SecurityTracker Archives

Category:   Application (Generic)  >   Oracle Java SE
Vendors:   Oracle, Sun
(Oracle Issues Fix for Oracle Linux) Oracle Java SE Multiple Bugs Let Remote Users Gain Elevated Privileges, Remote and Local Users Access and Modify Data, and Remote Users Deny Service
SecurityTracker Alert ID:  1041916
SecurityTracker URL:  http://securitytracker.com/id/1041916
CVE Reference:   CVE-2018-3136, CVE-2018-3139, CVE-2018-3149, CVE-2018-3180, CVE-2018-3214   (Links to External Site)
Date:  Oct 18 2018
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in Oracle Java SE. A remote user can gain elevated privileges. A remote or local user can access and modify data on the target system. A remote user can cause denial of service conditions on the target system.

A remote user can exploit a flaw in the Scripting component to gain elevated privileges [CVE-2018-3183].

A remote user can exploit a flaw in the JavaFX component to gain elevated privileges [CVE-2018-3209].

A remote user can exploit a flaw in the Hotspot component to gain elevated privileges [CVE-2018-3169].

A remote user can exploit a flaw in the JNDI component to gain elevated privileges [CVE-2018-3149].

A local user can exploit a flaw in the Serviceability component to access and modify data [CVE-2018-3211].

A remote user can exploit a flaw in the JSSE component to obtain limited data, make limited modifications to data, and cause a partial denial of service [CVE-2018-3180].

A remote user can exploit a flaw in the Sound component to cause partial denial of service conditions [CVE-2018-3214].

A remote user can exploit a flaw in the Sound component to partially access data [CVE-2018-3157].

A remote user can exploit a flaw in the Utility component to partially modify data [CVE-2018-3150].

A remote user can exploit a flaw in the Deployment (libpng) component to cause partial denial of service conditions [CVE-2018-13785].

A remote user can exploit a flaw in the Security component to partially modify data [CVE-2018-3136].

A remote user can exploit a flaw in the Networking component to partially access data [CVE-2018-3139].

Artem Smotrakov, Felix Dorre, Krzysztof Szafranski, Nelson William Gamazo Sanchez of Trend Micro's Zero Day Initiative, and Tobias Ospelt of modzero reported these vulnerabilities.

Impact:   A remote user can obtain data on the target system.

A remote user can modify data on the target system.

A remote user can cause denial of service conditions.

A local user can obtain data on the target system.

A local user can modify data on the target system.

A remote user can gain elevated privileges on the target system.

Solution:   Oracle has issued a fix for CVE-2018-3136, CVE-2018-3139, CVE-2018-3149, CVE-2018-3180, and CVE-2018-3214 in the java-1.8.0-openjdk packages for Oracle Linux 7 (fixed version 1.8.0.191.b12-0.el7_5). The other CVEs listed in the description above are not addressed by this Oracle Linux update; they are covered by the original Oracle Java SE advisory referenced in the message history below.

The Oracle Linux advisory is available at:

http://linux.oracle.com/errata/ELSA-2018-2942.html

Vendor URL:  linux.oracle.com/errata/ELSA-2018-2942.html (Links to External Site)
Cause:   Not specified
Underlying OS:  Linux (Oracle)
Underlying OS Comments:  7

Message History:   This archive entry is a follow-up to the message listed below.
Oct 16 2018 Oracle Java SE Multiple Bugs Let Remote Users Gain Elevated Privileges, Remote and Local Users Access and Modify Data, and Remote Users Deny Service



 Source Message Contents

Subject:  [El-errata] ELSA-2018-2942 Critical: Oracle Linux 7 java-1.8.0-openjdk security update (aarch64)

Oracle Linux Security Advisory ELSA-2018-2942

http://linux.oracle.com/errata/ELSA-2018-2942.html

The following updated rpms for Oracle Linux 7 have been uploaded to the Unbreakable Linux Network:

aarch64:
java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.aarch64.rpm
java-1.8.0-openjdk-devel-1.8.0.191.b12-0.el7_5.aarch64.rpm
java-1.8.0-openjdk-headless-1.8.0.191.b12-0.el7_5.aarch64.rpm
java-1.8.0-openjdk-accessibility-1.8.0.191.b12-0.el7_5.aarch64.rpm
java-1.8.0-openjdk-accessibility-debug-1.8.0.191.b12-0.el7_5.aarch64.rpm
java-1.8.0-openjdk-debug-1.8.0.191.b12-0.el7_5.aarch64.rpm
java-1.8.0-openjdk-demo-1.8.0.191.b12-0.el7_5.aarch64.rpm
java-1.8.0-openjdk-demo-debug-1.8.0.191.b12-0.el7_5.aarch64.rpm
java-1.8.0-openjdk-devel-debug-1.8.0.191.b12-0.el7_5.aarch64.rpm
java-1.8.0-openjdk-headless-debug-1.8.0.191.b12-0.el7_5.aarch64.rpm
java-1.8.0-openjdk-javadoc-1.8.0.191.b12-0.el7_5.noarch.rpm
java-1.8.0-openjdk-javadoc-debug-1.8.0.191.b12-0.el7_5.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-1.8.0.191.b12-0.el7_5.noarch.rpm
java-1.8.0-openjdk-javadoc-zip-debug-1.8.0.191.b12-0.el7_5.noarch.rpm
java-1.8.0-openjdk-src-1.8.0.191.b12-0.el7_5.aarch64.rpm
java-1.8.0-openjdk-src-debug-1.8.0.191.b12-0.el7_5.aarch64.rpm


SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/java-1.8.0-openjdk-1.8.0.191.b12-0.el7_5.src.rpm
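The package names above encode the fixed build, and the changelog headers below show the package carries epoch 1, so a plain string compare of "1.8.0.191..." against the output of rpm -q is not enough. The following is an added example, not part of the Oracle advisory, that decides whether an installed java-1.8.0-openjdk build on Oracle Linux 7 is at or above 1:1.8.0.191.b12-0.el7_5. It assumes GNU coreutils `sort -V` and avoids rpmdev-vercmp so it runs anywhere; rpm's own comparison remains the authority for unusual version strings. The sample rpm -q outputs at the bottom are constructed from the build numbers in this erratum's changelog.

```shell
#!/bin/sh
# Added example (not part of ELSA-2018-2942): compare an installed
# java-1.8.0-openjdk EVR against the version this erratum ships,
# 1:1.8.0.191.b12-0.el7_5 (epoch 1, as in the changelog headers).
# Assumes GNU coreutils `sort -V`.

FIXED_EVR="1:1.8.0.191.b12-0.el7_5"

# rpm prints "(none)" for a missing epoch; fold that into an explicit 0.
normalize_evr() {
    case "$1" in
        "(none):"*) printf '0:%s' "${1#*:}" ;;
        *:*)        printf '%s' "$1" ;;
        *)          printf '0:%s' "$1" ;;
    esac
}

# evr_ge A B: exit 0 when A is at least as new as B (both "E:V-R" strings).
evr_ge() {
    a=$(normalize_evr "$1"); b=$(normalize_evr "$2")
    ea=${a%%:*}; eb=${b%%:*}
    # Epoch wins outright, which is why an epoch-less string of the same
    # version still compares as older than the shipped package.
    if [ "$ea" -ne "$eb" ]; then
        if [ "$ea" -gt "$eb" ]; then return 0; else return 1; fi
    fi
    vra=${a#*:}; vrb=${b#*:}
    # sort -V orders ascending; if A sorts last (or equals B), A >= B.
    last=$(printf '%s\n%s\n' "$vra" "$vrb" | sort -V | tail -n 1)
    [ "$last" = "$vra" ]
}

# Map an installed EVR to a one-word verdict against FIXED_EVR.
openjdk_status() {
    if evr_ge "$1" "$FIXED_EVR"; then printf 'fixed'; else printf 'vulnerable'; fi
}

# Query the live system when rpm is present. Output: "<package> <verdict>".
check_local_rpm() {
    pkg=${1:-java-1.8.0-openjdk-headless}
    if ! command -v rpm >/dev/null 2>&1; then
        printf '%s unknown (rpm not available)\n' "$pkg"; return 2
    fi
    if ! evr=$(rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' "$pkg"); then
        printf '%s not-installed\n' "$pkg"; return 2
    fi
    printf '%s %s\n' "$pkg" "$(openjdk_status "$evr")"
}

# Constructed sample rpm -q output: three earlier builds named in this
# erratum's changelog, one epoch-less string, and the shipped fix.
for evr in "1:1.8.0.181-4.b13" "1:1.8.0.181.b16-0.el7_5" \
           "1:1.8.0.191.b10-0.el7_5" "(none):1.8.0.191.b12-0.el7_5" \
           "1:1.8.0.191.b12-0.el7_5"; do
    printf '%-32s %s\n' "$evr" "$(openjdk_status "$evr")"
done
```

On a real host, call `check_local_rpm java-1.8.0-openjdk-headless` (and again for the -devel and -accessibility subpackages if installed); the verdict applies per package, so a partially applied update shows up as a mix. After `yum update java-1.8.0-openjdk*`, also restart any JVM processes, since a running JVM keeps the old libjvm mapped until it exits.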



Description of changes:

[1:1.8.0.191.b12-0]
- Update to aarch64-shenandoah-jdk8u191-b12.
- Resolves: rhbz#1633817

[1:1.8.0.191.b10-0]
- Update to aarch64-shenandoah-jdk8u191-b10.
- Drop 8146115/PR3508/RH1463098 applied upstream.
- Resolves: rhbz#1633817

[1:1.8.0.181.b16-0]
- Add new Shenandoah patch PR3634 as upstream still fails on s390.
- Resolves: rhbz#1633817

[1:1.8.0.181.b16-0]
- Update to aarch64-shenandoah-jdk8u181-b16.
- Drop PR3619 & PR3620 Shenandoah patches which should now be fixed upstream.
- Resolves: rhbz#1633817

[1:1.8.0.181.b15-0]
- Move to single OpenJDK tarball build, based on aarch64/shenandoah-jdk8u.
- Update to aarch64-shenandoah-jdk8u181-b15.
- Drop 8165489-pr3589.patch which was only applied to aarch64/jdk8u builds.
- Move buildver to where it should be in the OpenJDK version.
- Split ppc64 Shenandoah fix into separate patch file with its own bug ID (PR3620).
- Update pr3539-rh1548475.patch to apply after 8187045.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Remove unneeded functions from ppc shenandoahBarrierSet.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Add missing shenandoahBarrierSet implementation for ppc64{be,le}.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Fix wrong format specifiers in Shenandoah code.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Avoid changing variable types to fix size_t, at least for now.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- More size_t fixes for Shenandoah.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Add additional s390 size_t case for Shenandoah.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Actually add the patch...
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Attempt to fix Shenandoah build issues on s390.
- Resolves: rhbz#1633817

[1:1.8.0.181-4.b13]
- Use the Shenandoah HotSpot on all architectures.
- Resolves: rhbz#1633817


_______________________________________________
El-errata mailing list
El-errata@oss.oracle.com
https://oss.oracle.com/mailman/listinfo/el-errata