Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.2145 Critical: java-1.7.0-oracle security update 25 July 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: java-1.7.0-oracle Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux WS/Desktop 6 Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Read-only Data Access -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2018-2973 CVE-2018-2952 CVE-2018-2941 CVE-2018-2940 Reference: ASB-2018.0169 ESB-2018.2131 ESB-2018.2144 Original Bulletin: https://access.redhat.com/errata/RHSA-2018:2254 https://access.redhat.com/errata/RHSA-2018:2255 Comment: This bulletin contains two (2) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.7.0-oracle security update Advisory ID: RHSA-2018:2254-01 Product: Oracle Java for Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:2254 Issue date: 2018-07-24 CVE Names: CVE-2018-2940 CVE-2018-2941 CVE-2018-2952 CVE-2018-2973 ===================================================================== 1. Summary: An update for java-1.7.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Oracle Java for Red Hat Enterprise Linux Client (v. 7) - x86_64 Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7) - x86_64 Oracle Java for Red Hat Enterprise Linux Server (v. 7) - x86_64 Oracle Java for Red Hat Enterprise Linux Workstation (v. 7) - x86_64 3. Description: Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 7 to version 7 Update 191. Security Fix(es): * Oracle JDK: unspecified vulnerability fixed in 7u191, 8u181, and 10.0.2 (JavaFX) (CVE-2018-2941) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Oracle Java must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1600925 - CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) 1602143 - CVE-2018-2941 Oracle JDK: unspecified vulnerability fixed in 7u191, 8u181, and 10.0.2 (JavaFX) 1602145 - CVE-2018-2973 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) 1602146 - CVE-2018-2940 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) 6. Package List: Oracle Java for Red Hat Enterprise Linux Client (v. 7): x86_64: java-1.7.0-oracle-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-src-1.7.0.191-1jpp.2.el7.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Compute Node (v. 7): x86_64: java-1.7.0-oracle-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-src-1.7.0.191-1jpp.2.el7.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Server (v. 7): x86_64: java-1.7.0-oracle-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-src-1.7.0.191-1jpp.2.el7.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Workstation (v. 7): x86_64: java-1.7.0-oracle-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.191-1jpp.2.el7.x86_64.rpm java-1.7.0-oracle-src-1.7.0.191-1jpp.2.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-2940 https://access.redhat.com/security/cve/CVE-2018-2941 https://access.redhat.com/security/cve/CVE-2018-2952 https://access.redhat.com/security/cve/CVE-2018-2973 https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW1eVsdzjgjWX9erEAQiCQg/8CjqVZt+w7BT2MtqNdh2k9+pzbUylvybw +r+2xo31u8nZa8G7wtJxt8Lho6pJ4V2Bifl09jd7wM37UK8/TFIhJY94jMXv86g1 bKEmrUOxmNL1csJXj9G1bjZRCsJJOspduqOmBNRsCvq5XjW9AtreLM6cKnrQ2OZg 8Jivvp9xgnuFcv75Y2yWS1EeTGfpWNwWOnpqhyZPG1VpMRVJLwrEBGx06INJOSoo 0zcJ7kqUPiqKJxMB8ChVbfSBNtc9wtsxVMUiL6nuU/1TiaslwvUv9X9GxX1D2tew IBOO7r2qkeWkeq7rscko2yYLGTfgXmFSPghPS1dfNaj6A1xOPgw3vTrdP05HGLWt B3rtEkiRJ5LfVZB/CaxIhJGMriaYBegl9h+diWeCwH27extiDGVAwv42RL9OwnLF +Tnmss84si4G13o8SZA3pAG7A1GdEMXybpH0KBbOCM8FtQoTCDTdGDDdSHCJNuco nhoD0hOZS2unaelGKlSiy7kfKWQD0RYolCiA+WS69P9jXNxV1vfCuL0MP/Tj1EBT EamihVyHN0+Rooah4Z8NEbqxxyU413UBzjWf649ixC0UhriNw2YUgUntSybIG2zH gCHE64DN2rMPUXXhAMGbSBmOanL7iHkcXO87c7KmfF1t20t53athovmt6IGYj3vc QST86YXaU48= =AC2r - -----END PGP SIGNATURE----- - ------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: java-1.7.0-oracle security update Advisory ID: RHSA-2018:2255-01 Product: Oracle Java for Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2018:2255 Issue date: 2018-07-24 CVE Names: CVE-2018-2940 CVE-2018-2941 CVE-2018-2952 CVE-2018-2973 ===================================================================== 1. Summary: An update for java-1.7.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Oracle Java for Red Hat Enterprise Linux Desktop 6 - i386, x86_64 Oracle Java for Red Hat Enterprise Linux HPC Node 6 - x86_64 Oracle Java for Red Hat Enterprise Linux Server 6 - i386, x86_64 Oracle Java for Red Hat Enterprise Linux Workstation 6 - i386, x86_64 3. Description: Oracle Java SE version 7 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit. This update upgrades Oracle Java SE 7 to version 7 Update 191. Security Fix(es): * Oracle JDK: unspecified vulnerability fixed in 7u191, 8u181, and 10.0.2 (JavaFX) (CVE-2018-2941) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) (CVE-2018-2940) * OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) (CVE-2018-2952) * Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) (CVE-2018-2973) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 All running instances of Oracle Java must be restarted for this update to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1600925 - CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547) 1602143 - CVE-2018-2941 Oracle JDK: unspecified vulnerability fixed in 7u191, 8u181, and 10.0.2 (JavaFX) 1602145 - CVE-2018-2973 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE) 1602146 - CVE-2018-2940 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries) 6. Package List: Oracle Java for Red Hat Enterprise Linux Desktop 6: i386: java-1.7.0-oracle-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-devel-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-javafx-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-jdbc-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-plugin-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-src-1.7.0.191-1jpp.1.el6.i686.rpm x86_64: java-1.7.0-oracle-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-src-1.7.0.191-1jpp.1.el6.x86_64.rpm Oracle Java for Red Hat Enterprise Linux HPC Node 6: x86_64: java-1.7.0-oracle-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-src-1.7.0.191-1jpp.1.el6.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Server 6: i386: java-1.7.0-oracle-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-devel-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-javafx-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-jdbc-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-plugin-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-src-1.7.0.191-1jpp.1.el6.i686.rpm x86_64: java-1.7.0-oracle-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-src-1.7.0.191-1jpp.1.el6.x86_64.rpm Oracle Java for Red Hat Enterprise Linux Workstation 6: i386: java-1.7.0-oracle-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-devel-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-javafx-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-jdbc-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-plugin-1.7.0.191-1jpp.1.el6.i686.rpm java-1.7.0-oracle-src-1.7.0.191-1jpp.1.el6.i686.rpm x86_64: java-1.7.0-oracle-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-devel-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-javafx-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-jdbc-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-plugin-1.7.0.191-1jpp.1.el6.x86_64.rpm java-1.7.0-oracle-src-1.7.0.191-1jpp.1.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-2940 https://access.redhat.com/security/cve/CVE-2018-2941 https://access.redhat.com/security/cve/CVE-2018-2952 https://access.redhat.com/security/cve/CVE-2018-2973 https://access.redhat.com/security/updates/classification/#critical 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW1eWq9zjgjWX9erEAQh7eA/+LKVHg4cd92TcLNYcuvKj+rvTi7GN5aw9 GJQG1xz3/0WV4gC8G+r5EmYEhM+43bA11CVybfZg+vkeRyQ+HcyILzCzN9InSdKP UvCfsBFG9OpXbe0jo6qALBqHsUc4aEfVBDk3eUfuvrxN659+KrTLO0EVONC53WcV L4MrH7NERN6BdRsyHl30uYthw71AIp7VJYFDVxK2gXa/2uwu7jQTJgQiYuRs0uvO VDs15Dm23A7Fn7OEfNjgbA6CTj0tUxWonOcSwlgPjfEYQBY8qo35tN2ssXoiQqgo q2BZnD5FtX9wJggjLtjQSRtMA0Y+juqa5/G2hCJD8vQtn1SDxtqyepM0XDTqD0wK LkOiGzabyQ3PEgo3K0+2m+RjRCziblja9zCBu692opJyOFplMjBuptwQcFOzmS4Y cc0OcF/A48D3KwQmIrNIUx76zs2lk+oo2liy4LbyauG43+YSsIyHNlu6ciN17oRB VPHlCxMQ9tcL6qlijih3v8dWrbHm/FPD4ftAWiowISjGkKIJvuDpS9VPQbtjYx5O nteG6KHEItE0DPVXc9kTb8VTT7juK028mHXkhvBKWKVnH09CkL67rF+kJUjquCJg vRqQbyUS6M6P9Eqq9n2GOpKMr/GifO3qCbCvTyJk6GtutfFE5CZcfl3aPIjl0Jww WqGc0dPkJN0= =A5xf - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBW1fbTGaOgq3Tt24GAQjOwRAAlj/0WYFFb1sNBS1YH9lOe8nkxBCNX7QK 5BM9Zr/lE/NtJCykmWAlZ7p+ofN+5r961CI1lXgoy5ItYNVc72cKgQMw2p6DShD3 d9GPXD2C6l2uc4yKAC43OECPimyXfphZenGa3TLATQDAX201Uu91/mYbxXV4sOsO bkflyY1Zi6YB4JmEB+mHgSetEfpHrzOc5iRqMyiVjxDOK67LTYXxmyt8Ra8rg1eX hiIsfc1SCiCsABEeRYP1Rs1Ttun6N5u7DQk1lIcwuZzi+BBW2cYsLsn4/47TU8/Y ayAEhxTNTSYXGgsDmyyvQueeItV2jRK0ndjnipjcFlGiUb+zj0bo/JYkigj7TvMt xZXfGkHZiAeMWkc9HaJjcRlcIOHGUKSOfgviITc0Ktw3Y8uDlCAyH46I8CCOD2Sp c7/xcM686qcVJTqlUnTSVWpJDv1FdhvO/CzgFt2PGVKJJAVmccKvSkEzXm+TolLC rcjZyXgcfs3cdZiGp24VmDnbL+u0Uy9f+5f1QUSGlI7A3dOSbbPASWE+8PLibeXZ cX9jY5MV3Az8oTgykt4qJSUin8B9EAmKpM48Lht2QmagpuaCgIY2PBYkXGQtCoVi Z2kRCprB/4sH9cxaHffBeOiSy0TTR7vBErAw5uviczeKLRaJZmBOTy0EwbxOLGUj FOUk7URJ2lc= =bdsF -----END PGP SIGNATURE-----