USN-3179-1

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/notices/USN-3179-1

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3179-1.json

JSON Data

https://api.osv.dev/v1/vulns/USN-3179-1

Related

CVE-2016-2183
CVE-2016-5546
CVE-2016-5547
CVE-2016-5548
CVE-2016-5549
CVE-2016-5552
CVE-2017-3231
CVE-2017-3241
CVE-2017-3252
CVE-2017-3253
CVE-2017-3261
CVE-2017-3272
CVE-2017-3289
UBUNTU-CVE-2016-2183
UBUNTU-CVE-2016-5546
UBUNTU-CVE-2016-5547
UBUNTU-CVE-2016-5548
UBUNTU-CVE-2016-5549
UBUNTU-CVE-2016-5552
UBUNTU-CVE-2017-3231
UBUNTU-CVE-2017-3241
UBUNTU-CVE-2017-3252
UBUNTU-CVE-2017-3253
UBUNTU-CVE-2017-3261
UBUNTU-CVE-2017-3272
UBUNTU-CVE-2017-3289

Published

2017-01-25T21:05:13.122272Z

Modified

2017-01-25T21:05:13.122272Z

Summary

openjdk-8 vulnerabilities

Details

Karthik Bhargavan and Gaetan Leurent discovered that the DES and Triple DES ciphers were vulnerable to birthday attacks. A remote attacker could possibly use this flaw to obtain clear text data from long encrypted sessions. This update moves those algorithms to the legacy algorithm set and causes them to be used only if no non-legacy algorithms can be negotiated. (CVE-2016-2183)

It was discovered that OpenJDK accepted ECSDA signatures using non-canonical DER encoding. An attacker could use this to modify or expose sensitive data. (CVE-2016-5546)

It was discovered that OpenJDK did not properly verify object identifier (OID) length when reading Distinguished Encoding Rules (DER) records, as used in x.509 certificates and elsewhere. An attacker could use this to cause a denial of service (memory consumption). (CVE-2016-5547)

It was discovered that covert timing channel vulnerabilities existed in the DSA and ECDSA implementations in OpenJDK. A remote attacker could use this to expose sensitive information. (CVE-2016-5548, CVE-2016-5549)

It was discovered that the URLStreamHandler class in OpenJDK did not properly parse user information from a URL. A remote attacker could use this to expose sensitive information. (CVE-2016-5552)

It was discovered that the URLClassLoader class in OpenJDK did not properly check access control context when downloading class files. A remote attacker could use this to expose sensitive information. (CVE-2017-3231)

It was discovered that the Remote Method Invocation (RMI) implementation in OpenJDK performed deserialization of untrusted inputs. A remote attacker could use this to execute arbitrary code. (CVE-2017-3241)

It was discovered that the Java Authentication and Authorization Service (JAAS) component of OpenJDK did not properly perform user search LDAP queries. An attacker could use a specially constructed LDAP entry to expose or modify sensitive information. (CVE-2017-3252)

It was discovered that the PNGImageReader class in OpenJDK did not properly handle iTXt and zTXt chunks. An attacker could use this to cause a denial of service (memory consumption). (CVE-2017-3253)

It was discovered that integer overflows existed in the SocketInputStream and SocketOutputStream classes of OpenJDK. An attacker could use this to expose sensitive information. (CVE-2017-3261)

It was discovered that the atomic field updaters in the java.util.concurrent.atomic package in OpenJDK did not properly restrict access to protected field members. An attacker could use this to specially craft a Java application or applet that could bypass Java sandbox restrictions. (CVE-2017-3272)

It was discovered that a vulnerability existed in the class construction implementation in OpenJDK. An attacker could use this to specially craft a Java application or applet that could bypass Java sandbox restrictions. (CVE-2017-3289)

References

Affected packages

Ubuntu:16.04:LTS / openjdk-8

Package

Name: openjdk-8
Purl: pkg:deb/ubuntu/openjdk-8?arch=src?distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8u121-b13-0ubuntu1.16.04.2

Affected versions

Other

8u66-b01-5

8u72-b05-1ubuntu1

8u72-b05-5

8u72-b05-6

8u72-b15-1

8u72-b15-2ubuntu1

8u72-b15-2ubuntu3

8u72-b15-3ubuntu1

8u77-b03-1ubuntu2

8u77-b03-3ubuntu1

8u77-b03-3ubuntu2

8u77-b03-3ubuntu3

8u91-b14-0ubuntu4~16.*

8u91-b14-0ubuntu4~16.04.1

8u91-b14-3ubuntu1~16.*

8u91-b14-3ubuntu1~16.04.1

8u111-b14-2ubuntu0.*

8u111-b14-2ubuntu0.16.04.2

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "8u121-b13-0ubuntu1.16.04.2",
            "binary_name": "openjdk-8-dbg"
        },
        {
            "binary_version": "8u121-b13-0ubuntu1.16.04.2",
            "binary_name": "openjdk-8-demo"
        },
        {
            "binary_version": "8u121-b13-0ubuntu1.16.04.2",
            "binary_name": "openjdk-8-doc"
        },
        {
            "binary_version": "8u121-b13-0ubuntu1.16.04.2",
            "binary_name": "openjdk-8-jdk"
        },
        {
            "binary_version": "8u121-b13-0ubuntu1.16.04.2",
            "binary_name": "openjdk-8-jdk-headless"
        },
        {
            "binary_version": "8u121-b13-0ubuntu1.16.04.2",
            "binary_name": "openjdk-8-jre"
        },
        {
            "binary_version": "8u121-b13-0ubuntu1.16.04.2",
            "binary_name": "openjdk-8-jre-headless"
        },
        {
            "binary_version": "8u121-b13-0ubuntu1.16.04.2",
            "binary_name": "openjdk-8-jre-jamvm"
        },
        {
            "binary_version": "8u121-b13-0ubuntu1.16.04.2",
            "binary_name": "openjdk-8-jre-zero"
        },
        {
            "binary_version": "8u121-b13-0ubuntu1.16.04.2",
            "binary_name": "openjdk-8-source"
        }
    ]
}