what you don't know can hurt you

Ubuntu Security Notice USN-3975-1

Ubuntu Security Notice USN-3975-1
Posted May 14, 2019
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3975-1 - It was discovered that the BigDecimal implementation in OpenJDK performed excessive computation when given certain values. An attacker could use this to cause a denial of service. Corwin de Boor and Robert Xiao discovered that the RMI registry implementation in OpenJDK did not properly select the correct skeleton class in some situations. An attacker could use this to possibly escape Java sandbox restrictions. Various other issues were also addressed.

tags | advisory, java, denial of service, registry
systems | linux, ubuntu
advisories | CVE-2019-2602, CVE-2019-2684, CVE-2019-2697, CVE-2019-2698
MD5 | 521a7981d1b62cfdfcb3e98017ad5165

Ubuntu Security Notice USN-3975-1

Change Mirror Download
=========================================================================
Ubuntu Security Notice USN-3975-1
May 13, 2019

openjdk-8, openjdk-lts vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 19.04
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS

Summary:

Several security issues were fixed in OpenJDK.

Software Description:
- openjdk-lts: Open Source Java implementation
- openjdk-8: Open Source Java implementation

Details:

It was discovered that the BigDecimal implementation in OpenJDK performed
excessive computation when given certain values. An attacker could use this
to cause a denial of service (excessive CPU usage). (CVE-2019-2602)

Corwin de Boor and Robert Xiao discovered that the RMI registry
implementation in OpenJDK did not properly select the correct skeleton
class in some situations. An attacker could use this to possibly escape
Java sandbox restrictions. (CVE-2019-2684)

Mateusz Jurczyk discovered a vulnerability in the 2D component of
OpenJDK. An attacker could use this to possibly escape Java sandbox
restrictions. This issue only affected OpenJDK 8 in Ubuntu 16.04
LTS. (CVE-2019-2697)

Mateusz Jurczyk discovered a vulnerability in the font layout engine
of OpenJDK's 2D component. An attacker could use this to possibly
escape Java sandbox restrictions. This issue only affected OpenJDK 8
in Ubuntu 16.04 LTS. (CVE-2019-2698)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 19.04:
openjdk-11-jdk 11.0.3+7-1ubuntu2~19.04.1
openjdk-11-jdk-headless 11.0.3+7-1ubuntu2~19.04.1
openjdk-11-jre 11.0.3+7-1ubuntu2~19.04.1
openjdk-11-jre-headless 11.0.3+7-1ubuntu2~19.04.1

Ubuntu 18.10:
openjdk-11-jdk 11.0.3+7-1ubuntu2~18.10.1
openjdk-11-jdk-headless 11.0.3+7-1ubuntu2~18.10.1
openjdk-11-jre 11.0.3+7-1ubuntu2~18.10.1
openjdk-11-jre-headless 11.0.3+7-1ubuntu2~18.10.1

Ubuntu 18.04 LTS:
openjdk-11-jdk 11.0.3+7-1ubuntu2~18.04.1
openjdk-11-jdk-headless 11.0.3+7-1ubuntu2~18.04.1
openjdk-11-jre 11.0.3+7-1ubuntu2~18.04.1
openjdk-11-jre-headless 11.0.3+7-1ubuntu2~18.04.1

Ubuntu 16.04 LTS:
openjdk-8-jdk 8u212-b03-0ubuntu1.16.04.1
openjdk-8-jdk-headless 8u212-b03-0ubuntu1.16.04.1
openjdk-8-jre 8u212-b03-0ubuntu1.16.04.1
openjdk-8-jre-headless 8u212-b03-0ubuntu1.16.04.1
openjdk-8-jre-jamvm 8u212-b03-0ubuntu1.16.04.1

This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart any Java
applications or applets to make all the necessary changes.

References:
https://usn.ubuntu.com/usn/usn-3975-1
CVE-2019-2602, CVE-2019-2684, CVE-2019-2697, CVE-2019-2698

Package Information:
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.3+7-1ubuntu2~19.04.1
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.3+7-1ubuntu2~18.10.1
https://launchpad.net/ubuntu/+source/openjdk-lts/11.0.3+7-1ubuntu2~18.04.1
https://launchpad.net/ubuntu/+source/openjdk-8/8u212-b03-0ubuntu1.16.04.1

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    11 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    2 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    19 Files
  • 21
    Aug 21st
    17 Files
  • 22
    Aug 22nd
    9 Files
  • 23
    Aug 23rd
    3 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close