Red Hat Product Errata RHSA-2018:3002 - Security Advisory

Issued:: 2018-10-24
Updated:: 2018-10-24

RHSA-2018:3002 - Security Advisory

Overview
Updated Packages

Synopsis

Critical: java-1.8.0-oracle security update

Type/Severity

Security Advisory: Critical

Topic

An update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update upgrades Oracle Java SE 8 to version 8 Update 191.

Security Fix(es):

OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169)
OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183)
Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX) (CVE-2018-3209)
OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149)
OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136)
OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139)
OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180)
Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1 (Serviceability) (CVE-2018-3211)
OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214)
libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service (CVE-2018-13785)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Oracle Java must be restarted for this update to take effect.

Affected Products

Oracle Java (Restricted Maintenance) (for RHEL Server) 7 x86_64
Oracle Java (Restricted Maintenance) (for RHEL Client) 7 x86_64
Oracle Java (Restricted Maintenance) (for RHEL Compute Node) 7 x86_64
Oracle Java (Restricted Maintenance) (for RHEL Workstation) 7 x86_64
Oracle Java (Restricted Maintenance) (for RHEL Compute Node) - Extended Update Support 7.5 x86_64
Oracle Java (Restricted Maintenance) (for RHEL Server) - Extended Update Support 7.5 x86_64

Fixes

BZ - 1599943 - CVE-2018-13785 libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service
BZ - 1639268 - CVE-2018-3183 OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936)
BZ - 1639293 - CVE-2018-3169 OpenJDK: Improper field access checks (Hotspot, 8199226)
BZ - 1639301 - CVE-2018-3214 OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361)
BZ - 1639442 - CVE-2018-3139 OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902)
BZ - 1639484 - CVE-2018-3180 OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613)
BZ - 1639755 - CVE-2018-3136 OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534)
BZ - 1639834 - CVE-2018-3149 OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177)
BZ - 1639904 - CVE-2018-3209 Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX)
BZ - 1639906 - CVE-2018-3211 Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1 (Serviceability)

CVEs

References

https://access.redhat.com/security/updates/classification/#critical

Note: More recent versions of these packages may be available. Click a package name for more details.

Oracle Java (Restricted Maintenance) (for RHEL Server) 7

SRPM
x86_64
java-1.8.0-oracle-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 815804e31de1623180ef604644941b9e9c0235c8e8bdd37f3c5d07f8d8b38221
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: c3ffedac4d5addfb23711ac8376b98a08a85cbaf77796cc1175f303dc0858d40
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: df051c7ec6bce47ff48f382bd69e464cd5052a2e9167d9c03f77ed1f7596349f
java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 5091d7f0f789e436f40311b5a9b6e8e90d8e9902fddfb66dc8942041b1e9cb35
java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: ea5096f85ad6251fb7ce2c1255e31de369643cf8bbfca9667a29d86089b6b709
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 5a4d9cccc1dd14dee8318abec741d5f555bd52dc741dbab87519a7002fab1109

Oracle Java (Restricted Maintenance) (for RHEL Client) 7

SRPM
x86_64
java-1.8.0-oracle-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 815804e31de1623180ef604644941b9e9c0235c8e8bdd37f3c5d07f8d8b38221
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: c3ffedac4d5addfb23711ac8376b98a08a85cbaf77796cc1175f303dc0858d40
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: df051c7ec6bce47ff48f382bd69e464cd5052a2e9167d9c03f77ed1f7596349f
java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 5091d7f0f789e436f40311b5a9b6e8e90d8e9902fddfb66dc8942041b1e9cb35
java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: ea5096f85ad6251fb7ce2c1255e31de369643cf8bbfca9667a29d86089b6b709
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 5a4d9cccc1dd14dee8318abec741d5f555bd52dc741dbab87519a7002fab1109

Oracle Java (Restricted Maintenance) (for RHEL Compute Node) 7

SRPM
x86_64
java-1.8.0-oracle-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 815804e31de1623180ef604644941b9e9c0235c8e8bdd37f3c5d07f8d8b38221
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: c3ffedac4d5addfb23711ac8376b98a08a85cbaf77796cc1175f303dc0858d40
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: df051c7ec6bce47ff48f382bd69e464cd5052a2e9167d9c03f77ed1f7596349f
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 5a4d9cccc1dd14dee8318abec741d5f555bd52dc741dbab87519a7002fab1109

Oracle Java (Restricted Maintenance) (for RHEL Workstation) 7

SRPM
x86_64
java-1.8.0-oracle-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 815804e31de1623180ef604644941b9e9c0235c8e8bdd37f3c5d07f8d8b38221
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: c3ffedac4d5addfb23711ac8376b98a08a85cbaf77796cc1175f303dc0858d40
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: df051c7ec6bce47ff48f382bd69e464cd5052a2e9167d9c03f77ed1f7596349f
java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 5091d7f0f789e436f40311b5a9b6e8e90d8e9902fddfb66dc8942041b1e9cb35
java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: ea5096f85ad6251fb7ce2c1255e31de369643cf8bbfca9667a29d86089b6b709
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 5a4d9cccc1dd14dee8318abec741d5f555bd52dc741dbab87519a7002fab1109

Oracle Java (Restricted Maintenance) (for RHEL Compute Node) - Extended Update Support 7.5

SRPM
x86_64
java-1.8.0-oracle-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 815804e31de1623180ef604644941b9e9c0235c8e8bdd37f3c5d07f8d8b38221
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: c3ffedac4d5addfb23711ac8376b98a08a85cbaf77796cc1175f303dc0858d40
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: df051c7ec6bce47ff48f382bd69e464cd5052a2e9167d9c03f77ed1f7596349f
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 5a4d9cccc1dd14dee8318abec741d5f555bd52dc741dbab87519a7002fab1109

Oracle Java (Restricted Maintenance) (for RHEL Server) - Extended Update Support 7.5

SRPM
x86_64
java-1.8.0-oracle-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 815804e31de1623180ef604644941b9e9c0235c8e8bdd37f3c5d07f8d8b38221
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: c3ffedac4d5addfb23711ac8376b98a08a85cbaf77796cc1175f303dc0858d40
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: df051c7ec6bce47ff48f382bd69e464cd5052a2e9167d9c03f77ed1f7596349f
java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 5091d7f0f789e436f40311b5a9b6e8e90d8e9902fddfb66dc8942041b1e9cb35
java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: ea5096f85ad6251fb7ce2c1255e31de369643cf8bbfca9667a29d86089b6b709
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el7.x86_64.rpm	SHA-256: 5a4d9cccc1dd14dee8318abec741d5f555bd52dc741dbab87519a7002fab1109

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories