java-1.7.0-openjdk-1.7.0.221-2.6.18.0.AXS4
エラータID: AXSA:2019-3843:02
リリース日:
2019/04/22 Monday - 17:21
題名:
java-1.7.0-openjdk-1.7.0.221-2.6.18.0.AXS4
影響のあるチャネル:
Asianux Server 4 for x86_64
Asianux Server 4 for x86
Severity:
High
Description:
以下項目について対処しました。
[Enhancement]
- Oracle Java SE は、新しい元号、令和(REIWA)へ対応しました。
[Security Fix]
- Oracle Java SE のコンポーネント (サブコンポーネント:Libraries) には、
ネットワークアクセス可能な認証されていない攻撃者が、停止を引き起こしたり、
頻繁に再現可能なクラッシュ(DoS攻撃)ができる脆弱性があります。(CVE-2019-2602)
- Oracle Java SE のコンポーネント (サブコンポーネント:RMI) には、ネットワー
クアクセス可能な認証されていない攻撃者が、不正にデータアクセスすることが可能な
脆弱性があります。(CVE-2019-2684)
- Oracle Java SE のコンポーネント (サブコンポーネント:2D) には、ネットワーク
アクセス可能な認証されていない攻撃者が、Java SE を乗っ取ることができる脆弱性が
あります。(CVE-2019-2698)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2019-2602
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2019-2684
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2019-2698
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
追加情報:
N/A
ダウンロード:
SRPMS
- java-1.7.0-openjdk-1.7.0.221-2.6.18.0.AXS4.src.rpm
MD5: c48933cb5ead1bf1fcb4705cb6ae51ec
SHA-256: 7f50896b07768310415dc5e33fc6e7605dbe1b33ab72ca0fdb432ea369b2b45f
Size: 39.46 MB
Asianux Server 4 for x86
- java-1.7.0-openjdk-1.7.0.221-2.6.18.0.AXS4.i686.rpm
MD5: 9d52f6d1012d6a8586f548294749cbde
SHA-256: b3b5379165a7848c5a4bf12a856cdf1af39aa9133f274f01286cc26864976613
Size: 27.78 MB - java-1.7.0-openjdk-devel-1.7.0.221-2.6.18.0.AXS4.i686.rpm
MD5: 6d2f1b3516e418357107cf72a13bd80a
SHA-256: 8ca1cd25d2d44a09a893d3c370242725389c0a1ce38065f44fbb27d84df60677
Size: 9.48 MB
Asianux Server 4 for x86_64
- java-1.7.0-openjdk-1.7.0.221-2.6.18.0.AXS4.x86_64.rpm
MD5: d94be422d3ee32532026b3841ce94874
SHA-256: d3d16022dc37fe2cc2a911056fc125bd217f735b5bcd29101e7968ab2a32c1ba
Size: 26.54 MB - java-1.7.0-openjdk-devel-1.7.0.221-2.6.18.0.AXS4.x86_64.rpm
MD5: 44134ff79d94484ed03b59dcc68b72f1
SHA-256: 35c4240324f34d27906b42aad60914e34a9a0da7d60e47a2324ccce7fab19692
Size: 9.48 MB