-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1213
                         OpenJDK 8 vulnerabilities
                                 12 May 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openjdk-8-jre
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Increased Privileges           -- Existing Account
                   Modify Arbitrary Files         -- Remote with User Interaction
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3544 CVE-2017-3539 CVE-2017-3533 CVE-2017-3526
                   CVE-2017-3511 CVE-2017-3509
Reference:         ASB-2017.0056 ESB-2017.1185 ESB-2017.1166 ESB-2017.1160
                   ESB-2017.1157 ESB-2017.1154

Original Bulletin:
   http://www.ubuntu.com/usn/usn-3275-1

- --------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3275-1
May 11, 2017

openjdk-8 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 17.04
- - Ubuntu 16.10
- - Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in OpenJDK 8.

Software Description:
- - openjdk-8: Open Source Java implementation

Details:

It was discovered that OpenJDK improperly re-used cached NTLM connections
in some situations. A remote attacker could possibly use this to cause a
Java application to perform actions with the credentials of a different
user. (CVE-2017-3509)

It was discovered that an untrusted library search path flaw existed in
the Java Cryptography Extension (JCE) component of OpenJDK. A local
attacker could possibly use this to gain the privileges of a Java
application. (CVE-2017-3511)

It was discovered that the Java API for XML Processing (JAXP) component in
OpenJDK did not properly enforce size limits when parsing XML documents.
An attacker could use this to cause a denial of service (processor and
memory consumption). (CVE-2017-3526)

It was discovered that the FTP client implementation in OpenJDK did not
properly sanitize user inputs. If a user was tricked into opening a
specially crafted FTP URL, a remote attacker could use this to manipulate
the FTP connection. (CVE-2017-3533)

It was discovered that OpenJDK allowed MD5 to be used as an algorithm for
JAR integrity verification. An attacker could possibly use this to modify
the contents of a JAR file without detection. (CVE-2017-3539)

It was discovered that the SMTP client implementation in OpenJDK did not
properly sanitize sender and recipient addresses. A remote attacker could
use this to specially craft email addresses and gain control of a Java
application's SMTP connections. (CVE-2017-3544)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  openjdk-8-jre                   8u131-b11-0ubuntu1.17.04.1
  openjdk-8-jre-headless          8u131-b11-0ubuntu1.17.04.1
  openjdk-8-jre-zero              8u131-b11-0ubuntu1.17.04.1

Ubuntu 16.10:
  openjdk-8-jre                   8u131-b11-0ubuntu1.16.10.2
  openjdk-8-jre-headless          8u131-b11-0ubuntu1.16.10.2
  openjdk-8-jre-jamvm             8u131-b11-0ubuntu1.16.10.2
  openjdk-8-jre-zero              8u131-b11-0ubuntu1.16.10.2

Ubuntu 16.04 LTS:
  openjdk-8-jre                   8u131-b11-0ubuntu1.16.04.2
  openjdk-8-jre-headless          8u131-b11-0ubuntu1.16.04.2
  openjdk-8-jre-jamvm             8u131-b11-0ubuntu1.16.04.2
  openjdk-8-jre-zero              8u131-b11-0ubuntu1.16.04.2

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.
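The CVE-2017-3539 entry above concerns MD5 being accepted for JAR integrity verification. A defender's follow-up after applying the update is to find which JARs in an environment were signed with MD5 digests, since those are the ones whose signatures depend on the weak algorithm. The script below is an added example, not part of the Ubuntu notice or the AusCERT bulletin: it opens a JAR, joins manifest continuation lines, and lists every `MD5-Digest*` attribute in `META-INF/MANIFEST.MF` and the `META-INF/*.SF` signature files. It inspects digest attributes only, not the signature algorithm inside the `.RSA`/`.DSA` signature block; `build_sample_jar()` constructs a minimal in-memory JAR skeleton for the demonstration and is not a real signed artifact.

```python
"""Find JAR manifest and signature files that rely on MD5 digests.

Added example, not part of the Ubuntu notice or the AusCERT bulletin. The
JAR produced by build_sample_jar() is constructed in memory for the demo.
"""
import io
import sys
import zipfile


def _manifest_lines(text: str) -> list:
    """Join manifest continuation lines (a line starting with one space
    continues the previous one) so each attribute is a single string."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def md5_digest_attributes(jar_bytes: bytes) -> dict:
    """Return {member: [attribute names]} for every attribute in
    META-INF/MANIFEST.MF or a META-INF/*.SF file whose name starts with
    'MD5-Digest' (MD5-Digest, MD5-Digest-Manifest, ...)."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for member in zf.namelist():
            upper = member.upper()
            if upper != "META-INF/MANIFEST.MF" and not (
                    upper.startswith("META-INF/") and upper.endswith(".SF")):
                continue
            text = zf.read(member).decode("utf-8", errors="replace")
            names = []
            for line in _manifest_lines(text):
                attr, sep, _ = line.partition(":")
                if sep and attr.strip().upper().startswith("MD5-DIGEST"):
                    names.append(attr.strip())
            if names:
                hits[member] = names
    return hits


def scan_jar_file(path: str) -> dict:
    """Convenience wrapper for a JAR on disk."""
    with open(path, "rb") as fh:
        return md5_digest_attributes(fh.read())


def build_sample_jar(digest_name: str = "MD5-Digest") -> bytes:
    """Constructed signed-JAR skeleton (no real signature block) whose
    manifest and .SF file use the given digest attribute name."""
    placeholder = "AAAAAAAAAAAAAAAAAAAAAA=="  # constructed, not a real digest
    manifest = (
        "Manifest-Version: 1.0\r\n"
        "\r\n"
        "Name: com/example/App.class\r\n"
        f"{digest_name}: {placeholder}\r\n"
        "\r\n"
    )
    sf = (
        "Signature-Version: 1.0\r\n"
        f"{digest_name}-Manifest: {placeholder}\r\n"
        "\r\n"
        "Name: com/example/App.class\r\n"
        f"{digest_name}: {placeholder}\r\n"
        "\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("META-INF/SIGNER.SF", sf)
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        print("sample jar:", md5_digest_attributes(build_sample_jar()))
    for p in paths:
        print(p, scan_jar_file(p) or "no MD5 digest attributes")
```

Run it with one or more JAR paths to scan real files, or with no arguments to see the result on the constructed sample. A JAR whose only digests are SHA-256 (pass `"SHA-256-Digest"` to `build_sample_jar()` to see one) yields an empty result.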
References:
  http://www.ubuntu.com/usn/usn-3275-1
  CVE-2017-3509, CVE-2017-3511, CVE-2017-3526, CVE-2017-3533,
  CVE-2017-3539, CVE-2017-3544

Package Information:
  https://launchpad.net/ubuntu/+source/openjdk-8/8u131-b11-0ubuntu1.17.04.1
  https://launchpad.net/ubuntu/+source/openjdk-8/8u131-b11-0ubuntu1.16.10.2
  https://launchpad.net/ubuntu/+source/openjdk-8/8u131-b11-0ubuntu1.16.04.2

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWRVh14x+lLeg9Ub1AQiCSA/5ATj6QgHAgBbrv9wojQiOdKBAdz6We5KU
dixjLXLR8UtMfLYYDxj/sou5BpaW96Wur1uI0XmN/xS7hvYg0gAOQvfFUn1eP50E
eAFeb2QPEjrNOxmJyh1r8YVysLDfKOmRFvchkWKwLZcY46PN1MXbBBkH5a4hJTeI
XlKuoRG7mDT8jim7hoCtrJl1uPX91uIvunajE0yCuZUFIjvzxcpmg+daEP4eRzPS
s5WepwLjPqL42FH9wpDna6XqBSy5vX2nwOsMssgDJZCOu+hxiYo2sBytT5DDRHmC
aeCx1I2ghJZO9mVFgmwYLJZY+KWWUUrdVtuk4dFo3caaZPWJuIb8w32zqVzskjbU
96lxaGz/3SoGcxnmoQxGTQ++5gxs65SaBIKprupROoFrNKHi15ORQSCZvm4nC2jI
T3AXBQ05813d2dfwWSK8AmcWf8FwBVWoKKD/LmcStqXcpl226WUj95X1/bS6SCAm
581WKqOhtF2GKm+3Oc23NiIACS9nRKHFJBnA0KQD8t/i2Mguy9xvNwPbWMQM1V75
rgrLGq6L4xf2YCnIiXQ+xDbH69g8s5hmDY1yko1IfguwSJPkUDALVCkCVxVeT0QE
vpvk23h40tAvERjDHlBhqfHPmZXok7rCnl+cVndelvDWt//tlU1hWCXvplSLnbQu
DsGbOIpms5A=
=CXoT
-----END PGP SIGNATURE-----