[ALAS-2016-647] Amazon Linux AMI 2014.03 - ALAS-2016-647: important priority package update for java-1.8.0-openjdk

Severity Important
Affected Packages 13
CVEs 7

Package updates are available for Amazon Linux AMI that fix the following vulnerabilities:
CVE-2016-0494:
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
1298906:
CVE-2016-0494 ICU: integer signedness issue in IndicRearrangementProcessor (OpenJDK 2D, 8140543)

CVE-2016-0483:
An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A specially crafted JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrusted Java application or applet could use this flaw to bypass Java sandbox restrictions.
1299441:
CVE-2016-0483 OpenJDK: incorrect boundary check in JPEG decoder (AWT, 8139017)

CVE-2016-0475:
It was discovered that the password-based encryption (PBE) implementation in the Libraries component in OpenJDK used an incorrect key length. This could, in certain cases, lead to generation of keys that were weaker than expected.
1298949:
CVE-2016-0475 OpenJDK: PBE incorrect key lengths (Libraries, 8138589)

CVE-2016-0466:
It was discovered that the JAXP component in OpenJDK did not properly enforce the totalEntitySizeLimit limit. An attacker able to make a Java application process a specially crafted XML file could use this flaw to make the application consume an excessive amount of memory.
1299385:
CVE-2016-0466 OpenJDK: insufficient enforcement of totalEntitySizeLimit (JAXP, 8133962)

CVE-2016-0448:
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66, and Java SE Embedded 8u65 allows remote authenticated users to affect confidentiality via vectors related to JMX.
1299073:
CVE-2016-0448 OpenJDK: logging of RMI connection secrets (JMX, 8130710)

CVE-2016-0402:
Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect integrity via unknown vectors related to Networking.
1298957:
CVE-2016-0402 OpenJDK: URL deserialization inconsistencies (Networking, 8059054)

CVE-2015-7575:
A flaw was found in the way TLS 1.2 could use the MD5 hash function for signing ServerKeyExchange and Client Authentication packets during a TLS handshake. A man-in-the-middle attacker able to force a TLS connection to use the MD5 hash function could use this flaw to conduct collision attacks to impersonate a TLS server or an authenticated TLS client.
1289841:
CVE-2015-7575 TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol (SLOTH)

Type      Package URL                                                                        Namespace    Name / Product                Version                   Distribution / Platform  Arch    Patch / Fix
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk?arch=x86_64&distro=amazonlinux-1            amazonlinux  java-1.8.0-openjdk            < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            x86_64
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk?arch=i686&distro=amazonlinux-1              amazonlinux  java-1.8.0-openjdk            < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            i686
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk-src?arch=x86_64&distro=amazonlinux-1        amazonlinux  java-1.8.0-openjdk-src        < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            x86_64
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk-src?arch=i686&distro=amazonlinux-1          amazonlinux  java-1.8.0-openjdk-src        < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            i686
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk-javadoc?arch=noarch&distro=amazonlinux-1    amazonlinux  java-1.8.0-openjdk-javadoc    < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            noarch
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk-headless?arch=x86_64&distro=amazonlinux-1   amazonlinux  java-1.8.0-openjdk-headless   < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            x86_64
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk-headless?arch=i686&distro=amazonlinux-1     amazonlinux  java-1.8.0-openjdk-headless   < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            i686
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk-devel?arch=x86_64&distro=amazonlinux-1      amazonlinux  java-1.8.0-openjdk-devel      < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            x86_64
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk-devel?arch=i686&distro=amazonlinux-1        amazonlinux  java-1.8.0-openjdk-devel      < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            i686
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk-demo?arch=x86_64&distro=amazonlinux-1       amazonlinux  java-1.8.0-openjdk-demo       < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            x86_64
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk-demo?arch=i686&distro=amazonlinux-1         amazonlinux  java-1.8.0-openjdk-demo       < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            i686
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk-debuginfo?arch=x86_64&distro=amazonlinux-1  amazonlinux  java-1.8.0-openjdk-debuginfo  < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            x86_64
Affected  pkg:rpm/amazonlinux/java-1.8.0-openjdk-debuginfo?arch=i686&distro=amazonlinux-1    amazonlinux  java-1.8.0-openjdk-debuginfo  < 1.8.0.71-2.b15.8.amzn1  amazonlinux-1            i686
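One way to check a host against the table above, as an added example that is not part of the advisory and not Amazon's own tooling: the package URLs are parsed for name and arch, the installed version-release (assumed to come from rpm -qa with the query format shown in the comment) is ordered against the 1.8.0.71-2.b15.8.amzn1 bound with a re-implementation of librpm's rpmvercmp rules, and anything older is flagged. The assumption that the "<" bound is exclusive (so that build is the fixed one) is stated in the code; the sample rpm output is constructed for the illustration and its version strings are not real host data.

```python
import re
from urllib.parse import parse_qsl, unquote

# Lowest unaffected version-release, read off the table's "< ..." bound
# (assumption: the bound is exclusive, so this build carries the fix).
FIXED_VR = "1.8.0.71-2.b15.8.amzn1"

# The 13 package URLs listed in the advisory table.
ADVISORY_PURLS = """
pkg:rpm/amazonlinux/java-1.8.0-openjdk?arch=x86_64&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk?arch=i686&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk-src?arch=x86_64&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk-src?arch=i686&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk-javadoc?arch=noarch&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk-headless?arch=x86_64&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk-headless?arch=i686&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk-devel?arch=x86_64&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk-devel?arch=i686&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk-demo?arch=x86_64&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk-demo?arch=i686&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk-debuginfo?arch=x86_64&distro=amazonlinux-1
pkg:rpm/amazonlinux/java-1.8.0-openjdk-debuginfo?arch=i686&distro=amazonlinux-1
"""


def parse_purl(purl):
    """(name, arch) from a pkg:rpm package URL; covers only the
    pkg:type/namespace/name[@version]?qualifiers subset used on this page."""
    path, _, query = purl.partition("?")
    name = unquote(path.rsplit("/", 1)[-1].split("@", 1)[0])
    return name, dict(parse_qsl(query)).get("arch")


def rpmvercmp(a, b):
    """Order two version or release strings like librpm's rpmvercmp:
    separators are ignored, digit runs compare numerically, alpha runs
    lexically, a digit run beats an alpha run, '~' sorts before everything,
    and otherwise the string with segments left over is newer.
    Returns -1, 0 or 1 for a < b, a == b, a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:                 # pre-release marker loses, even to end-of-string
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        if mb is None:               # segment classes differ: numeric wins
            return 1 if isnum else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):   # longer digit run is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, release breaks ties.
    Epoch is ignored because the advisory bound does not carry one."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def audit(rpm_qa_output, fixed_vr=FIXED_VR):
    """Return (name, arch, installed_vr) for listed packages older than fixed_vr.
    rpm_qa_output is assumed to be the text produced by
      rpm -qa --qf '%{NAME}\\t%{VERSION}-%{RELEASE}\\t%{ARCH}\\n'"""
    affected = {parse_purl(p) for p in ADVISORY_PURLS.split()}
    findings = []
    for line in rpm_qa_output.strip().splitlines():
        name, vr, arch = line.split("\t")
        if (name, arch) in affected and vr_cmp(vr, fixed_vr) < 0:
            findings.append((name, arch, vr))
    return findings


# Constructed sample of rpm -qa output for this illustration, not real host data.
SAMPLE_RPM_QA = "\n".join([
    "java-1.8.0-openjdk\t1.8.0.65-3.b17.4.amzn1\tx86_64",
    "java-1.8.0-openjdk-headless\t1.8.0.71-1.b15.8.amzn1\tx86_64",
    "java-1.8.0-openjdk-devel\t1.8.0.71-2.b15.8.amzn1\tx86_64",
    "java-1.8.0-openjdk-javadoc\t1.8.0.65-3.b17.4.amzn1\tnoarch",
    "java-1.7.0-openjdk\t1.7.0.95-2.6.4.0.65.amzn1\tx86_64",
])

if __name__ == "__main__":
    for name, arch, vr in audit(SAMPLE_RPM_QA):
        print(f"VULNERABLE {name}.{arch} {vr} < {FIXED_VR}")
```

On a real Amazon Linux 2014.03 host the remediation itself is simply yum update java-1.8.0-openjdk; the value of doing the comparison explicitly is that plain string or float ordering of release strings such as 2.b15.8.amzn1 gets the answer wrong, which is how fleet-wide reports built on naive version matching end up with false negatives. The headless entry in the sample is the case that bites: same version as the fix, older release, still vulnerable. Epoch is left out on both sides because the advisory bound does not state one; a scanner that compares full EVRs must add it back consistently.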