java-1.7.0-openjdk-1.7.0.221-2.6.18.0.0.1.el7.AXS7
エラータID: AXSA:2019-3860:03
リリース日:
2019/04/26 Friday - 09:39
題名:
java-1.7.0-openjdk-1.7.0.221-2.6.18.0.0.1.el7.AXS7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Enhancement]
- Oracle Java SE は、新しい元号、令和 (REIWA) へ対応しました。
[Security Fix]
- Oracle Java SE のコンポーネント (サブコンポーネント:Libraries) には、
ネットワークアクセス可能な認証されていない攻撃者が、停止を引き起こしたり、
頻繁に再現可能なクラッシュ(DoS攻撃)ができる脆弱性があります。(CVE-2019-2602)
- Oracle Java SE のコンポーネント (サブコンポーネント:RMI) には、
ネットワークアクセス可能な認証されていない攻撃者が、不正にデータアクセスすることが
可能な脆弱性があります。(CVE-2019-2684)
- Oracle Java SE のコンポーネント (サブコンポーネント:2D) には、
ネットワークアクセス可能な認証されていない攻撃者が、Java SE を
乗っ取ることができる脆弱性があります。(CVE-2019-2698)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2019-2602
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java SE, Java SE Embedded. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.0 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
CVE-2019-2684
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
CVE-2019-2698
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 7u211 and 8u202. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in takeover of Java SE. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
追加情報:
N/A
ダウンロード:
SRPMS
- java-1.7.0-openjdk-1.7.0.221-2.6.18.0.0.1.el7.AXS7.src.rpm
MD5: a556527f2635eb6d1df73b4804f1ef29
SHA-256: 68176fbed18cfa736fdfa656bb3f9df2f20a39c2f695e0adac2d703f1073d5c0
Size: 39.36 MB
Asianux Server 7 for x86_64
- java-1.7.0-openjdk-1.7.0.221-2.6.18.0.0.1.el7.AXS7.x86_64.rpm
MD5: a64dae048cae64b00d943c9c3d505ace
SHA-256: c6860a50a1e6bfd8ddd549f2022bc43249d3863d414b43a4b003f083466d179c
Size: 241.56 kB - java-1.7.0-openjdk-devel-1.7.0.221-2.6.18.0.0.1.el7.AXS7.x86_64.rpm
MD5: 22a0a6eba62d5c37805ee4ebc3627ecc
SHA-256: c28810c7a7219342eb8a986a0f26836879c4e123fb91948f0aad20489fc5e6d0
Size: 9.22 MB - java-1.7.0-openjdk-headless-1.7.0.221-2.6.18.0.0.1.el7.AXS7.x86_64.rpm
MD5: 9237be141e0a1f6aa7db2bb26b2d2a41
SHA-256: fd93f5dddf4206160a0e7ca1c633ac480f1d65f9a28bd31e65cdc849df6dbf47
Size: 25.66 MB