USN-4257-1

See a problem?

Source

https://ubuntu.com/security/notices/USN-4257-1

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4257-1.json

JSON Data

https://api.osv.dev/v1/vulns/USN-4257-1

Related

Published

2020-01-28T20:03:55.238196Z

Modified

2020-01-28T20:03:55.238196Z

Summary

openjdk-8, openjdk-lts vulnerabilities

Details

It was discovered that OpenJDK incorrectly handled exceptions during deserialization in BeanContextSupport. An attacker could possibly use this issue to cause a denial of service or other unspecified impact. (CVE-2020-2583)

It was discovered that OpenJDK incorrectly validated properties of SASL messages included in Kerberos GSSAPI. An unauthenticated remote attacker with network access via Kerberos could possibly use this issue to insert, modify or obtain sensitive information. (CVE-2020-2590)

It was discovered that OpenJDK incorrectly validated URLs. An attacker could possibly use this issue to insert, edit or obtain sensitive information. (CVE-2020-2593)

It was discovered that OpenJDK Security component still used MD5 algorithm. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2020-2601)

It was discovered that OpenJDK incorrectly handled the application of serialization filters. An attacker could possibly use this issue to bypass the intended filter during serialization. (CVE-2020-2604)

Bo Zhang and Long Kuan discovered that OpenJDK incorrectly handled X.509 certificates. An attacker could possibly use this issue to cause a denial of service. (CVE-2020-2654)

Bengt Jonsson, Juraj Somorovsky, Kostis Sagonas, Paul Fiterau Brostean and Robert Merget discovered that OpenJDK incorrectly handled CertificateVerify TLS handshake messages. A remote attacker could possibly use this issue to insert, edit or obtain sensitive information. This issue only affected OpenJDK 11. (CVE-2020-2655)

It was discovered that OpenJDK incorrectly enforced the limit of datagram sockets that can be created by a code running within a Java sandbox. An attacker could possibly use this issue to bypass the sandbox restrictions causing a denial of service. This issue only affected OpenJDK 8. (CVE-2020-2659)

References

Affected packages

Ubuntu:16.04:LTS / openjdk-8

Package

Name: openjdk-8
Purl: pkg:deb/ubuntu/openjdk-8@8u242-b08-0ubuntu3~16.04?arch=src?distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8u242-b08-0ubuntu3~16.04

Affected versions

Other

8u66-b01-5

8u72-b05-1ubuntu1

8u72-b05-5

8u72-b05-6

8u72-b15-1

8u72-b15-2ubuntu1

8u72-b15-2ubuntu3

8u72-b15-3ubuntu1

8u77-b03-1ubuntu2

8u77-b03-3ubuntu1

8u77-b03-3ubuntu2

8u77-b03-3ubuntu3

8u91-b14-0ubuntu4~16.*

8u91-b14-0ubuntu4~16.04.1

8u91-b14-3ubuntu1~16.*

8u91-b14-3ubuntu1~16.04.1

8u111-b14-2ubuntu0.*

8u111-b14-2ubuntu0.16.04.2

8u121-b13-0ubuntu1.*

8u121-b13-0ubuntu1.16.04.2

8u131-b11-0ubuntu1.*

8u131-b11-0ubuntu1.16.04.2

8u131-b11-2ubuntu1.*

8u131-b11-2ubuntu1.16.04.2

8u131-b11-2ubuntu1.16.04.3

8u151-b12-0ubuntu0.*

8u151-b12-0ubuntu0.16.04.2

8u162-b12-0ubuntu0.*

8u162-b12-0ubuntu0.16.04.2

8u171-b11-0ubuntu0.*

8u171-b11-0ubuntu0.16.04.1

8u181-b13-0ubuntu0.*

8u181-b13-0ubuntu0.16.04.1

8u181-b13-1ubuntu0.*

8u181-b13-1ubuntu0.16.04.1

8u191-b12-0ubuntu0.*

8u191-b12-0ubuntu0.16.04.1

8u191-b12-2ubuntu0.*

8u191-b12-2ubuntu0.16.04.1

8u212-b03-0ubuntu1.*

8u212-b03-0ubuntu1.16.04.1

8u222-b10-1ubuntu1~16.*

8u222-b10-1ubuntu1~16.04.1

8u232-b09-0ubuntu1~16.*

8u232-b09-0ubuntu1~16.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "openjdk-8-jre-jamvm": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-doc": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-dbg": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-jdk-headless": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-demo": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-jre-zero": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-jre-dbgsym": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-source": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-jre-headless": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-jre-headless-dbgsym": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-jdk": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-jre": "8u242-b08-0ubuntu3~16.04",
            "openjdk-8-demo-dbgsym": "8u242-b08-0ubuntu3~16.04"
        }
    ]
}

Ubuntu:18.04:LTS / openjdk-8

Package

Name: openjdk-8
Purl: pkg:deb/ubuntu/openjdk-8@8u242-b08-0ubuntu3~18.04?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8u242-b08-0ubuntu3~18.04

Affected versions

Other

8u144-b01-2

8u151-b12-1

8u162-b12-1

8u171-b11-0ubuntu0.*

8u171-b11-0ubuntu0.18.04.1

8u181-b13-0ubuntu0.*

8u181-b13-0ubuntu0.18.04.1

8u181-b13-1ubuntu0.*

8u181-b13-1ubuntu0.18.04.1

8u191-b12-0ubuntu0.*

8u191-b12-0ubuntu0.18.04.1

8u191-b12-2ubuntu0.*

8u191-b12-2ubuntu0.18.04.1

8u212-b03-0ubuntu1.*

8u212-b03-0ubuntu1.18.04.1

8u222-b10-1ubuntu1~18.*

8u222-b10-1ubuntu1~18.04.1

8u232-b09-0ubuntu1~18.*

8u232-b09-0ubuntu1~18.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "openjdk-8-dbg": "8u242-b08-0ubuntu3~18.04",
            "openjdk-8-jdk-headless": "8u242-b08-0ubuntu3~18.04",
            "openjdk-8-demo": "8u242-b08-0ubuntu3~18.04",
            "openjdk-8-jre-zero": "8u242-b08-0ubuntu3~18.04",
            "openjdk-8-jre-headless": "8u242-b08-0ubuntu3~18.04",
            "openjdk-8-source": "8u242-b08-0ubuntu3~18.04",
            "openjdk-8-jdk": "8u242-b08-0ubuntu3~18.04",
            "openjdk-8-jre": "8u242-b08-0ubuntu3~18.04",
            "openjdk-8-doc": "8u242-b08-0ubuntu3~18.04"
        }
    ]
}

Ubuntu:18.04:LTS / openjdk-lts

Package

Name: openjdk-lts
Purl: pkg:deb/ubuntu/openjdk-lts@11.0.6+10-1ubuntu1~18.04.1?arch=src?distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

11.0.6+10-1ubuntu1~18.04.1

Affected versions

9.*

9.0.4+12-2ubuntu4

9.0.4+12-4ubuntu1

Other

10~46-4ubuntu1

10~46-5ubuntu1

10.*

10.0.1+10-1ubuntu2

10.0.1+10-3ubuntu1

10.0.2+13-1ubuntu0.18.04.1

10.0.2+13-1ubuntu0.18.04.2

10.0.2+13-1ubuntu0.18.04.3

10.0.2+13-1ubuntu0.18.04.4

11.*

11.0.2+9-3ubuntu1~18.04.3

11.0.3+7-1ubuntu2~18.04.1

11.0.4+11-1ubuntu2~18.04.3

11.0.5+10-0ubuntu1.1~18.04

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "openjdk-11-dbg": "11.0.6+10-1ubuntu1~18.04.1",
            "openjdk-11-demo": "11.0.6+10-1ubuntu1~18.04.1",
            "openjdk-11-source": "11.0.6+10-1ubuntu1~18.04.1",
            "openjdk-11-jdk": "11.0.6+10-1ubuntu1~18.04.1",
            "openjdk-11-doc": "11.0.6+10-1ubuntu1~18.04.1",
            "openjdk-11-jdk-headless": "11.0.6+10-1ubuntu1~18.04.1",
            "openjdk-11-jre-zero": "11.0.6+10-1ubuntu1~18.04.1",
            "openjdk-11-jre": "11.0.6+10-1ubuntu1~18.04.1",
            "openjdk-11-jre-headless": "11.0.6+10-1ubuntu1~18.04.1"
        }
    ]
}