USN-4257-1

Source
https://ubuntu.com/security/notices/USN-4257-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4257-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-4257-1
Related
Published
2020-01-28T20:03:55.238196Z
Modified
2020-01-28T20:03:55.238196Z
Summary
openjdk-8, openjdk-lts vulnerabilities
Details

It was discovered that OpenJDK incorrectly handled exceptions during deserialization in BeanContextSupport. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2020-2583)

It was discovered that OpenJDK incorrectly validated properties of SASL messages included in Kerberos GSSAPI. An unauthenticated remote attacker with network access via Kerberos could possibly use this issue to insert, modify or obtain sensitive information. (CVE-2020-2590)

It was discovered that OpenJDK incorrectly validated URLs. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2020-2593)

It was discovered that OpenJDK Security component still used MD5 algorithm. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2020-2601)

It was discovered that OpenJDK incorrectly handled the application of serialization filters. An attacker could possibly use this issue to bypass the intended filter during serialization. (CVE-2020-2604)

Bo Zhang and Long Kuan discovered that OpenJDK incorrectly handled X.509 certificates. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-2654)

Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and Robert Merget discovered that OpenJDK incorrectly handled CertificateVerify TLS handshake messages. A remote attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 11. (CVE-2020-2655)

It was discovered that OpenJDK incorrectly enforced the limit of datagram sockets that can be created by a code running within a Java sandbox. An attacker could possibly use this issue to bypass the sandbox restrictions causing a denial of service. This issue only affected OpenJDK 8. (CVE-2020-2659)

References

Affected packages

Ubuntu:16.04:LTS / openjdk-8

Package

Name
openjdk-8
Purl
pkg:deb/ubuntu/openjdk-8?arch=src?distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8u242-b08-0ubuntu3~16.04

Affected versions

Other

8u66-b01-5
8u72-b05-1ubuntu1
8u72-b05-5
8u72-b05-6
8u72-b15-1
8u72-b15-2ubuntu1
8u72-b15-2ubuntu3
8u72-b15-3ubuntu1
8u77-b03-1ubuntu2
8u77-b03-3ubuntu1
8u77-b03-3ubuntu2
8u77-b03-3ubuntu3

8u91-b14-0ubuntu4~16.*

8u91-b14-0ubuntu4~16.04.1

8u91-b14-3ubuntu1~16.*

8u91-b14-3ubuntu1~16.04.1

8u111-b14-2ubuntu0.*

8u111-b14-2ubuntu0.16.04.2

8u121-b13-0ubuntu1.*

8u121-b13-0ubuntu1.16.04.2

8u131-b11-0ubuntu1.*

8u131-b11-0ubuntu1.16.04.2

8u131-b11-2ubuntu1.*

8u131-b11-2ubuntu1.16.04.2
8u131-b11-2ubuntu1.16.04.3

8u151-b12-0ubuntu0.*

8u151-b12-0ubuntu0.16.04.2

8u162-b12-0ubuntu0.*

8u162-b12-0ubuntu0.16.04.2

8u171-b11-0ubuntu0.*

8u171-b11-0ubuntu0.16.04.1

8u181-b13-0ubuntu0.*

8u181-b13-0ubuntu0.16.04.1

8u181-b13-1ubuntu0.*

8u181-b13-1ubuntu0.16.04.1

8u191-b12-0ubuntu0.*

8u191-b12-0ubuntu0.16.04.1

8u191-b12-2ubuntu0.*

8u191-b12-2ubuntu0.16.04.1

8u212-b03-0ubuntu1.*

8u212-b03-0ubuntu1.16.04.1

8u222-b10-1ubuntu1~16.*

8u222-b10-1ubuntu1~16.04.1

8u232-b09-0ubuntu1~16.*

8u232-b09-0ubuntu1~16.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-dbg"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-demo"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-demo-dbgsym"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-doc"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-jdk"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-jdk-headless"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-jre"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-jre-dbgsym"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-jre-headless"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-jre-headless-dbgsym"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-jre-jamvm"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-jre-zero"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~16.04",
            "binary_name": "openjdk-8-source"
        }
    ]
}

Ubuntu:18.04:LTS / openjdk-8

Package

Name
openjdk-8
Purl
pkg:deb/ubuntu/openjdk-8?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8u242-b08-0ubuntu3~18.04

Affected versions

Other

8u144-b01-2
8u151-b12-1
8u162-b12-1

8u171-b11-0ubuntu0.*

8u171-b11-0ubuntu0.18.04.1

8u181-b13-0ubuntu0.*

8u181-b13-0ubuntu0.18.04.1

8u181-b13-1ubuntu0.*

8u181-b13-1ubuntu0.18.04.1

8u191-b12-0ubuntu0.*

8u191-b12-0ubuntu0.18.04.1

8u191-b12-2ubuntu0.*

8u191-b12-2ubuntu0.18.04.1

8u212-b03-0ubuntu1.*

8u212-b03-0ubuntu1.18.04.1

8u222-b10-1ubuntu1~18.*

8u222-b10-1ubuntu1~18.04.1

8u232-b09-0ubuntu1~18.*

8u232-b09-0ubuntu1~18.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "8u242-b08-0ubuntu3~18.04",
            "binary_name": "openjdk-8-dbg"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~18.04",
            "binary_name": "openjdk-8-demo"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~18.04",
            "binary_name": "openjdk-8-doc"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~18.04",
            "binary_name": "openjdk-8-jdk"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~18.04",
            "binary_name": "openjdk-8-jdk-headless"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~18.04",
            "binary_name": "openjdk-8-jre"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~18.04",
            "binary_name": "openjdk-8-jre-headless"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~18.04",
            "binary_name": "openjdk-8-jre-zero"
        },
        {
            "binary_version": "8u242-b08-0ubuntu3~18.04",
            "binary_name": "openjdk-8-source"
        }
    ]
}

Ubuntu:18.04:LTS / openjdk-lts

Package

Name
openjdk-lts
Purl
pkg:deb/ubuntu/openjdk-lts?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
11.0.6+10-1ubuntu1~18.04.1

Affected versions

9.*

9.0.4+12-2ubuntu4
9.0.4+12-4ubuntu1

Other

10~46-4ubuntu1
10~46-5ubuntu1

10.*

10.0.1+10-1ubuntu2
10.0.1+10-3ubuntu1
10.0.2+13-1ubuntu0.18.04.1
10.0.2+13-1ubuntu0.18.04.2
10.0.2+13-1ubuntu0.18.04.3
10.0.2+13-1ubuntu0.18.04.4

11.*

11.0.2+9-3ubuntu1~18.04.3
11.0.3+7-1ubuntu2~18.04.1
11.0.4+11-1ubuntu2~18.04.3
11.0.5+10-0ubuntu1.1~18.04

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "11.0.6+10-1ubuntu1~18.04.1",
            "binary_name": "openjdk-11-dbg"
        },
        {
            "binary_version": "11.0.6+10-1ubuntu1~18.04.1",
            "binary_name": "openjdk-11-demo"
        },
        {
            "binary_version": "11.0.6+10-1ubuntu1~18.04.1",
            "binary_name": "openjdk-11-doc"
        },
        {
            "binary_version": "11.0.6+10-1ubuntu1~18.04.1",
            "binary_name": "openjdk-11-jdk"
        },
        {
            "binary_version": "11.0.6+10-1ubuntu1~18.04.1",
            "binary_name": "openjdk-11-jdk-headless"
        },
        {
            "binary_version": "11.0.6+10-1ubuntu1~18.04.1",
            "binary_name": "openjdk-11-jre"
        },
        {
            "binary_version": "11.0.6+10-1ubuntu1~18.04.1",
            "binary_name": "openjdk-11-jre-headless"
        },
        {
            "binary_version": "11.0.6+10-1ubuntu1~18.04.1",
            "binary_name": "openjdk-11-jre-zero"
        },
        {
            "binary_version": "11.0.6+10-1ubuntu1~18.04.1",
            "binary_name": "openjdk-11-source"
        }
    ]
}