Ubuntu Security Notice 3747-1 - It was discovered that OpenJDK did not properly validate types in some situations. An attacker could use this to construct a Java class that could possibly bypass sandbox restrictions. It was discovered that the PatternSyntaxException class in OpenJDK did not properly validate arguments passed to it. An attacker could use this to potentially construct a class that caused a denial of service. Various other issues were also addressed.
badf7418cc4dc5265e0b3440db9897b99af4a4d4c674bccb74a68933b0658bf9
==========================================================================
Ubuntu Security Notice USN-3747-1
August 21, 2018
openjdk-lts vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in OpenJDK 10.
Software Description:
- openjdk-lts: Java runtime based on OpenJDK (debugging symbols)
Details:
It was discovered that OpenJDK did not properly validate types in some
situations. An attacker could use this to construct a Java class that could
possibly bypass sandbox restrictions. (CVE-2018-2825, CVE-2018-2826)
It was discovered that the PatternSyntaxException class in OpenJDK did not
properly validate arguments passed to it. An attacker could use this to
potentially construct a class that caused a denial of service (excessive
memory consumption). (CVE-2018-2952)
Daniel Bleichenbacher discovered a vulnerability in the Galois/Counter Mode
(GCM) mode of operation for symmetric block ciphers in OpenJDK. An attacker
could use this to expose sensitive information. (CVE-2018-2972)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 18.04 LTS:
openjdk-11-jre 10.0.2+13-1ubuntu0.18.04.1
openjdk-11-jre-headless 10.0.2+13-1ubuntu0.18.04.1
openjdk-11-jre-zero 10.0.2+13-1ubuntu0.18.04.1
This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.
References:
https://usn.ubuntu.com/usn/usn-3747-1
CVE-2018-2825, CVE-2018-2826, CVE-2018-2952, CVE-2018-2972
Package Information:
https://launchpad.net/ubuntu/+source/openjdk-lts/10.0.2+13-1ubuntu0.18.04.1