Issued:
2018-04-23
Updated:
2018-04-23

RHSA-2018:1202 - Security Advisory

Synopsis

Critical: java-1.8.0-oracle security update

Type/Severity

Security Advisory: Critical

Topic

An update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update upgrades Oracle Java SE 8 to version 8 Update 171.

Security Fix(es):

  • OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025) (CVE-2018-2814)
  • OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997) (CVE-2018-2794)
  • Oracle JDK: unspecified vulnerability fixed in 8u171 and 10.0.1 (Install) (CVE-2018-2811)
  • OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977) (CVE-2018-2795)
  • OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981) (CVE-2018-2796)
  • OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985) (CVE-2018-2797)
  • OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989) (CVE-2018-2798)
  • OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993) (CVE-2018-2799)
  • OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833) (CVE-2018-2800)
  • OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757) (CVE-2018-2815)
  • OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969) (CVE-2018-2790)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Oracle Java must be restarted for this update to take effect.

Affected Products

  • Oracle Java (Restricted Maintenance) (for RHEL Server) 6 x86_64
  • Oracle Java (Restricted Maintenance) (for RHEL Server) 6 i386
  • Oracle Java (Restricted Maintenance) (for RHEL Client) 6 x86_64
  • Oracle Java (Restricted Maintenance) (for RHEL Client) 6 i386
  • Oracle Java (Restricted Maintenance) (for RHEL Compute Node) 6 x86_64
  • Oracle Java (Restricted Maintenance) (for RHEL Workstation) 6 x86_64
  • Oracle Java (Restricted Maintenance) (for RHEL Workstation) 6 i386

Fixes

  • BZ - 1567121 - CVE-2018-2814 OpenJDK: incorrect handling of Reference clones can lead to sandbox bypass (Hotspot, 8192025)
  • BZ - 1567126 - CVE-2018-2794 OpenJDK: unrestricted deserialization of data from JCEKS key stores (Security, 8189997)
  • BZ - 1567351 - CVE-2018-2795 OpenJDK: insufficient consistency checks in deserialization of multiple classes (Security, 8189977)
  • BZ - 1567537 - CVE-2018-2815 OpenJDK: unbounded memory allocation during deserialization in StubIORImpl (Serialization, 8192757)
  • BZ - 1567542 - CVE-2018-2799 OpenJDK: unbounded memory allocation during deserialization in NamedNodeMapImpl (JAXP, 8189993)
  • BZ - 1567543 - CVE-2018-2798 OpenJDK: unbounded memory allocation during deserialization in Container (AWT, 8189989)
  • BZ - 1567545 - CVE-2018-2797 OpenJDK: unbounded memory allocation during deserialization in TabularDataSupport (JMX, 8189985)
  • BZ - 1567546 - CVE-2018-2796 OpenJDK: unbounded memory allocation during deserialization in PriorityBlockingQueue (Concurrency, 8189981)
  • BZ - 1568163 - CVE-2018-2800 OpenJDK: RMI HTTP transport enabled by default (RMI, 8193833)
  • BZ - 1568515 - CVE-2018-2790 OpenJDK: incorrect merging of sections in the JAR manifest (Security, 8189969)
  • BZ - 1569203 - CVE-2018-2811 Oracle JDK: unspecified vulnerability fixed in 8u171 and 10.0.1 (Install)

CVEs

References

Oracle Java (Restricted Maintenance) (for RHEL Server) 6

SRPM
x86_64
java-1.8.0-oracle-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 96a3c331381eac3e26330a1ea63daed181979c0518f88f61af1a3d6706267730
java-1.8.0-oracle-devel-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: d713760c763ef84c4223c69bcd8671f9ce4ed06395dac4b2f68d537c5fea4735
java-1.8.0-oracle-javafx-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 7949c0c433ce679f751041cdad3835ccb4f15a755955fae5cf4df4608efb82dc
java-1.8.0-oracle-jdbc-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: e348b21c44c4f5535ee40930fbe5cc4ef76fdc73f8f30e062a615f4d69919c11
java-1.8.0-oracle-plugin-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 7a50a73832877d2d9a7b86f9de49b752e8ec3811bcde835a82a99a289e6c380a
java-1.8.0-oracle-src-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: b4767c4a2fbf4daba2a89be8c6aa218aef5b245f16981290765c954597ac7e99
i386
java-1.8.0-oracle-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 2f76f9e7cf30b5ff352bcf5cc8ca20bfd1df9d3dba4d04b7f2ee3223838c6f04
java-1.8.0-oracle-devel-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 6120b410c27cfe3e3d9bc6fe711f098838d16448bdcd45e65efc44596b5b6358
java-1.8.0-oracle-javafx-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 27e544e5c1fd3653fdc1170ab4220bb2d03d1702281f2ae405311d6e7d9d0440
java-1.8.0-oracle-jdbc-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 69ac8b3d83e83cd46852493b4d52cb5f760a19ad329d0fecd15f3bcdca9c2e03
java-1.8.0-oracle-plugin-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: f64b3a602022c588d63fd1ded8362357f5b2ce7323507a76729012a430928718
java-1.8.0-oracle-src-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 93ef72633f777ecc470ca7e43eb9f16c7a6922fa3d882f761c2f77a4e204e4db

Oracle Java (Restricted Maintenance) (for RHEL Client) 6

SRPM
x86_64
java-1.8.0-oracle-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 96a3c331381eac3e26330a1ea63daed181979c0518f88f61af1a3d6706267730
java-1.8.0-oracle-devel-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: d713760c763ef84c4223c69bcd8671f9ce4ed06395dac4b2f68d537c5fea4735
java-1.8.0-oracle-javafx-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 7949c0c433ce679f751041cdad3835ccb4f15a755955fae5cf4df4608efb82dc
java-1.8.0-oracle-jdbc-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: e348b21c44c4f5535ee40930fbe5cc4ef76fdc73f8f30e062a615f4d69919c11
java-1.8.0-oracle-plugin-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 7a50a73832877d2d9a7b86f9de49b752e8ec3811bcde835a82a99a289e6c380a
java-1.8.0-oracle-src-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: b4767c4a2fbf4daba2a89be8c6aa218aef5b245f16981290765c954597ac7e99
i386
java-1.8.0-oracle-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 2f76f9e7cf30b5ff352bcf5cc8ca20bfd1df9d3dba4d04b7f2ee3223838c6f04
java-1.8.0-oracle-devel-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 6120b410c27cfe3e3d9bc6fe711f098838d16448bdcd45e65efc44596b5b6358
java-1.8.0-oracle-javafx-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 27e544e5c1fd3653fdc1170ab4220bb2d03d1702281f2ae405311d6e7d9d0440
java-1.8.0-oracle-jdbc-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 69ac8b3d83e83cd46852493b4d52cb5f760a19ad329d0fecd15f3bcdca9c2e03
java-1.8.0-oracle-plugin-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: f64b3a602022c588d63fd1ded8362357f5b2ce7323507a76729012a430928718
java-1.8.0-oracle-src-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 93ef72633f777ecc470ca7e43eb9f16c7a6922fa3d882f761c2f77a4e204e4db

Oracle Java (Restricted Maintenance) (for RHEL Compute Node) 6

SRPM
x86_64
java-1.8.0-oracle-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 96a3c331381eac3e26330a1ea63daed181979c0518f88f61af1a3d6706267730
java-1.8.0-oracle-devel-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: d713760c763ef84c4223c69bcd8671f9ce4ed06395dac4b2f68d537c5fea4735
java-1.8.0-oracle-javafx-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 7949c0c433ce679f751041cdad3835ccb4f15a755955fae5cf4df4608efb82dc
java-1.8.0-oracle-jdbc-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: e348b21c44c4f5535ee40930fbe5cc4ef76fdc73f8f30e062a615f4d69919c11
java-1.8.0-oracle-plugin-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 7a50a73832877d2d9a7b86f9de49b752e8ec3811bcde835a82a99a289e6c380a
java-1.8.0-oracle-src-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: b4767c4a2fbf4daba2a89be8c6aa218aef5b245f16981290765c954597ac7e99

Oracle Java (Restricted Maintenance) (for RHEL Workstation) 6

SRPM
x86_64
java-1.8.0-oracle-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 96a3c331381eac3e26330a1ea63daed181979c0518f88f61af1a3d6706267730
java-1.8.0-oracle-devel-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: d713760c763ef84c4223c69bcd8671f9ce4ed06395dac4b2f68d537c5fea4735
java-1.8.0-oracle-javafx-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 7949c0c433ce679f751041cdad3835ccb4f15a755955fae5cf4df4608efb82dc
java-1.8.0-oracle-jdbc-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: e348b21c44c4f5535ee40930fbe5cc4ef76fdc73f8f30e062a615f4d69919c11
java-1.8.0-oracle-plugin-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: 7a50a73832877d2d9a7b86f9de49b752e8ec3811bcde835a82a99a289e6c380a
java-1.8.0-oracle-src-1.8.0.171-1jpp.2.el6.x86_64.rpm SHA-256: b4767c4a2fbf4daba2a89be8c6aa218aef5b245f16981290765c954597ac7e99
i386
java-1.8.0-oracle-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 2f76f9e7cf30b5ff352bcf5cc8ca20bfd1df9d3dba4d04b7f2ee3223838c6f04
java-1.8.0-oracle-devel-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 6120b410c27cfe3e3d9bc6fe711f098838d16448bdcd45e65efc44596b5b6358
java-1.8.0-oracle-javafx-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 27e544e5c1fd3653fdc1170ab4220bb2d03d1702281f2ae405311d6e7d9d0440
java-1.8.0-oracle-jdbc-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 69ac8b3d83e83cd46852493b4d52cb5f760a19ad329d0fecd15f3bcdca9c2e03
java-1.8.0-oracle-plugin-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: f64b3a602022c588d63fd1ded8362357f5b2ce7323507a76729012a430928718
java-1.8.0-oracle-src-1.8.0.171-1jpp.2.el6.i686.rpm SHA-256: 93ef72633f777ecc470ca7e43eb9f16c7a6922fa3d882f761c2f77a4e204e4db

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.