java-1.7.0-openjdk-1.7.0.161-2.6.12.0.0.1.el7.AXS7

エラータID: AXSA:2017-2478:04

Release date: 
Thursday, December 14, 2017 - 10:24
Subject: 
java-1.7.0-openjdk-1.7.0.161-2.6.12.0.0.1.el7.AXS7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The java-1.7.0-openjdk packages provide the OpenJDK 7 Java Runtime Environment and the OpenJDK 7 Java Software Development Kit.

Security Fix(es):

* Multiple flaws were discovered in the RMI and Hotspot components in OpenJDK. An untrusted Java application or applet could use these flaws to completely bypass Java sandbox restrictions. (CVE-2017-10285, CVE-2017-10346)

* It was discovered that the Kerberos client implementation in the Libraries component of OpenJDK used the sname field from the plain text part rather than encrypted part of the KDC reply message. A man-in-the-middle attacker could possibly use this flaw to impersonate Kerberos services to Java applications acting as Kerberos clients. (CVE-2017-10388)

* It was discovered that the Security component of OpenJDK generated weak password-based encryption keys used to protect private keys stored in key stores. This made it easier to perform password guessing attacks to decrypt stored keys if an attacker could gain access to a key store. (CVE-2017-10356)

* Multiple flaws were found in the Smart Card IO and Security components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2017-10274, CVE-2017-10193)

* It was found that the FtpClient implementation in the Networking component of OpenJDK did not set connect and read timeouts by default. A malicious FTP server or a man-in-the-middle attacker could use this flaw to block execution of a Java application connecting to an FTP server. (CVE-2017-10355)

* It was found that the HttpURLConnection and HttpsURLConnection classes in the Networking component of OpenJDK failed to check for newline characters embedded in URLs. An attacker able to make a Java application perform an HTTP request using an attacker provided URL could possibly inject additional headers into the request. (CVE-2017-10295)

* It was discovered that the Security component of OpenJDK could fail to properly enforce restrictions defined for processing of X.509 certificate chains. A remote attacker could possibly use this flaw to make Java accept certificate using one of the disabled algorithms. (CVE-2017-10198)

* It was discovered that multiple classes in the JAXP, Serialization, Libraries, and JAX-WS components of OpenJDK did not limit the amount of memory allocated when creating object instances from the serialized form. A specially-crafted input could cause a Java application to use an excessive amount of memory when deserialized. (CVE-2017-10349, CVE-2017-10357, CVE-2017-10347, CVE-2017-10281, CVE-2017-10345, CVE-2017-10348, CVE-2017-10350)

Bug Fix(es):

* Previously, OpenJDK could not handle situations when the kernel blocked on a read even when polling the socket indicated that a read is possible. As a consequence, OpenJDK could hang indefinitely. With this update, OpenJDK polls with a timeout and performs a non-blocking read on success, and it no longer hangs in these situations. (BZ#1508357)

CVE-2017-10193
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: Security). Supported versions that are affected
are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131.
Difficult to exploit vulnerability allows unauthenticated attacker
with network access via multiple protocols to compromise Java SE, Java
SE Embedded. Successful attacks require human interaction from a
person other than the attacker. Successful attacks of this
vulnerability can result in unauthorized read access to a subset of
Java SE, Java SE Embedded accessible data. Note: This vulnerability
applies to Java deployments, typically in clients running sandboxed
Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability does not apply to
Java deployments, typically in servers, that load and run only trusted
code (e.g., code installed by an administrator). CVSS 3.0 Base Score
3.1 (Confidentiality impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).
CVE-2017-10198
Vulnerability in the Java SE, Java SE Embedded, JRockit component of
Oracle Java SE (subcomponent: Security). Supported versions that are
affected are Java SE: 6u151, 7u141 and 8u131; Java SE Embedded: 8u131;
JRockit: R28.3.14. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded, JRockit. While the vulnerability
is in Java SE, Java SE Embedded, JRockit, attacks may significantly
impact additional products. Successful attacks of this vulnerability
can result in unauthorized access to critical data or complete access
to all Java SE, Java SE Embedded, JRockit accessible data. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 6.8 (Confidentiality
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
CVE-2017-10274
Vulnerability in the Java SE component of Oracle Java SE
(subcomponent: Smart Card IO). Supported versions that are affected
are Java SE: 6u161, 7u151, 8u144 and 9. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE. Successful attacks require
human interaction from a person other than the attacker. Successful
attacks of this vulnerability can result in unauthorized creation,
deletion or modification access to critical data or all Java SE
accessible data as well as unauthorized access to critical data or
complete access to all Java SE accessible data. Note: This
vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes from
the internet) and rely on the Java sandbox for security. This
vulnerability does not apply to Java deployments, typically in
servers, that load and run only trusted code (e.g., code installed by
an administrator). CVSS 3.0 Base Score 6.8 (Confidentiality and
Integrity impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N).
CVE-2017-10281
Vulnerability in the Java SE, Java SE Embedded, JRockit component of
Oracle Java SE (subcomponent: Serialization). Supported versions that
are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded, JRockit. Successful attacks of
this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded,
JRockit. Note: This vulnerability can be exploited through sandboxed
Java Web Start applications and sandboxed Java applets. It can also be
exploited by supplying data to APIs in the specified Component without
using sandboxed Java Web Start applications or sandboxed Java applets,
such as through a web service. CVSS 3.0 Base Score 5.3 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10285
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: RMI). Supported versions that are affected are
Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily
exploitable vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks require human interaction from a person other than
the attacker and while the vulnerability is in Java SE, Java SE
Embedded, attacks may significantly impact additional products.
Successful attacks of this vulnerability can result in takeover of
Java SE, Java SE Embedded. Note: This vulnerability applies to Java
deployments, typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run untrusted
code (e.g., code that comes from the internet) and rely on the Java
sandbox for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only trusted code
(e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6
(Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
CVE-2017-10295
Vulnerability in the Java SE, Java SE Embedded, JRockit component of
Oracle Java SE (subcomponent: Networking). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via HTTP to compromise
Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java
SE, Java SE Embedded, JRockit, attacks may significantly impact
additional products. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to some of Java
SE, Java SE Embedded, JRockit accessible data. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 4.0 (Integrity impacts).
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N).
CVE-2017-10345
Vulnerability in the Java SE, Java SE Embedded, JRockit component of
Oracle Java SE (subcomponent: Serialization). Supported versions that
are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144; JRockit: R28.3.15. Difficult to exploit vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded, JRockit. Successful attacks
require human interaction from a person other than the attacker.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE,
Java SE Embedded, JRockit. Note: This vulnerability can be exploited
through sandboxed Java Web Start applications and sandboxed Java
applets. It can also be exploited by supplying data to APIs in the
specified Component without using sandboxed Java Web Start
applications or sandboxed Java applets, such as through a web service.
CVSS 3.0 Base Score 3.1 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L).
CVE-2017-10346
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: Hotspot). Supported versions that are affected
are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via multiple protocols to compromise Java SE, Java SE
Embedded. Successful attacks require human interaction from a person
other than the attacker and while the vulnerability is in Java SE,
Java SE Embedded, attacks may significantly impact additional
products. Successful attacks of this vulnerability can result in
takeover of Java SE, Java SE Embedded. Note: This vulnerability
applies to Java deployments, typically in clients running sandboxed
Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability does not apply to
Java deployments, typically in servers, that load and run only trusted
code (e.g., code installed by an administrator). CVSS 3.0 Base Score
9.6 (Confidentiality, Integrity and Availability impacts). CVSS
Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
CVE-2017-10347
Vulnerability in the Java SE, JRockit component of Oracle Java SE
(subcomponent: Serialization). Supported versions that are affected
are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144.
Easily exploitable vulnerability allows unauthenticated attacker with
network access via multiple protocols to compromise Java SE, JRockit.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE,
JRockit. Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start applications or
sandboxed Java applets, that load and run untrusted code (e.g., code
that comes from the internet) and rely on the Java sandbox for
security. This vulnerability does not apply to Java deployments,
typically in servers, that load and run only trusted code (e.g., code
installed by an administrator). CVSS 3.0 Base Score 5.3 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10348
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: Libraries). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144. Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java
SE, Java SE Embedded. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability
applies to Java deployments, typically in clients running sandboxed
Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability does not apply to
Java deployments, typically in servers, that load and run only trusted
code (e.g., code installed by an administrator). CVSS 3.0 Base Score
5.3 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10349
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: JAXP). Supported versions that are affected are
Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily
exploitable vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE,
Java SE Embedded. Note: This vulnerability applies to Java
deployments, typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run untrusted
code (e.g., code that comes from the internet) and rely on the Java
sandbox for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only trusted code
(e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3
(Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10350
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: JAX-WS). Supported versions that are affected
are Java SE: 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily
exploitable vulnerability allows unauthenticated attacker with network
access via multiple protocols to compromise Java SE, Java SE Embedded.
Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Java SE,
Java SE Embedded. Note: This vulnerability applies to Java
deployments, typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run untrusted
code (e.g., code that comes from the internet) and rely on the Java
sandbox for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only trusted code
(e.g., code installed by an administrator). CVSS 3.0 Base Score 5.3
(Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10355
Vulnerability in the Java SE, Java SE Embedded, JRockit component of
Oracle Java SE (subcomponent: Networking). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows
unauthenticated attacker with network access via multiple protocols to
compromise Java SE, Java SE Embedded, JRockit. Successful attacks of
this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded,
JRockit. Note: This vulnerability can be exploited through sandboxed
Java Web Start applications and sandboxed Java applets. It can also be
exploited by supplying data to APIs in the specified Component without
using sandboxed Java Web Start applications or sandboxed Java applets,
such as through a web service. CVSS 3.0 Base Score 5.3 (Availability
impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10356
Vulnerability in the Java SE, Java SE Embedded, JRockit component of
Oracle Java SE (subcomponent: Security). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144; JRockit: R28.3.15. Easily exploitable vulnerability allows
unauthenticated attacker with logon to the infrastructure where Java
SE, Java SE Embedded, JRockit executes to compromise Java SE, Java SE
Embedded, JRockit. Successful attacks of this vulnerability can result
in unauthorized access to critical data or complete access to all Java
SE, Java SE Embedded, JRockit accessible data. Note: This
vulnerability can be exploited through sandboxed Java Web Start
applications and sandboxed Java applets. It can also be exploited by
supplying data to APIs in the specified Component without using
sandboxed Java Web Start applications or sandboxed Java applets, such
as through a web service. CVSS 3.0 Base Score 6.2 (Confidentiality
impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
CVE-2017-10357
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: Serialization). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144. Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Java
SE, Java SE Embedded. Successful attacks of this vulnerability can
result in unauthorized ability to cause a partial denial of service
(partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability
applies to Java deployments, typically in clients running sandboxed
Java Web Start applications or sandboxed Java applets, that load and
run untrusted code (e.g., code that comes from the internet) and rely
on the Java sandbox for security. This vulnerability does not apply to
Java deployments, typically in servers, that load and run only trusted
code (e.g., code installed by an administrator). CVSS 3.0 Base Score
5.3 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
CVE-2017-10388
Vulnerability in the Java SE, Java SE Embedded component of Oracle
Java SE (subcomponent: Libraries). Supported versions that are
affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded:
8u144. Difficult to exploit vulnerability allows unauthenticated
attacker with network access via Kerberos to compromise Java SE, Java
SE Embedded. Successful attacks require human interaction from a
person other than the attacker. Successful attacks of this
vulnerability can result in takeover of Java SE, Java SE Embedded.
Note: Applies to the Java SE Kerberos client. CVSS 3.0 Base Score 7.5
(Confidentiality, Integrity and Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. java-1.7.0-openjdk-1.7.0.161-2.6.12.0.0.1.el7.AXS7.src.rpm
    MD5: 4ce4d0cf53a80294e50986bc400b68d9
    SHA-256: 22c732de0f4628937bfd1cb1a2ddfeaf043b9de5dfb2ffbbe9bf4d0f913fb21c
    Size: 39.18 MB

Asianux Server 7 for x86_64
  1. java-1.7.0-openjdk-1.7.0.161-2.6.12.0.0.1.el7.AXS7.x86_64.rpm
    MD5: 458613257d78992bb724c7f6a2f5b4e8
    SHA-256: 1527b92440e4ca5d0eecb1457386a45fefca58f39fb73451701d62e22062b166
    Size: 232.64 kB
  2. java-1.7.0-openjdk-devel-1.7.0.161-2.6.12.0.0.1.el7.AXS7.x86_64.rpm
    MD5: 7e6564b50bc5ddeb50ac49a4c9cd99df
    SHA-256: 4ded4d42862dfb168b3b564010439c4a897111ea70d648bef2683a27afb481f2
    Size: 9.15 MB
  3. java-1.7.0-openjdk-headless-1.7.0.161-2.6.12.0.0.1.el7.AXS7.x86_64.rpm
    MD5: 6569a0450686462f87c5ce778277f3e4
    SHA-256: 3a5a9da2cae5cc0e251df75316f599cdccc8177bbf03c89c1e2f85a973261f43
    Size: 25.50 MB