[RHSA-2015:1228] java-1.8.0-openjdk security update

Severity: Important
Affected Packages: 11
CVEs: 16

The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime
Environment and the OpenJDK 8 Java Software Development Kit.

Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI
components in OpenJDK. An untrusted Java application or applet could use
these flaws to bypass Java sandbox restrictions. (CVE-2015-4760,
CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733)

A flaw was found in the way the Libraries component of OpenJDK verified
Online Certificate Status Protocol (OCSP) responses. An OCSP response with
no nextUpdate date specified was incorrectly handled as having unlimited
validity, possibly causing a revoked X.509 certificate to be interpreted as
valid. (CVE-2015-4748)

It was discovered that the JCE component in OpenJDK failed to use constant
time comparisons in multiple cases. An attacker could possibly use these
flaws to disclose sensitive information by measuring the time used to
perform operations using these non-constant time comparisons.
(CVE-2015-2601)

It was discovered that the GCM (Galois Counter Mode) implementation in the
Security component of OpenJDK failed to properly perform a null check.
This could cause the Java Virtual Machine to crash when an application
performed encryption using a block cipher in the GCM mode. (CVE-2015-2659)

A flaw was found in the RC4 encryption algorithm. When using certain keys
for RC4 encryption, an attacker could obtain portions of the plain text
from the cipher text without the knowledge of the encryption key.
(CVE-2015-2808)

Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by
default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug
1207101, linked to in the References section, for additional details about
this change.

A flaw was found in the way the TLS protocol composed the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them to decrypt all traffic. (CVE-2015-4000)

Note: This update forces the TLS/SSL client implementation in OpenJDK to
reject DH key sizes below 768 bits, which prevents sessions from being
downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211,
linked to in the References section, for additional details about this
change.

It was discovered that the JNDI component in OpenJDK did not handle DNS
resolutions correctly. An attacker able to trigger such DNS errors could
cause a Java application using JNDI to consume memory and CPU time, and
possibly block further DNS resolution. (CVE-2015-4749)

Multiple information leak flaws were found in the JMX and 2D components in
OpenJDK. An untrusted Java application or applet could use these flaws to
bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632)

A flaw was found in the way the JSSE component in OpenJDK performed X.509
certificate identity verification when establishing a TLS/SSL connection to
a host identified by an IP address. In certain cases, the certificate was
accepted as valid if it was issued for a host name to which the IP address
resolves rather than for the IP address. (CVE-2015-2625)
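The identity rule behind CVE-2015-2625, as an added example (constructed here, not OpenJDK or JSSE code): a peer named by an IP literal may only be matched by an iPAddress subjectAltName, never by a dNSName that the address happens to reverse-resolve to. The lenient variant shows the flawed behaviour with an injected `reverse_lookup` callable (hypothetical, so nothing touches real DNS); the SAN list and PTR mapping are constructed sample data.

```python
import ipaddress

# Constructed example, not OpenJDK/JSSE code: the identity check that
# CVE-2015-2625 describes JSSE getting wrong for IP-address targets.

def _parse_ip(text):
    """ip_address for an IPv4/IPv6 literal (brackets allowed), else None."""
    try:
        return ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None

def _dns_name_matches(target, pattern):
    """Case-insensitive dNSName match; a lone left-most '*' matches one label."""
    target, pattern = target.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return target == pattern
    head, _, tail = pattern.partition(".")
    if head != "*" or "." not in tail:      # reject "*", "a*.x" and "*.tld"
        return False
    t_head, t_sep, t_tail = target.partition(".")
    return bool(t_head) and bool(t_sep) and t_tail == tail

def strict_identity_matches(target, san_entries):
    """Correct rule: IP targets need an exact iPAddress SAN, names a dNSName SAN."""
    ip = _parse_ip(target)
    for kind, value in san_entries:
        if ip is not None:
            if kind == "IP" and _parse_ip(value) == ip:   # never consult DNS here
                return True
        elif kind == "DNS" and _dns_name_matches(target, value):
            return True
    return False

def lenient_identity_matches(target, san_entries, reverse_lookup):
    """Flawed behaviour: an IP target is also accepted when a dNSName SAN equals
    the name the IP reverse-resolves to. reverse_lookup is a hypothetical injected
    callable (IP string -> host name or None) so the example never touches DNS."""
    if strict_identity_matches(target, san_entries):
        return True
    ip = _parse_ip(target)
    if ip is None:
        return False
    resolved = reverse_lookup(str(ip))
    return resolved is not None and any(
        kind == "DNS" and _dns_name_matches(resolved, value)
        for kind, value in san_entries)

# Constructed certificate SANs and a constructed reverse-DNS mapping.
SAN = [("DNS", "db.example.test"), ("DNS", "*.corp.example.test")]
PTR = {"192.0.2.10": "db.example.test"}.get
```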

Multiple insecure temporary file use issues were found in the way the
Hotspot component in OpenJDK created performance statistics and error log
files. A local attacker could possibly make a victim using OpenJDK
overwrite arbitrary files using a symlink attack. Note: This issue was
originally fixed as CVE-2015-0383, but that fix regressed in the
RHSA-2015:0809 advisory. (CVE-2015-3149)

All users of java-1.8.0-openjdk are advised to upgrade to these updated
packages, which resolve these issues. All running instances of OpenJDK Java
must be restarted for the update to take effect.

ID: RHSA-2015:1228
Severity: important
URL: https://access.redhat.com/errata/RHSA-2015:1228
Published: 2015-07-15T00:00:00
Modified: 2015-07-15T00:00:00
Rights: Copyright 2015 Red Hat, Inc.
Other Advisories
Source ID URL
Bugzilla 1207101 https://bugzilla.redhat.com/1207101
Bugzilla 1213365 https://bugzilla.redhat.com/1213365
Bugzilla 1223211 https://bugzilla.redhat.com/1223211
Bugzilla 1241965 https://bugzilla.redhat.com/1241965
Bugzilla 1242019 https://bugzilla.redhat.com/1242019
Bugzilla 1242144 https://bugzilla.redhat.com/1242144
Bugzilla 1242232 https://bugzilla.redhat.com/1242232
Bugzilla 1242234 https://bugzilla.redhat.com/1242234
Bugzilla 1242240 https://bugzilla.redhat.com/1242240
Bugzilla 1242275 https://bugzilla.redhat.com/1242275
Bugzilla 1242281 https://bugzilla.redhat.com/1242281
Bugzilla 1242372 https://bugzilla.redhat.com/1242372
Bugzilla 1242379 https://bugzilla.redhat.com/1242379
Bugzilla 1242394 https://bugzilla.redhat.com/1242394
Bugzilla 1242447 https://bugzilla.redhat.com/1242447
Bugzilla 1243139 https://bugzilla.redhat.com/1243139
RHSA RHSA-2015:1228 https://access.redhat.com/errata/RHSA-2015:1228
CVE CVE-2015-2590 https://access.redhat.com/security/cve/CVE-2015-2590
CVE CVE-2015-2601 https://access.redhat.com/security/cve/CVE-2015-2601
CVE CVE-2015-2621 https://access.redhat.com/security/cve/CVE-2015-2621
CVE CVE-2015-2625 https://access.redhat.com/security/cve/CVE-2015-2625
CVE CVE-2015-2628 https://access.redhat.com/security/cve/CVE-2015-2628
CVE CVE-2015-2632 https://access.redhat.com/security/cve/CVE-2015-2632
CVE CVE-2015-2659 https://access.redhat.com/security/cve/CVE-2015-2659
CVE CVE-2015-2808 https://access.redhat.com/security/cve/CVE-2015-2808
CVE CVE-2015-3149 https://access.redhat.com/security/cve/CVE-2015-3149
CVE CVE-2015-4000 https://access.redhat.com/security/cve/CVE-2015-4000
CVE CVE-2015-4731 https://access.redhat.com/security/cve/CVE-2015-4731
CVE CVE-2015-4732 https://access.redhat.com/security/cve/CVE-2015-4732
CVE CVE-2015-4733 https://access.redhat.com/security/cve/CVE-2015-4733
CVE CVE-2015-4748 https://access.redhat.com/security/cve/CVE-2015-4748
CVE CVE-2015-4749 https://access.redhat.com/security/cve/CVE-2015-4749
CVE CVE-2015-4760 https://access.redhat.com/security/cve/CVE-2015-4760
Type Package URL Namespace Name / Product Version Distribution / Platform Arch
Affected pkg:rpm/redhat/java-1.8.0-openjdk?arch=x86_64&distro=redhat-6.6 redhat java-1.8.0-openjdk < 1.8.0.51-0.b16.el6_6 redhat-6.6 x86_64
Affected pkg:rpm/redhat/java-1.8.0-openjdk?arch=i686&distro=redhat-6.6 redhat java-1.8.0-openjdk < 1.8.0.51-0.b16.el6_6 redhat-6.6 i686
Affected pkg:rpm/redhat/java-1.8.0-openjdk-src?arch=x86_64&distro=redhat-6.6 redhat java-1.8.0-openjdk-src < 1.8.0.51-0.b16.el6_6 redhat-6.6 x86_64
Affected pkg:rpm/redhat/java-1.8.0-openjdk-src?arch=i686&distro=redhat-6.6 redhat java-1.8.0-openjdk-src < 1.8.0.51-0.b16.el6_6 redhat-6.6 i686
Affected pkg:rpm/redhat/java-1.8.0-openjdk-javadoc?distro=redhat-6.6 redhat java-1.8.0-openjdk-javadoc < 1.8.0.51-0.b16.el6_6 redhat-6.6
Affected pkg:rpm/redhat/java-1.8.0-openjdk-headless?arch=x86_64&distro=redhat-6.6 redhat java-1.8.0-openjdk-headless < 1.8.0.51-0.b16.el6_6 redhat-6.6 x86_64
Affected pkg:rpm/redhat/java-1.8.0-openjdk-headless?arch=i686&distro=redhat-6.6 redhat java-1.8.0-openjdk-headless < 1.8.0.51-0.b16.el6_6 redhat-6.6 i686
Affected pkg:rpm/redhat/java-1.8.0-openjdk-devel?arch=x86_64&distro=redhat-6.6 redhat java-1.8.0-openjdk-devel < 1.8.0.51-0.b16.el6_6 redhat-6.6 x86_64
Affected pkg:rpm/redhat/java-1.8.0-openjdk-devel?arch=i686&distro=redhat-6.6 redhat java-1.8.0-openjdk-devel < 1.8.0.51-0.b16.el6_6 redhat-6.6 i686
Affected pkg:rpm/redhat/java-1.8.0-openjdk-demo?arch=x86_64&distro=redhat-6.6 redhat java-1.8.0-openjdk-demo < 1.8.0.51-0.b16.el6_6 redhat-6.6 x86_64
Affected pkg:rpm/redhat/java-1.8.0-openjdk-demo?arch=i686&distro=redhat-6.6 redhat java-1.8.0-openjdk-demo < 1.8.0.51-0.b16.el6_6 redhat-6.6 i686
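A check against the table above, as an added example (not Red Hat tooling): it compares an installed java-1.8.0-openjdk build with the fixed build `1.8.0.51-0.b16.el6_6` using rpm's version-comparison rules. Assumptions: the `~` and `^` pre/post-release markers do not occur in these versions, and the older installed versions in the test are constructed.

```python
import re

# Added example, not Red Hat tooling: decide whether an installed
# java-1.8.0-openjdk build predates the fixed build listed above for
# redhat-6.6, using rpm's version-comparison rules ('~'/'^' markers
# are assumed absent). Input is what this command prints:
#   rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' java-1.8.0-openjdk

FIXED_EVR = "1.8.0.51-0.b16.el6_6"        # from the affected-packages table
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")    # rpm ignores separator characters

def rpmvercmp(a, b):
    """Compare two version or release strings like rpm: returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:                # a numeric segment is newer than an alpha one
            return 1 if x_num else -1
        if x_num:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):          # more significant digits wins
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0                          # only separators differed, e.g. 1.0 vs 1_0
    return 1 if len(sa) > len(sb) else -1 # whichever still has segments left wins

def split_evr(evr):
    """Split 'epoch:version-release'; a missing or '(none)' epoch counts as 0."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    epoch = "0" if epoch == "(none)" else epoch
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def evr_cmp(a, b):
    (ea, va, ra), (eb, vb, rb) = split_evr(a), split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def is_affected(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed build is older than the fixed build. The table gives
    version-release without an epoch, so the installed epoch is ignored in that case."""
    if ":" not in fixed_evr:
        installed_evr = installed_evr.partition(":")[2] or installed_evr
    return evr_cmp(installed_evr, fixed_evr) < 0
```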