Red Hat Product Errata RHSA-2018:3003 - Security Advisory

Issued:: 2018-10-24
Updated:: 2018-10-24

RHSA-2018:3003 - Security Advisory

Overview
Updated Packages

Synopsis

Critical: java-1.8.0-oracle security update

Type/Severity

Security Advisory: Critical

Topic

An update for java-1.8.0-oracle is now available for Oracle Java for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Oracle Java SE version 8 includes the Oracle Java Runtime Environment and the Oracle Java Software Development Kit.

This update upgrades Oracle Java SE 8 to version 8 Update 191.

Security Fix(es):

OpenJDK: Improper field access checks (Hotspot, 8199226) (CVE-2018-3169)
OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936) (CVE-2018-3183)
Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX) (CVE-2018-3209)
OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177) (CVE-2018-3149)
OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534) (CVE-2018-3136)
OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902) (CVE-2018-3139)
OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613) (CVE-2018-3180)
Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1 (Serviceability) (CVE-2018-3211)
OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361) (CVE-2018-3214)
libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service (CVE-2018-13785)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of Oracle Java must be restarted for this update to take effect.

Affected Products

Oracle Java (Restricted Maintenance) (for RHEL Server) 6 x86_64
Oracle Java (Restricted Maintenance) (for RHEL Server) 6 i386
Oracle Java (Restricted Maintenance) (for RHEL Client) 6 x86_64
Oracle Java (Restricted Maintenance) (for RHEL Client) 6 i386
Oracle Java (Restricted Maintenance) (for RHEL Compute Node) 6 x86_64
Oracle Java (Restricted Maintenance) (for RHEL Workstation) 6 x86_64
Oracle Java (Restricted Maintenance) (for RHEL Workstation) 6 i386

Fixes

BZ - 1599943 - CVE-2018-13785 libpng: Integer overflow and resultant divide-by-zero in pngrutil.c:png_check_chunk_length() allows for denial of service
BZ - 1639268 - CVE-2018-3183 OpenJDK: Unrestricted access to scripting engine (Scripting, 8202936)
BZ - 1639293 - CVE-2018-3169 OpenJDK: Improper field access checks (Hotspot, 8199226)
BZ - 1639301 - CVE-2018-3214 OpenJDK: Infinite loop in RIFF format reader (Sound, 8205361)
BZ - 1639442 - CVE-2018-3139 OpenJDK: Leak of sensitive header data via HTTP redirect (Networking, 8196902)
BZ - 1639484 - CVE-2018-3180 OpenJDK: Missing endpoint identification algorithm check during TLS session resumption (JSSE, 8202613)
BZ - 1639755 - CVE-2018-3136 OpenJDK: Incorrect handling of unsigned attributes in signed Jar manifests (Security, 8194534)
BZ - 1639834 - CVE-2018-3149 OpenJDK: Incomplete enforcement of the trustURLCodebase restriction (JNDI, 8199177)
BZ - 1639904 - CVE-2018-3209 Oracle JDK: unspecified vulnerability fixed in 8u191 (JavaFX)
BZ - 1639906 - CVE-2018-3211 Oracle JDK: unspecified vulnerability fixed in 8u191 and 11.0.1 (Serviceability)

CVEs

References

https://access.redhat.com/security/updates/classification/#critical

Note: More recent versions of these packages may be available. Click a package name for more details.

Oracle Java (Restricted Maintenance) (for RHEL Server) 6

SRPM
x86_64
java-1.8.0-oracle-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 2dce8ac9b0f2811b95a18434afdb92b48dbc9d39dd0bbfa00460d5b0193088df
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: ced4e19a3f26776f62ecdab06070d0a8d642bc8178d26fab01bfba79cad7584b
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 6466e3af137a617036cc25c27e02bd222e0bff9c1b634d0fa53a2f668c6f5be4
java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 5bef6d72cd10113e34f1be53794a727e8a5505b4646f85c539235539f7a33f96
java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: b83ee4f5eb0ab1566e633c6e4ff2cae9c95b02e8c4a8b3107c747bcb698a13f5
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 7f7123d7b4c86899f8784c4e8a4d71b53a496c06586c4d71dc8b58500142a7d5
i386
java-1.8.0-oracle-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: e95dd595d456f1a1e0b8281d0a7a7b1f20f85eaa3e262bac515cdce7ec781c8e
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: 86005b479c7213a8fc5c9f3634811fd190929d23b7110e0ef9e35abcf8918f34
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: 6a2c319631ec69aa358cc8a8a689b873c1474660900dcabc038443c8d61a1221
java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: a6c47765fa0e62dd625ddda5f4e76f93be119644f20626c3e2debf94c0c60b7b
java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: b65c51956c2f052253026e361d8b6c9c4332acfd734d9276b3cb2af69b245cc2
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: f6624cfd2d8afde6d74bcffed1a7a7765f5e1073d81cfd7b3e83297e93c1b16a

Oracle Java (Restricted Maintenance) (for RHEL Client) 6

SRPM
x86_64
java-1.8.0-oracle-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 2dce8ac9b0f2811b95a18434afdb92b48dbc9d39dd0bbfa00460d5b0193088df
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: ced4e19a3f26776f62ecdab06070d0a8d642bc8178d26fab01bfba79cad7584b
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 6466e3af137a617036cc25c27e02bd222e0bff9c1b634d0fa53a2f668c6f5be4
java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 5bef6d72cd10113e34f1be53794a727e8a5505b4646f85c539235539f7a33f96
java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: b83ee4f5eb0ab1566e633c6e4ff2cae9c95b02e8c4a8b3107c747bcb698a13f5
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 7f7123d7b4c86899f8784c4e8a4d71b53a496c06586c4d71dc8b58500142a7d5
i386
java-1.8.0-oracle-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: e95dd595d456f1a1e0b8281d0a7a7b1f20f85eaa3e262bac515cdce7ec781c8e
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: 86005b479c7213a8fc5c9f3634811fd190929d23b7110e0ef9e35abcf8918f34
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: 6a2c319631ec69aa358cc8a8a689b873c1474660900dcabc038443c8d61a1221
java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: a6c47765fa0e62dd625ddda5f4e76f93be119644f20626c3e2debf94c0c60b7b
java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: b65c51956c2f052253026e361d8b6c9c4332acfd734d9276b3cb2af69b245cc2
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: f6624cfd2d8afde6d74bcffed1a7a7765f5e1073d81cfd7b3e83297e93c1b16a

Oracle Java (Restricted Maintenance) (for RHEL Compute Node) 6

SRPM
x86_64
java-1.8.0-oracle-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 2dce8ac9b0f2811b95a18434afdb92b48dbc9d39dd0bbfa00460d5b0193088df
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: ced4e19a3f26776f62ecdab06070d0a8d642bc8178d26fab01bfba79cad7584b
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 6466e3af137a617036cc25c27e02bd222e0bff9c1b634d0fa53a2f668c6f5be4
java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 5bef6d72cd10113e34f1be53794a727e8a5505b4646f85c539235539f7a33f96
java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: b83ee4f5eb0ab1566e633c6e4ff2cae9c95b02e8c4a8b3107c747bcb698a13f5
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 7f7123d7b4c86899f8784c4e8a4d71b53a496c06586c4d71dc8b58500142a7d5

Oracle Java (Restricted Maintenance) (for RHEL Workstation) 6

SRPM
x86_64
java-1.8.0-oracle-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 2dce8ac9b0f2811b95a18434afdb92b48dbc9d39dd0bbfa00460d5b0193088df
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: ced4e19a3f26776f62ecdab06070d0a8d642bc8178d26fab01bfba79cad7584b
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 6466e3af137a617036cc25c27e02bd222e0bff9c1b634d0fa53a2f668c6f5be4
java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 5bef6d72cd10113e34f1be53794a727e8a5505b4646f85c539235539f7a33f96
java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: b83ee4f5eb0ab1566e633c6e4ff2cae9c95b02e8c4a8b3107c747bcb698a13f5
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el6.x86_64.rpm	SHA-256: 7f7123d7b4c86899f8784c4e8a4d71b53a496c06586c4d71dc8b58500142a7d5
i386
java-1.8.0-oracle-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: e95dd595d456f1a1e0b8281d0a7a7b1f20f85eaa3e262bac515cdce7ec781c8e
java-1.8.0-oracle-devel-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: 86005b479c7213a8fc5c9f3634811fd190929d23b7110e0ef9e35abcf8918f34
java-1.8.0-oracle-javafx-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: 6a2c319631ec69aa358cc8a8a689b873c1474660900dcabc038443c8d61a1221
java-1.8.0-oracle-jdbc-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: a6c47765fa0e62dd625ddda5f4e76f93be119644f20626c3e2debf94c0c60b7b
java-1.8.0-oracle-plugin-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: b65c51956c2f052253026e361d8b6c9c4332acfd734d9276b3cb2af69b245cc2
java-1.8.0-oracle-src-1.8.0.191-1jpp.1.el6.i686.rpm	SHA-256: f6624cfd2d8afde6d74bcffed1a7a7765f5e1073d81cfd7b3e83297e93c1b16a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories