USN-4337-1

See a problem?
Source
https://ubuntu.com/security/notices/USN-4337-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4337-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-4337-1
Related
Published
2020-04-22T15:32:45.588246Z
Modified
2020-04-22T15:32:45.588246Z
Summary
openjdk-8, openjdk-lts vulnerabilities
Details

It was discovered that OpenJDK incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service while processing a specially crafted regular expression. (CVE-2020-2754, CVE-2020-2755)

It was discovered that OpenJDK incorrectly handled class descriptors and catching exceptions during object stream deserialization. An attacker could possibly use this issue to cause a denial of service while processing a specially crafted serialized input. (CVE-2020-2756, CVE-2020-2757)

Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and Robert Merget discovered that OpenJDK incorrectly handled certificate messages during TLS handshake. An attacker could possibly use this issue to bypass certificate verification and insert, edit or obtain sensitive information. This issue only affected OpenJDK 11. (CVE-2020-2767)

It was discovered that OpenJDK incorrectly handled exceptions thrown by unmarshalKeyInfo() and unmarshalXMLSignature(). An attacker could possibly use this issue to cause a denial of service while reading key info or XML signature data from XML input. (CVE-2020-2773)

Peter Dettman discovered that OpenJDK incorrectly handled SSLParameters in setAlgorithmConstraints(). An attacker could possibly use this issue to override the defined systems security policy and lead to the use of weak crypto algorithms that should be disabled. This issue only affected OpenJDK 11. (CVE-2020-2778)

Simone Bordet discovered that OpenJDK incorrectly re-used single null TLS sessions for new TLS connections. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2020-2781)

Dan Amodio discovered that OpenJDK did not restrict the use of CR and LF characters in values for HTTP headers. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2020-2800)

Nils Emmerich discovered that OpenJDK incorrectly checked boundaries or argument types. An attacker could possibly use this issue to bypass sandbox restrictions causing unspecified impact. (CVE-2020-2803, CVE-2020-2805)

It was discovered that OpenJDK incorrectly handled application data packets during TLS handshake. An attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 11. (CVE-2020-2816)

It was discovered that OpenJDK incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-2830)

References

Affected packages

Ubuntu:16.04:LTS / openjdk-8

Package

Name
openjdk-8
Purl
pkg:deb/ubuntu/openjdk-8@8u252-b09-1~16.04?arch=src?distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8u252-b09-1~16.04

Affected versions

Other

8u66-b01-5
8u72-b05-1ubuntu1
8u72-b05-5
8u72-b05-6
8u72-b15-1
8u72-b15-2ubuntu1
8u72-b15-2ubuntu3
8u72-b15-3ubuntu1
8u77-b03-1ubuntu2
8u77-b03-3ubuntu1
8u77-b03-3ubuntu2
8u77-b03-3ubuntu3

8u91-b14-0ubuntu4~16.*

8u91-b14-0ubuntu4~16.04.1

8u91-b14-3ubuntu1~16.*

8u91-b14-3ubuntu1~16.04.1

8u111-b14-2ubuntu0.*

8u111-b14-2ubuntu0.16.04.2

8u121-b13-0ubuntu1.*

8u121-b13-0ubuntu1.16.04.2

8u131-b11-0ubuntu1.*

8u131-b11-0ubuntu1.16.04.2

8u131-b11-2ubuntu1.*

8u131-b11-2ubuntu1.16.04.2
8u131-b11-2ubuntu1.16.04.3

8u151-b12-0ubuntu0.*

8u151-b12-0ubuntu0.16.04.2

8u162-b12-0ubuntu0.*

8u162-b12-0ubuntu0.16.04.2

8u171-b11-0ubuntu0.*

8u171-b11-0ubuntu0.16.04.1

8u181-b13-0ubuntu0.*

8u181-b13-0ubuntu0.16.04.1

8u181-b13-1ubuntu0.*

8u181-b13-1ubuntu0.16.04.1

8u191-b12-0ubuntu0.*

8u191-b12-0ubuntu0.16.04.1

8u191-b12-2ubuntu0.*

8u191-b12-2ubuntu0.16.04.1

8u212-b03-0ubuntu1.*

8u212-b03-0ubuntu1.16.04.1

8u222-b10-1ubuntu1~16.*

8u222-b10-1ubuntu1~16.04.1

8u232-b09-0ubuntu1~16.*

8u232-b09-0ubuntu1~16.04.1

8u242-b08-0ubuntu3~16.*

8u242-b08-0ubuntu3~16.04

Ecosystem specific 

{
    "availability": "No subscription required",
    "binaries": [
        {
            "openjdk-8-jre-jamvm": "8u252-b09-1~16.04",
            "openjdk-8-doc": "8u252-b09-1~16.04",
            "openjdk-8-dbg": "8u252-b09-1~16.04",
            "openjdk-8-jdk-headless": "8u252-b09-1~16.04",
            "openjdk-8-demo": "8u252-b09-1~16.04",
            "openjdk-8-jre-zero": "8u252-b09-1~16.04",
            "openjdk-8-jre-dbgsym": "8u252-b09-1~16.04",
            "openjdk-8-source": "8u252-b09-1~16.04",
            "openjdk-8-jre-headless": "8u252-b09-1~16.04",
            "openjdk-8-jre-headless-dbgsym": "8u252-b09-1~16.04",
            "openjdk-8-jdk": "8u252-b09-1~16.04",
            "openjdk-8-jre": "8u252-b09-1~16.04",
            "openjdk-8-demo-dbgsym": "8u252-b09-1~16.04"
        }
    ]
}

Ubuntu:18.04:LTS / openjdk-8

Package

Name
openjdk-8
Purl
pkg:deb/ubuntu/openjdk-8@8u252-b09-1~18.04?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8u252-b09-1~18.04

Affected versions

Other

8u144-b01-2
8u151-b12-1
8u162-b12-1

8u171-b11-0ubuntu0.*

8u171-b11-0ubuntu0.18.04.1

8u181-b13-0ubuntu0.*

8u181-b13-0ubuntu0.18.04.1

8u181-b13-1ubuntu0.*

8u181-b13-1ubuntu0.18.04.1

8u191-b12-0ubuntu0.*

8u191-b12-0ubuntu0.18.04.1

8u191-b12-2ubuntu0.*

8u191-b12-2ubuntu0.18.04.1

8u212-b03-0ubuntu1.*

8u212-b03-0ubuntu1.18.04.1

8u222-b10-1ubuntu1~18.*

8u222-b10-1ubuntu1~18.04.1

8u232-b09-0ubuntu1~18.*

8u232-b09-0ubuntu1~18.04.1

8u242-b08-0ubuntu3~18.*

8u242-b08-0ubuntu3~18.04

Ecosystem specific 

{
    "availability": "No subscription required",
    "binaries": [
        {
            "openjdk-8-dbg": "8u252-b09-1~18.04",
            "openjdk-8-jdk-headless": "8u252-b09-1~18.04",
            "openjdk-8-demo": "8u252-b09-1~18.04",
            "openjdk-8-jre-zero": "8u252-b09-1~18.04",
            "openjdk-8-jre-headless": "8u252-b09-1~18.04",
            "openjdk-8-source": "8u252-b09-1~18.04",
            "openjdk-8-jdk": "8u252-b09-1~18.04",
            "openjdk-8-jre": "8u252-b09-1~18.04",
            "openjdk-8-doc": "8u252-b09-1~18.04"
        }
    ]
}

Ubuntu:18.04:LTS / openjdk-lts

Package

Name
openjdk-lts
Purl
pkg:deb/ubuntu/openjdk-lts@11.0.7+10-2ubuntu2~18.04?arch=src?distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
11.0.7+10-2ubuntu2~18.04

Affected versions

9.*

9.0.4+12-2ubuntu4
9.0.4+12-4ubuntu1

Other

10~46-4ubuntu1
10~46-5ubuntu1

10.*

10.0.1+10-1ubuntu2
10.0.1+10-3ubuntu1
10.0.2+13-1ubuntu0.18.04.1
10.0.2+13-1ubuntu0.18.04.2
10.0.2+13-1ubuntu0.18.04.3
10.0.2+13-1ubuntu0.18.04.4

11.*

11.0.2+9-3ubuntu1~18.04.3
11.0.3+7-1ubuntu2~18.04.1
11.0.4+11-1ubuntu2~18.04.3
11.0.5+10-0ubuntu1.1~18.04
11.0.6+10-1ubuntu1~18.04.1

Ecosystem specific 

{
    "availability": "No subscription required",
    "binaries": [
        {
            "openjdk-11-dbg": "11.0.7+10-2ubuntu2~18.04",
            "openjdk-11-demo": "11.0.7+10-2ubuntu2~18.04",
            "openjdk-11-source": "11.0.7+10-2ubuntu2~18.04",
            "openjdk-11-jdk": "11.0.7+10-2ubuntu2~18.04",
            "openjdk-11-doc": "11.0.7+10-2ubuntu2~18.04",
            "openjdk-11-jdk-headless": "11.0.7+10-2ubuntu2~18.04",
            "openjdk-11-jre-zero": "11.0.7+10-2ubuntu2~18.04",
            "openjdk-11-jre": "11.0.7+10-2ubuntu2~18.04",
            "openjdk-11-jre-headless": "11.0.7+10-2ubuntu2~18.04"
        }
    ]
}