Critical: java-1.8.0-openjdk security update

Synopsis

Critical: java-1.8.0-openjdk security update

Type/Severity

Security Advisory: Critical

Topic

An update for java-1.8.0-openjdk is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Security Fix(es):

• OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814)
  
• OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794)
  
• OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795)
  
• OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796)
  
• OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797)
  
• OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798)
  
• OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799)
  
• OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800)
  
• OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815)
  
• OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790)
  

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Note: If the web browser plug-in provided by the icedtea-web package was installed, the issues exposed via Java applets could have been exploited without user interaction if a user visited a malicious website.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of OpenJDK Java must be restarted for this update to take effect.

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 7.6 x86_64
• Red Hat Enterprise Linux Server - Extended Update Support 7.5 x86_64
• Red Hat Enterprise Linux Server - AUS 7.6 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.6 s390x
• Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 7.5 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.6 ppc64
• Red Hat Enterprise Linux for Power, big endian - Extended Update Support 7.5 ppc64
• Red Hat Enterprise Linux for Scientific Computing 7 x86_64
• Red Hat Enterprise Linux EUS Compute Node 7.6 x86_64
• Red Hat Enterprise Linux EUS Compute Node 7.5 x86_64
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.6 ppc64le
• Red Hat Enterprise Linux for Power, little endian - Extended Update Support 7.5 ppc64le
• Red Hat Enterprise Linux Server - TUS 7.6 x86_64
• Red Hat Enterprise Linux for ARM 64 7 aarch64
• Red Hat Enterprise Linux for Power 9 7 ppc64le
• Red Hat Enterprise Linux Server (for IBM Power LE) - Update Services for SAP Solutions 7.6 ppc64le
• Red Hat Enterprise Linux Server - Update Services for SAP Solutions 7.6 x86_64
• Red Hat Enterprise Linux for IBM System z (Structure A) 7 s390x

Fixes

• BZ - 1567121 - CVE-2018-2814 OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025)
• BZ - 1567126 - CVE-2018-2794 OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997)
• BZ - 1567351 - CVE-2018-2795 OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977)
• BZ - 1567537 - CVE-2018-2815 OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757)
• BZ - 1567542 - CVE-2018-2799 OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993)
• BZ - 1567543 - CVE-2018-2798 OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989)
• BZ - 1567545 - CVE-2018-2797 OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985)
• BZ - 1567546 - CVE-2018-2796 OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981)
• BZ - 1568163 - CVE-2018-2800 OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833)
• BZ - 1568515 - CVE-2018-2790 OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969)

CVEs

• CVE-2018-2790
• CVE-2018-2794
• CVE-2018-2795
• CVE-2018-2796
• CVE-2018-2797
• CVE-2018-2798
• CVE-2018-2799
• CVE-2018-2800
• CVE-2018-2814
• CVE-2018-2815

References

• https://access.redhat.com/security/updates/classification/#critical