-2017-10356)

* A flaw was found in the Smart Card IO component in OpenJDK. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions. (CVE-2017-10274)

* It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server. (CVE-2017-10355)

* It was found that the HttpURLConnection and HttpsURLConnection classes in the Networking component of OpenJDK failed to check for newline characters embedded in URLs. An attacker able to make a Java application perform an HTTP request using an attacker provided URL could possibly inject additional headers into the request. (CVE-2017-10295)

* It was discovered that multiple classes in the JAXP, Serialization, Libraries, and JAX-WS components of OpenJDK did not limit the amount of memory allocated when creating object instances from the serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized. (CVE-2017-10349, CVE-2017-10357, CVE-2017-10347, CVE-2017-10281, CVE-2017-10345, CVE-2017-10348, CVE-2017-10350)

Note: If the web browser plug-in provided by the icedtea-web package was
installed, the issues exposed via Java applets could have been exploited
without user interaction if a user visited a malicious website.

CVE-2017-10274
Vulnerability in the Java SE component of Oracle Java SE
(subcomponent: Smart Card IO). Supported versions that are affected
are Java SE: 6u161, 7u151, 8u144 and 9. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE. Successful attacks require
human interaction from a person other than the attacker. Successful
attacks of this vulnerability can result in unauthorized creation,
deletion or modification access to critical data or all Java SE
accessible data as well as unauthorized access to critical data or
complete access to all Java SE accessible data. Note: This
vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes from
the internet) and rely on the Java sandbox for security. This
vulnerability does not apply to Java deployments, typically in
servers, that load and run only trusted code (e.g., code installed by
an administrator). CVSS 3.0 Base Score 6.8 (Confidentiality and
Integrity impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).
CVE-2017-10281
Vulnerability in the Java SE, Java SE Embedded, JRockit component of
Oracle Java SE (subcomponent: Serialization). Supported versions that
are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded, JRockit. Successful attacks of
this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded,
JRockit. Note: This vulnerability can be exploited through sandboxed
Java Web Start applications and sandboxed Java applets. It can also be
exploited by supplying data to APIs in the specified Component without
using sandboxed Java Web Start applications or sandboxed Java applets,
such as through a web service. CVSS 3.0 Base Score 5.3 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10285
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: RMI). Supported versions that are affected are
Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily
exploitable vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks require human interaction from a person other than
the attacker and while the vulnerability is in Java SE, Java SE
Embedded, attacks may significantly impact additional products.
Successful attacks of this vulnerability can result in takeover of
Java SE, Java SE Embedded. Note: This vulnerability applies to Java
deployments, typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run untrusted
code (e.g., code that comes from the internet) and rely on the Java
sandbox for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only trusted code
(e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6
(Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
CVE-2017-10295
Vulnerability in the Java SE, Java SE Embedded, JRockit component of
Oracle Java SE (subcomponent: Networking). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via HTTP to compromise
Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java
SE, Java SE Embedded, JRockit, attacks may significantly impact
additional products. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to some of Java
SE, Java SE Embedded, JRockit accessible data. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 4.0 (Integrity impacts).
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N).
CVE-2017-10345
Vulnerability in the Java SE, Java SE Embedded, JRockit component of
Oracle Java SE (subcomponent: Serialization). Supported versions that
are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded, JRockit. Successful attacks
require human interaction from a person other than the attacker.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE,
Java SE Embedded, JRockit. Note: This vulnerability can be exploited
through sandboxed Java Web Start applications and sandboxed Java
applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start
applications or sandboxed Java applets, such as through a web service.
CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).
CVE-2017-10346
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: Hotspot). Supported versions that are affected
are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via multiple protocols to compromise Java SE, Java SE
Embedded. Successful attacks require human interaction from a person
other than the attacker and while the vulnerability is in Java SE,
Java SE Embedded, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in
takeover of Java SE, Java SE Embedded. Note: This vulnerability
applies to Java deployments, typically in clients running sandboxed
Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability does not apply to
Java deployments, typically in servers, that load and run only trusted
code (e.g., code installed by an administrator). CVSS 3.0 Base Score
9.6 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
CVE-2017-10347
Vulnerability in the Java SE, JRockit component of Oracle Java SE
(subcomponent: Serialization). Supported versions that are affected
are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via multiple protocols to compromise Java SE, JRockit.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE,
JRockit. Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start applications or
sandboxed Java applets, that load and run untrusted code (e.g., code
that comes from the internet) and rely on the Java sandbox for
security. This vulnerability does not apply to Java deployments,
typically in servers, that load and run only trusted code (e.g., code
installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10348
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: Libraries). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144. Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java
SE, Java SE Embedded. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability
applies to Java deployments, typically in clients running sandboxed
Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability does not apply to
Java deployments, typically in servers, that load and run only trusted
code (e.g., code installed by an administrator). CVSS 3.0 Base Score
5.3 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10349
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: JAXP). Supported versions that are affected are
Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily
exploitable vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE,
Java SE Embedded. Note: This vulnerability applies to Java
deployments, typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run untrusted
code (e.g., code that comes from the internet) and rely on the Java
sandbox for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only trusted code
(e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3
(Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10350
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: JAX-WS). Supported versions that are affected
are Java SE: 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily
exploitable vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE,
Java SE Embedded. Note: This vulnerability applies to Java
deployments, typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run untrusted
code (e.g., code that comes from the internet) and rely on the Java
sandbox for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only trusted code
(e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3
(Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10355
Vulnerability in the Java SE, Java SE Embedded, JRockit component of
Oracle Java SE (subcomponent: Networking). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded, JRockit. Successful attacks of
this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded,
JRockit. Note: This vulnerability can be exploited through sandboxed
Java Web Start applications and sandboxed Java applets. It can also be
exploited by supplying data to APIs in the specified Component without
using sandboxed Java Web Start applications or sandboxed Java applets,
such as through a web service. CVSS 3.0 Base Score 5.3 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10356
Vulnerability in the Java SE, Java SE Embedded, JRockit component of
Oracle Java SE (subcomponent: Security). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Java
SE, Java SE Embedded, JRockit executes to compromise Java SE, Java SE
Embedded, JRockit. Successful attacks of this vulnerability can result
in unauthorized access to critical data or complete access to all Java
SE, Java SE Embedded, JRockit accessible data. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 6.2 (Confidentiality
impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2017-10357
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: Serialization). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144. Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java
SE, Java SE Embedded. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability
applies to Java deployments, typically in clients running sandboxed
Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability does not apply to
Java deployments, typically in servers, that load and run only trusted
code (e.g., code installed by an administrator). CVSS 3.0 Base Score
5.3 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10388
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: Libraries). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144. Difficult to exploit vulnerability allows unauthenticated
attacker with network access via Kerberos to compromise Java SE, Java
SE Embedded. Successful attacks require human interaction from a
person other than the attacker. Successful attacks of this
vulnerability can result in takeover of Java SE, Java SE Embedded.
Note: Applies to the Java SE Kerberos client. CVSS 3.0 Base Score 7.5
(Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).