java-1.8.0-openjdk-1.8.0.212.b04-0.AXS4
エラータID: AXSA:2019-3838:02
リリース日:
2019/04/17 Wednesday - 18:36
題名:
java-1.8.0-openjdk-1.8.0.212.b04-0.AXS4
影響のあるチャネル:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
以下項目について対処しました。
[Enhancement]
- Oracle Java SE は、新しい元号、令和(REIWA)へ対応しました。
[Security Fix]
- Oracle Java SE のコンポーネント (サブコンポーネント:Libraries) には、
ネットワークアクセス可能な認証されていない攻撃者が、停止を引き起こしたり、
頻繁に再現可能なクラッシュ(DoS攻撃)ができる脆弱性があります。(CVE-2019-2602)
- Oracle Java SE のコンポーネント (サブコンポーネント:RMI) には、ネットワー
クアクセス可能な認証されていない攻撃者が、不正にデータアクセスすることが可能な
脆弱性があります。(CVE-2019-2684)
- Oracle Java SE のコンポーネント (サブコンポーネント:2D) には、ネットワーク
アクセス可能な認証されていない攻撃者が、Java SE を乗っ取ることができる脆弱性が
あります。(CVE-2019-2698)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2019-2602
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2019-2684
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2019-2698
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
追加情報:
N/A
ダウンロード:
SRPMS
- java-1.8.0-openjdk-1.8.0.212.b04-0.AXS4.src.rpm
MD5: ac6db8b6ee67fb6b9c4f15906944a3e4
SHA-256: a176b01a3f93c310b8e3220272790ecc3c5b7f9f1748562b52c8b8bcf0a090ec
Size: 53.54 MB
Asianux Server 4 for x86
- java-1.8.0-openjdk-1.8.0.212.b04-0.AXS4.i686.rpm
MD5: e1ca2035b2ca73e247e258b637da2821
SHA-256: acdb851480f9c692ce258b03547cc798c79ad8b941d2c89951b1ae4a2925606c
Size: 213.91 kB - java-1.8.0-openjdk-devel-1.8.0.212.b04-0.AXS4.i686.rpm
MD5: 0cb3e9829df926d350528a5bc587a477
SHA-256: 6caf8991eac725ebcb8dff3a0f09d84cc8d41fcabb641822f8e4f6cd93432692
Size: 10.09 MB - java-1.8.0-openjdk-headless-1.8.0.212.b04-0.AXS4.i686.rpm
MD5: cd6c2c0b67cc1a7cb29a7556361b281c
SHA-256: 2e3d753b45657371d2a5c2868d8c5dd7f7fb3bc0cb37c6040c01368c66d26dc0
Size: 31.53 MB
Asianux Server 4 for x86_64
- java-1.8.0-openjdk-1.8.0.212.b04-0.AXS4.x86_64.rpm
MD5: 549d56b2c475ea6c9961f2e25430421b
SHA-256: 26e5b37d34f8578e4cbcad75c698145c9b3cfa2def85415927aa132973f9ce98
Size: 227.02 kB - java-1.8.0-openjdk-devel-1.8.0.212.b04-0.AXS4.x86_64.rpm
MD5: f26665a7f19d22a564864e79045d30c2
SHA-256: 266439679d2e759b32d93b1c963bce351af64ef97cd510ee944e7a8c49034ccb
Size: 10.09 MB - java-1.8.0-openjdk-headless-1.8.0.212.b04-0.AXS4.x86_64.rpm
MD5: 398052cb27c5833b2ad303ae39c146c2
SHA-256: 976f200d5e5927bc1ce22a528b6245787ff0243835f8f8ef4095dc0e7b3cf851
Size: 32.15 MB
English