SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Oracle Java SE Vendors:   Sun
(Red Hat Issues Fix for Oracle Java SE) OpenSSL Flaws Let Remote Users Deny Service and Decrypt TLS Sessions in Certain Cases
SecurityTracker Alert ID:  1041580
SecurityTracker URL:  http://securitytracker.com/id/1041580
CVE Reference:   CVE-2016-0705   (Links to External Site)
Date:  Aug 28 2018
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in OpenSSL. A remote user can decrypt TLS sessions in certain cases. A remote user can cause denial of service conditions on the target system. Oracle Java SE is affected.

A remote user can decrypt TLS sessions in certain cases by using a server that supports SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle [CVE-2016-0800]. This attack is known as a DROWN attack.

Systems with a private key used on another server for any protocol that allows SSLv2 connections are affected.

Systems running versions prior to 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf (released on March 19, 2015) can be exploited more readily.

The original advisory is available at:

https://drownattack.com/drown-attack-paper.pdf

Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Kasper, Shaanan Cohney, Susanne Engels, Christof Paar, and Yuval Shavitt reported this vulnerability.

A remote user can create a specially crafted private DSA key that, when processed by OpenSSL, will trigger a double free memory error and cause denial of service conditions [CVE-2016-0705].

Adam Langley (Google/BoringSSL) reported this vulnerability.

A remote user can supply a specially crafted username value to the target SRP server to trigger a memory leak [CVE-2016-0798].

Emilia Kasper of the OpenSSL development team reported this vulnerability.

A user can create specially crafted data (e.g., configuration file) that, when processed by OpenSSL, will trigger a null pointer dereference in the BN_hex2bn/BN_dec2bn() functions [CVE-2016-0797].

Guido Vranken reported this vulnerability.

A user can create specially crafted data that, when processed by OpenSSL, will trigger a memory error in BIO_*printf() functions [CVE-2016-0799].

Guido Vranken reported this vulnerability.

A local user can conduct a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture to potentially recover RSA keys [CVE-2016-0702].

Yuval Yarom, the University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania, reported this vulnerability.

The SSLv2 's2_srvr.c' code does not ensure that a clear-key-length value is 0 for non-export ciphers. As a result, clear-key bytes can displace encrypted-key bytes, which can be exploited to conduct a key recovery attack [CVE-2016-0703].

Versions 1.0.2, 1.0.1l, 1.0.0q, and 0.9.8ze and prior versions are affected.

David Adrian and J. Alex Halderman of the University of Michigan reported this vulnerability.

The Bleichenbacher protection for export cipher suites in 's2_srvr.c' overwrites bytes incorrectly in the master-key, which may provide a Bleichenbacher oracle that can be used to decrypt sessions [CVE-2016-0704].

Versions 1.0.2, 1.0.1l, 1.0.0q, and 0.9.8ze and all prior versions are affected.

David Adrian and J. Alex Halderman of the University of Michigan reported this vulnerability.

A remote user can trigger an out-of-bounds memory write error in doapr_outch() in 'crypto/bio/b_print.c' to potentially execute arbitrary code on the target system [CVE-2016-2842].

Guido Vranken reported this vulnerability.

Impact:   A remote user can decrypt TLS sessions in certain cases.

A remote user can cause denial of service conditions.

A remote user can execute arbitrary code on the target system.

Solution:   Red Hat has issued a fix for CVE-2016-0705 for Oracle Java SE for java-1.8.0-ibm.

The Red Hat advisory is available at:

https://access.redhat.com/errata/RHSA-2018:2575

Vendor URL:  access.redhat.com/errata/RHSA-2018:2575 (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  6

Message History:   This archive entry is a follow-up to the message listed below.
Mar 1 2016 OpenSSL Flaws Let Remote Users Deny Service and Decrypt TLS Sessions in Certain Cases



 Source Message Contents

Subject:  [RHSA-2018:2575-01] Important: java-1.8.0-ibm security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: java-1.8.0-ibm security update
Advisory ID:       RHSA-2018:2575-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2575
Issue date:        2018-08-28
CVE Names:         CVE-2016-0705 CVE-2017-3732 CVE-2017-3736 
                   CVE-2018-1517 CVE-2018-1656 CVE-2018-2940 
                   CVE-2018-2952 CVE-2018-2973 CVE-2018-12539 
=====================================================================

1. Summary:

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux
6 Supplementary.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, x86_64

3. Description:

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM
Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR5-FP20.

Security Fix(es):

* IBM JDK: privilege escalation via insufficiently restricted access to
Attach API (CVE-2018-12539)

* openssl: BN_mod_exp may produce incorrect results on x86_64
(CVE-2017-3732)

* openssl: bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)

* IBM JDK: DoS in the java.math component (CVE-2018-1517)

* IBM JDK: path traversal flaw in the Diagnostic Tooling Framework
(CVE-2018-1656)

* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and
10.0.2 (Libraries) (CVE-2018-2940)

* OpenJDK: insufficient index validation in PatternSyntaxException
getMessage() (Concurrency, 8199547) (CVE-2018-2952)

* Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and
10.0.2 (JSSE) (CVE-2018-2973)

* OpenSSL: Double-free in DSA code (CVE-2016-0705)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.

Red Hat would like to thank the OpenSSL project for reporting
CVE-2016-0705. Upstream acknowledges Adam Langley (Google/BoringSSL) as the
original reporter of CVE-2016-0705.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of IBM Java must be restarted for this update to take
effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1310596 - CVE-2016-0705 OpenSSL: Double-free in DSA code
1416856 - CVE-2017-3732 openssl: BN_mod_exp may produce incorrect results on x86_64
1509169 - CVE-2017-3736 openssl: bn_sqrx8x_internal carry bug on x86_64
1600925 - CVE-2018-2952 OpenJDK: insufficient index validation in PatternSyntaxException getMessage() (Concurrency, 8199547)
1602145 - CVE-2018-2973 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (JSSE)
1602146 - CVE-2018-2940 Oracle JDK: unspecified vulnerability fixed in 6u201, 7u191, 8u181, and 10.0.2 (Libraries)
1618767 - CVE-2018-12539 IBM JDK: privilege escalation via insufficiently restricted access to Attach API
1618869 - CVE-2018-1656 IBM JDK: path traversal flaw in the Diagnostic Tooling Framework
1618871 - CVE-2018-1517 IBM JDK: DoS in the java.math component

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.i686.rpm

x86_64:
java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

x86_64:
java-1.8.0-ibm-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.i686.rpm

ppc64:
java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.ppc64.rpm

s390x:
java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.s390x.rpm

x86_64:
java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.i686.rpm

x86_64:
java-1.8.0-ibm-jdbc-1.8.0.5.20-1jpp.1.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-0705
https://access.redhat.com/security/cve/CVE-2017-3732
https://access.redhat.com/security/cve/CVE-2017-3736
https://access.redhat.com/security/cve/CVE-2018-1517
https://access.redhat.com/security/cve/CVE-2018-1656
https://access.redhat.com/security/cve/CVE-2018-2940
https://access.redhat.com/security/cve/CVE-2018-2952
https://access.redhat.com/security/cve/CVE-2018-2973
https://access.redhat.com/security/cve/CVE-2018-12539
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW4WgLdzjgjWX9erEAQixyw//d2pemlb2TNR2kW3WlrxY0KBjUBM+PS4i
bQ8+SoNsct2XtVFq0oOfwAmYMn++pAY37yvvhUdefe5sAcUldDcJtLIgXbtISSXe
V5EdrLvQbv/rSxikOfccFzNI8GwJTgGiLpq8n9exHcSsY5cZevzukgRr6b+yQbnj
mcYEC3TB/CnulDac/Pt0VsS9AoFhwuX958/+EQdpMq1yOGqog6eM8U6x2btA4YSi
mcVD2hom6GuYMKq0oWDPWPry5hJePvbPM6GZw8pYdRvA1eKjp24M3mkWkkIEFw6U
aZCW6YXJuwMMJ4IYbF1Aofm3ab+R1VZXmPvzMHXRhVcRyZLvBzo1fZaw7ISX1ibV
FimDRrXLIJDudoS80DMVmbgQTL37U6pGAe6gV2JLtvtEZl02Sxq5PeRfuMME4qeP
rT+xyz0zjyIqTpxhAzAQJ28ZCrWDvRycCT5ZLwaPfxZ0+4cY1l58TMfYpdwIKJSC
M8HQccrNxQ8S/kSKexIT18mSQcMwOhDza6gV4hSiOQgI/xHW3sic78a7/74JnSBT
DgZuicAq73IWdYu67B04UzsZNsySSW6vs3BeYdfN5BnmK40NxrH5d5LMRV4xKmN+
HlkzX1CrDCBl9PtbQF0xpUGluvXCg1u2kzGHj4Dv7JP64bV1wXmLm5kwrPL/QZhv
8IL8kIZinC8=
=eoiE
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC