-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0312
                    USN-4257-1: OpenJDK vulnerabilities
                               29 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenJDK
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Modify Arbitrary Files   -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-2659 CVE-2020-2655 CVE-2020-2654 CVE-2020-2604
                   CVE-2020-2601 CVE-2020-2593 CVE-2020-2590 CVE-2020-2583
Reference:         ASB-2020.0028 ASB-2020.0027 ESB-2020.0300 ESB-2020.0293

Original Bulletin:
   https://usn.ubuntu.com/4257-1/

- --------------------------BEGIN INCLUDED TEXT--------------------

USN-4257-1: OpenJDK vulnerabilities
28 January 2020

openjdk-8, openjdk-lts vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 19.10
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 LTS

Summary

Several security issues were fixed in OpenJDK.

Software Description

  o openjdk-8 - Open Source Java implementation
  o openjdk-lts - Open Source Java implementation

Details

It was discovered that OpenJDK incorrectly handled exceptions during
deserialization in BeanContextSupport. An attacker could possibly use this
issue to cause a denial of service or other unspecified impact.
(CVE-2020-2583)

It was discovered that OpenJDK incorrectly validated properties of SASL
messages included in Kerberos GSSAPI. An unauthenticated remote attacker with
network access via Kerberos could possibly use this issue to insert, modify or
obtain sensitive information. (CVE-2020-2590)

It was discovered that OpenJDK incorrectly validated URLs. An attacker could
possibly use this issue to insert, edit or obtain sensitive information.
(CVE-2020-2593)

It was discovered that the OpenJDK Security component still used the MD5
algorithm. A remote attacker could possibly use this issue to obtain sensitive
information. (CVE-2020-2601)

It was discovered that OpenJDK incorrectly handled the application of
serialization filters. An attacker could possibly use this issue to bypass the
intended filter during serialization. (CVE-2020-2604)

Bo Zhang and Long Kuan discovered that OpenJDK incorrectly handled X.509
certificates. An attacker could possibly use this issue to cause a denial of
service. (CVE-2020-2654)

Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and
Robert Merget discovered that OpenJDK incorrectly handled CertificateVerify
TLS handshake messages. A remote attacker could possibly use this issue to
insert, edit or obtain sensitive information. This issue only affected
OpenJDK 11. (CVE-2020-2655)

It was discovered that OpenJDK incorrectly enforced the limit on datagram
sockets that can be created by code running within a Java sandbox. An
attacker could possibly use this issue to bypass the sandbox restrictions,
causing a denial of service. This issue only affected OpenJDK 8.
(CVE-2020-2659)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 19.10
    openjdk-11-jdk - 11.0.6+10-1ubuntu1~19.10.1
    openjdk-11-jre - 11.0.6+10-1ubuntu1~19.10.1
    openjdk-11-jre-headless - 11.0.6+10-1ubuntu1~19.10.1
    openjdk-11-jre-zero - 11.0.6+10-1ubuntu1~19.10.1
    openjdk-8-jdk - 8u242-b08-0ubuntu3~19.10
    openjdk-8-jre - 8u242-b08-0ubuntu3~19.10
    openjdk-8-jre-headless - 8u242-b08-0ubuntu3~19.10
    openjdk-8-jre-zero - 8u242-b08-0ubuntu3~19.10

Ubuntu 18.04 LTS
    openjdk-11-jdk - 11.0.6+10-1ubuntu1~18.04.1
    openjdk-11-jre - 11.0.6+10-1ubuntu1~18.04.1
    openjdk-11-jre-headless - 11.0.6+10-1ubuntu1~18.04.1
    openjdk-11-jre-zero - 11.0.6+10-1ubuntu1~18.04.1
    openjdk-8-jdk - 8u242-b08-0ubuntu3~18.04
    openjdk-8-jre - 8u242-b08-0ubuntu3~18.04
    openjdk-8-jre-headless - 8u242-b08-0ubuntu3~18.04
    openjdk-8-jre-zero - 8u242-b08-0ubuntu3~18.04

Ubuntu 16.04 LTS
    openjdk-8-jdk - 8u242-b08-0ubuntu3~16.04
    openjdk-8-jre - 8u242-b08-0ubuntu3~16.04
    openjdk-8-jre-headless - 8u242-b08-0ubuntu3~16.04
    openjdk-8-jre-jamvm - 8u242-b08-0ubuntu3~16.04
    openjdk-8-jre-zero - 8u242-b08-0ubuntu3~16.04

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades

This update uses a new upstream release, which includes additional bug fixes.
After a standard system update you need to restart any Java applications or
applets to make all the necessary changes.

References

  o CVE-2020-2583
  o CVE-2020-2590
  o CVE-2020-2593
  o CVE-2020-2601
  o CVE-2020-2604
  o CVE-2020-2654
  o CVE-2020-2655
  o CVE-2020-2659

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXjEFRmaOgq3Tt24GAQjAlg//VWz1WZEI8hx/ADQtBLtZ4ADGDUJ1eNIz
HoCMj8e25E5Hf1hGRlIxDeAd08jjBwxEH5SiGvu2Nnvyh7b+/dUtF66uH0GJL3bf
UvwEYNm8uvkVaq3raog/7UOrl1RbWUJGt2VDwgUwtGrT3/dHHBY3YtvlcVhm6mQ+
VfQT6WOrmLCL7nhqxPL1ttDtTGc5/1VO+2fWpox1J09pghMoOg50xHIoQGQkmUeH
WT9rAMgfpi91IkdvQY2wBsCMKLQUGi6lY5hXYpm18SdXiIS5obFzANVIufrlTUA2
8EGOA0lHDCoRU5cgPxSR1ZLIzsQpNqKeEMD8n24mbIbr3xhZCc+iB9BtLVXd1kYQ
jSj0MlKYowWtaELZzYCLkuPoX1dtBLEUQ6poZl/4W0Rdc1qeZtvjaEC2j39wbv4K
1BRkEwnEMuGZF63fZwVs86l94PQfl3rcaV9StztqvsG0ttGNZ07NEEiMsBNBHozK
BwTK7LcYLAnGbatfEPCoHnNLyjeIC9f/TnaobQPYcypzFA0NCBnOglTX4H3jPK8m
j2TBAoNTylSLxjrXW6oZtuCJk458djB8ueoRovsjyiHadQQkLauGGAKarnyYLhJT
D/5maiWDNZwfqvPF9jY526GXIcE00r6O7LsSJFScBBENMTr2n2t18bWNRhaG59+i
M3eVRG+OKFI=
=z2u1
-----END PGP SIGNATURE-----
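The update instructions in the bulletin above give one fixed version per
binary package and Ubuntu release. The following Python script is an added
example placed outside the signed message; it is not part of the Ubuntu
advisory or of the AusCERT bulletin. It checks dpkg-query output against the
USN-4257-1 fixed versions using a self-contained re-implementation of the
Debian version ordering (epoch, upstream, revision; alternating non-digit and
numeric runs; "~" sorting before everything, even end of string), so it does
not need python3-apt. The package names and versions in FIXED are copied from
the bulletin; the dpkg-query lines in SAMPLE are constructed for offline
demonstration and are not taken from a real host.

```python
"""Audit installed OpenJDK packages against the USN-4257-1 fixed versions.

Added example (not Ubuntu's or AusCERT's code). The version comparison
follows the Debian Policy ordering rules; SAMPLE is constructed input.
"""
import re


def _pkgs(src, version, suffixes):
    """Expand a source package plus version into its binary package names."""
    return {f"{src}-{s}": version for s in suffixes}


_STD = ("jdk", "jre", "jre-headless", "jre-zero")

# Fixed versions exactly as listed in USN-4257-1, keyed by Ubuntu release.
FIXED = {
    "19.10": {**_pkgs("openjdk-11", "11.0.6+10-1ubuntu1~19.10.1", _STD),
              **_pkgs("openjdk-8", "8u242-b08-0ubuntu3~19.10", _STD)},
    "18.04": {**_pkgs("openjdk-11", "11.0.6+10-1ubuntu1~18.04.1", _STD),
              **_pkgs("openjdk-8", "8u242-b08-0ubuntu3~18.04", _STD)},
    "16.04": _pkgs("openjdk-8", "8u242-b08-0ubuntu3~16.04",
                   _STD + ("jre-jamvm",)),
}


def _order(ch):
    """Collation for non-digit characters: '~' sorts before everything
    (including end of string); letters sort before other symbols."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        oa = _order(a[i] if i < len(a) else "")
        ob = _order(b[i] if i < len(b) else "")
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _cmp_part(a, b):
    """Compare an upstream version or a Debian revision by alternating
    runs of non-digits (collated above) and digits (compared numerically)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0


def _split(version):
    """Split [epoch:]upstream[-revision]; the revision follows the last '-'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, the ordering used by dpkg --compare-versions."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def audit(dpkg_output, release):
    r"""Parse lines from
    dpkg-query -W -f='${Package} ${Version} ${Status}\n' 'openjdk-*'
    and return [(package, installed, fixed)] for packages still vulnerable."""
    fixed = FIXED.get(release, {})
    findings = []
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[4] != "installed":
            continue  # removed / config-files-only packages hold no code
        pkg, installed = fields[0], fields[1]
        if pkg in fixed and compare_versions(installed, fixed[pkg]) < 0:
            findings.append((pkg, installed, fixed[pkg]))
    return findings


# Constructed sample (not real host data) for an Ubuntu 18.04 machine.
SAMPLE = """\
openjdk-8-jre-headless 8u232-b09-0ubuntu1~18.04.1 install ok installed
openjdk-8-jre 8u232-b09-0ubuntu1~18.04.1 install ok installed
openjdk-11-jre-headless 11.0.6+10-1ubuntu1~18.04.1 install ok installed
openjdk-11-jdk 11.0.5+10-0ubuntu1.1~18.04 deinstall ok config-files
"""

if __name__ == "__main__":
    for pkg, have, want in audit(SAMPLE, "18.04"):
        print(f"{pkg}: installed {have}, fixed in {want}")
```

On a live host, replace SAMPLE with the output of the dpkg-query command in
the audit() docstring and pass the VERSION_ID value from /etc/os-release as
the release. A clean result only shows that the files on disk are fixed: as
the advisory says, JVMs started before the upgrade keep the old libraries
loaded until they are restarted, so pair this check with a restart of every
long-running Java service.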