java-1.8.0-openjdk-1.8.0.262.b10-0.el7
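Errata ID: AXSA:2020-221:11
The following issues have been addressed.
[Security Fix]
- The Libraries component of Java SE contains a difficult-to-exploit vulnerability
that allows an unauthenticated attacker with network access to update, insert,
or delete Java SE data. (CVE-2020-14556)
- The JSSE component of Java SE contains a difficult-to-exploit vulnerability
that allows an unauthenticated attacker with network access via TLS to read Java SE data.
(CVE-2020-14577)
- The Libraries component of Java SE contains a difficult-to-exploit vulnerability
that allows an unauthenticated attacker with network access to cause a partial
denial of service of Java SE. (CVE-2020-14578)
- The Libraries component of Java SE contains a difficult-to-exploit vulnerability
that allows an unauthenticated attacker with network access to cause a partial
denial of service of Java SE. (CVE-2020-14579)
- The Libraries component of Java SE contains a difficult-to-exploit vulnerability
that allows takeover of Java SE by an unauthenticated attacker with network
access. (CVE-2020-14583)
- The 2D component of Java SE contains an easily exploitable vulnerability
that allows an unauthenticated attacker with network access to create, delete,
or modify critical Java SE data. (CVE-2020-14593)
- The JAXP component of Java SE contains a vulnerability that allows
an unauthenticated attacker with network access to update, insert, or delete
Java SE data. (CVE-2020-14621)
Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/
Please update the packages.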
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JSSE). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261 and 8u251; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: 2D). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N).
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u261, 8u251, 11.0.7 and 14.0.1; Java SE Embedded: 8u251. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. CVSS 3.1 Base Score 5.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
N/A
SRPMS
- java-1.8.0-openjdk-1.8.0.262.b10-0.el7.src.rpm
MD5: d4762c0f2960abc360d72bf2327c4bec
SHA-256: ba65b8aca3544b75f609340accd2c2b0ae7dbc29af864a9b2c11dfebcdc86682
Size: 55.12 MB
Asianux Server 7 for x86_64
- java-1.8.0-openjdk-1.8.0.262.b10-0.el7.x86_64.rpm
MD5: aac16ccd1d9f57cd71f408a6c9bd3b45
SHA-256: e8d8688071e5fea4b3e132641dcbab16a7a9272da8e23b11350917405df07198
Size: 297.92 kB
- java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7.x86_64.rpm
MD5: 5bef930dfe80a3e8c812eb69f36392e9
SHA-256: 486ad3386fe4aac6d141da1bde92af7619a2888dac6d5f92dc364ffb9613bf81
Size: 9.81 MB
- java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7.x86_64.rpm
MD5: cab8dc6527be85cfb8d9870b5a634b78
SHA-256: b1ccc3fe6b63a7fd8c2f8751b232845ee1fc46b5738bf7a30e832b888ca61e64
Size: 32.72 MB
- java-1.8.0-openjdk-1.8.0.262.b10-0.el7.i686.rpm
MD5: 7a22d7a7765e2284365a5bcb7db0d400
SHA-256: a9f46df01218e9ff37c125e0d83d8cc72735cf9767b9b4e8450bab160158f8af
Size: 297.57 kB
- java-1.8.0-openjdk-devel-1.8.0.262.b10-0.el7.i686.rpm
MD5: 8b82a87e3e18bb5ad8b64b64ebfa94af
SHA-256: 8cb3b45cda0133d3dbde4b73b718f5bfd6bdd9fc729a9c2dc3725dbb5acfd585
Size: 9.81 MB
- java-1.8.0-openjdk-headless-1.8.0.262.b10-0.el7.i686.rpm
MD5: 6727d9323b0cdac2fd146e4308d10da9
SHA-256: 8ce26b562216b306f16eaa5ad2d9787f3cddb2861af0c6637343a9998e84f973
Size: 32.03 MB