Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.2144 Critical: java-1.8.0-oracle security update 25 July 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: java-1.8.0-oracle Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux WS/Desktop 6 Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Read-only Data Access -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-2973 CVE-2018-2964 CVE-2018-2952 CVE-2018-2941 CVE-2018-2940 Reference: ASB-2018.0169 ESB-2018.2131 Original Bulletin: https://access.redhat.com/errata/RHSA-2018:2253 https://access.redhat.com/errata/RHSA-2018:2256 Comment: This bulletin contains two (2) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.8.0-oracle security update Advisory ID: RHSA-2018:2253-01 Product: Oracle Java for Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:2253 Issue date: 2018-07-24 CVE Names: CVE-2018-2940 CVE-2018-2941 CVE-2018-2952 CVE-2018-2964 CVE-2018-2973 ===================================================================== 1. Summary: An update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Oracle Java for Red Hat Enterprise Linux Client (v. 7) - x86_64 Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7) - x86_64 Oracle Java for Red Hat Enterprise Linux Server (v. 7) - x86_64 Oracle Java for Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 8 to version 8 Update 181. Security Fix(es): * Oracle JDK: unspecified vulnerability fixed in 7u191, 8u181, and 10.0.2 (JavaFX) (CVE-2018-2941) * Oracle JDK: unspecified vulnerability fixed in 8u181 and 10.0.2 (Deployment) (CVE-2018-2964) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Oracle Java must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1600925 - CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) 1602142 - CVE-2018-2964 Oracle JDK: unspecified vulnerability fixed in 8u181 and 10.0.2 (Deployment) 1602143 - CVE-2018-2941 Oracle JDK: unspecified vulnerability fixed in 7u191, 8u181, and 10.0.2 (JavaFX) 1602145 - CVE-2018-2973 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) 1602146 - CVE-2018-2940 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) 6. Package List: Oracle Java for Red Hat Enterprise Linux Client (v. 7): x86_64: java-1.8.0-oracle-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-devel-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-javafx-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-jdbc-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-plugin-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-src-1.8.0.181-1jpp.2.el7.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7): x86_64: java-1.8.0-oracle-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-devel-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-javafx-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-src-1.8.0.181-1jpp.2.el7.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Server (v. 7): x86_64: java-1.8.0-oracle-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-devel-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-javafx-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-jdbc-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-plugin-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-src-1.8.0.181-1jpp.2.el7.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Workstation (v. 7): x86_64: java-1.8.0-oracle-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-devel-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-javafx-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-jdbc-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-plugin-1.8.0.181-1jpp.2.el7.x86_64.rpm java-1.8.0-oracle-src-1.8.0.181-1jpp.2.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-2940 https://access.redhat.com/security/cve/CVE-2018-2941 https://access.redhat.com/security/cve/CVE-2018-2952 https://access.redhat.com/security/cve/CVE-2018-2964 https://access.redhat.com/security/cve/CVE-2018-2973 https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW1eWoNzjgjWX9erEAQh/6Q//YC8tpdEq1e8Mkt5GiRCe1PHex5KB8RKZ NNqG3xpqwT0mvUKAiNezHjjo66fWuMO1glPAaBXLsfuIKT92dE/Ri4YhVedXE4cM o5T6pTJoWU/tU7Xo3AkkQ5TSc5M6zr34i4Lt3Og8P5IA2QASna3Ug+kHIR8rJLMK a4RBJ3WdOjh9C/41GUSU1iAlzf5OAoBZbQO3sMm9uQZiWLN/ZMnEBpTmvFY3FMV4 W9MDdfkg+2vCu9XmnPuCfQb6+sNsxCWBiGb/kNyTuu5ubYeqDwSXPPh8jkKfoY/0 ZQm63fqtClRhkBWCHwltMI5G7zp4VBq18ECAt9U6WrzwibT1ibDqBdUVvIUh6l2/ QalDzES57Nu0H5eD4M4tkxoSJBJvRKr1u74Q7F7PGTubppf/ZdbfiU/9bnTFkx60 /4jSJs+BffVQSHXk1U0EQU5JEX8eazIBwcsMKAekOQdA1WRHR4gykC2DHckgyXEK QBlRik79N95NGD/shmT4aKYPCsVZcX+FjCjgHqslBvUT+qQ0hSZh9wIp0KL/VaIE Juk4A2dOFoFEMkuJ2YXco4E9j30VTPljK1+BopFK5LV2EGJVhbdtY5/wn0A6zDw1 BHI7VSOsSiX+MGRl/WrPeWzOac/BsSnk2KWE/j/tc2cb/k54LpCVQ8MUiC0GZ725 WPWp4YPhV6I= =AaA9 - -----END PGP SIGNATURE----- - ------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.8.0-oracle security update Advisory ID: RHSA-2018:2256-01 Product: Oracle Java for Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:2256 Issue date: 2018-07-24 CVE Names: CVE-2018-2940 CVE-2018-2941 CVE-2018-2952 CVE-2018-2964 CVE-2018-2973 ===================================================================== 1. Summary: An update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Oracle Java for Red Hat Enterprise Linux Desktop 6 - i386, x86_64 Oracle Java for Red Hat Enterprise Linux HPC Node 6 - x86_64 Oracle Java for Red Hat Enterprise Linux Server 6 - i386, x86_64 Oracle Java for Red Hat Enterprise Linux Workstation 6 - i386, x86_64 3. Description: Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 8 to version 8 Update 181. Security Fix(es): * Oracle JDK: unspecified vulnerability fixed in 7u191, 8u181, and 10.0.2 (JavaFX) (CVE-2018-2941) * Oracle JDK: unspecified vulnerability fixed in 8u181 and 10.0.2 (Deployment) (CVE-2018-2964) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Oracle Java must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1600925 - CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) 1602142 - CVE-2018-2964 Oracle JDK: unspecified vulnerability fixed in 8u181 and 10.0.2 (Deployment) 1602143 - CVE-2018-2941 Oracle JDK: unspecified vulnerability fixed in 7u191, 8u181, and 10.0.2 (JavaFX) 1602145 - CVE-2018-2973 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) 1602146 - CVE-2018-2940 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) 6. Package List: Oracle Java for Red Hat Enterprise Linux Desktop 6: i386: java-1.8.0-oracle-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-devel-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-javafx-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-jdbc-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-plugin-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-src-1.8.0.181-1jpp.2.el6.i686.rpm x86_64: java-1.8.0-oracle-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-devel-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-javafx-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-jdbc-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-plugin-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-src-1.8.0.181-1jpp.2.el6.x86_64.rpm Oracle Java for Red Hat Enterprise Linux HPC Node 6: x86_64: java-1.8.0-oracle-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-devel-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-javafx-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-jdbc-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-plugin-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-src-1.8.0.181-1jpp.2.el6.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Server 6: i386: java-1.8.0-oracle-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-devel-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-javafx-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-jdbc-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-plugin-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-src-1.8.0.181-1jpp.2.el6.i686.rpm x86_64: java-1.8.0-oracle-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-devel-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-javafx-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-jdbc-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-plugin-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-src-1.8.0.181-1jpp.2.el6.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Workstation 6: i386: java-1.8.0-oracle-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-devel-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-javafx-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-jdbc-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-plugin-1.8.0.181-1jpp.2.el6.i686.rpm java-1.8.0-oracle-src-1.8.0.181-1jpp.2.el6.i686.rpm x86_64: java-1.8.0-oracle-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-devel-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-javafx-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-jdbc-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-plugin-1.8.0.181-1jpp.2.el6.x86_64.rpm java-1.8.0-oracle-src-1.8.0.181-1jpp.2.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-2940 https://access.redhat.com/security/cve/CVE-2018-2941 https://access.redhat.com/security/cve/CVE-2018-2952 https://access.redhat.com/security/cve/CVE-2018-2964 https://access.redhat.com/security/cve/CVE-2018-2973 https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW1eVvdzjgjWX9erEAQivCQ//YV3cgPc9loPIBkSB7F9ZDB/uQT54h5NM ce5/nnrzwrHFWuRStrMoGDDHTtcPWhN31lLvYWhP/mqQi79g6pjQrZ2ljUbqWBlX vHQ45wgbparwoC2Q60HBo9kDu+bb9Z9NtpbnRSjTa5OWgEpqG5V8J2H1eqKxwIUd MKGmKjjI1VfV833AX1H3dKWSlaEsKVZ+Q/+xBFHQ5duSIwp25VYepUlWIF5z0oTY fy2NJ+bud70X5maj/gkrogAlAOMiUR1lB1EO6B/P3y4fIVOCEO62j3VbL+3SGRf4 3TVSr00ngR3stoHX+Ia1/FG+cDYbzNekCHQAKKZcoX1D0TC7lqWHEBp9zL8oBfSI B1HUPut0Ge7QNapv30dQ/iTBKgfF7tobIiiFWKgG+hBu/tYksc9RaCXPaeHWBLxn QhrAJD89TdyZi0YHgF/FA7YskzDHMRep+PM2kk6Q+zOo6duJSfFCzJR3bA+cwnfz 1r9aI/8H0FADoH5BYa5rpdqKh9PePAha/7m1vfSzHuFx+U2phvpkwFWyJjA6otIT udTONlProb6hS2frTR2idzUF3AoNZNSXzm5r2YP3Og8+aTYUUmSZMuPEf2NmfmJE Hi1gbSKXOP6DSxBKHZ0qrFIR+rUeEHCuw2noi/ApAtIppNdPcuJdv/lycSarpFqm MilIlLGRdVc= =VUFb - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW1fbPmaOgq3Tt24GAQgdDxAAoRfdt5wd6sIqjNK9FUN5Ug19GVw0Mcj7 fJnY4wQ95qHm+PGLFmJMnTm7ulmBESFxGyqlDuriig7CRnip+uF3oT7kK3qX4/dP /aOyPDY7lQoFzgUvO26Zw/1KGtLg3XHp9OdXAvNur44ltSwqNQsTaIXc34ouLHgu T6pYD8l+PXsR5GGtU842I8i3CPtNvjC5vLbWzEivte3THcBuB2rgaBAiqkRTjYGc 9qOnht2/tXuw96+An+nuoKK2m8wM8LwE0kmVYaJ9hZkqfM224tNbFlvQrpQJlT+I bpoqczN6dJaapB6iKpzx4DbHeWIwksnPg3VchkCHtXmspyKpdr+LvVOxEr1Yp7lZ p2/QGuedajBTRjf5lad3l5RK2XAL+TsoslbKkVckEuQZ+g6PgzjpYSWNarjI2AB8 UQMCtYUx2DDVBj0L+TF3jWdIvkO9WJTKmiXzO9s6iq557UMF5UgL5kgge2PM1E0C mul+HgeVdZcOOsNXYfA3wgq71qzrzJpXdd7FO76HpWWyhgERle8UQ09ZnXN+gTdL FSZ5/d3/srkVb7LW9mUPGBs/Ew+PY2eoiD1JuvkMEw7cu381Z+blyiZCrNIJ5ZAI 0UjWORpDWJQSCsZCirnfO1AgWCLfimd75xiSOzVQcI2euG1M8DFJppuLIpndCy7e rJDDvCLABKw= =sVk2 -----END PGP SIGNATURE-----