Red Hat Product Errata RHSA-2020:2237 - Security Advisory
Issued:
2020-05-20
Updated:
2020-05-20


Synopsis

Important: java-1.8.0-ibm security update

Type/Severity

Security Advisory: Important

Topic

An update for java-1.8.0-ibm is now available for Red Hat Enterprise Linux 7 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

IBM Java SE version 8 includes the IBM Java Runtime Environment and the IBM Java Software Development Kit.

This update upgrades IBM Java SE 8 to version 8 SR6-FP10.

Security Fix(es):

  • OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302) (CVE-2019-2949)
  • OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841) (CVE-2020-2803)
  • OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274) (CVE-2020-2805)
  • OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037) (CVE-2020-2654)
  • OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408) (CVE-2020-2781)
  • OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825) (CVE-2020-2800)
  • OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201) (CVE-2020-2830)
  • OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898) (CVE-2020-2754)
  • OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904) (CVE-2020-2755)
  • OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541) (CVE-2020-2756)
  • OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549) (CVE-2020-2757)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

All running instances of IBM Java must be restarted for this update to take effect.

Affected Products

  • Red Hat Enterprise Linux Server 7 x86_64
  • Red Hat Enterprise Linux Workstation 7 x86_64
  • Red Hat Enterprise Linux Desktop 7 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 7 s390x
  • Red Hat Enterprise Linux for Power, big endian 7 ppc64
  • Red Hat Enterprise Linux for Scientific Computing 7 x86_64
  • Red Hat Enterprise Linux for Power, little endian 7 ppc64le

Fixes

  • BZ - 1761594 - CVE-2019-2949 OpenJDK: Improper handling of Kerberos proxy credentials (Kerberos, 8220302)
  • BZ - 1791217 - CVE-2020-2654 OpenJDK: Excessive memory usage in OID processing in X.509 certificate parsing (Libraries, 8234037)
  • BZ - 1823199 - CVE-2020-2754 OpenJDK: Misplaced regular expression syntax error check in RegExpScanner (Scripting, 8223898)
  • BZ - 1823200 - CVE-2020-2755 OpenJDK: Incorrect handling of empty string nodes in regular expression Parser (Scripting, 8223904)
  • BZ - 1823215 - CVE-2020-2756 OpenJDK: Incorrect handling of references to uninitialized class descriptors during deserialization (Serialization, 8224541)
  • BZ - 1823216 - CVE-2020-2757 OpenJDK: Uncaught InstantiationError exception in ObjectStreamClass (Serialization, 8224549)
  • BZ - 1823527 - CVE-2020-2800 OpenJDK: CRLF injection into HTTP headers in HttpServer (Lightweight HTTP Server, 8234825)
  • BZ - 1823542 - CVE-2020-2830 OpenJDK: Regular expression DoS in Scanner (Concurrency, 8236201)
  • BZ - 1823694 - CVE-2020-2803 OpenJDK: Incorrect bounds checks in NIO Buffers (Libraries, 8234841)
  • BZ - 1823844 - CVE-2020-2805 OpenJDK: Incorrect type checks in MethodType.readObject() (Libraries, 8235274)
  • BZ - 1823960 - CVE-2020-2781 OpenJDK: Re-use of single TLS session for new connections (JSSE, 8234408)

CVEs

  • CVE-2019-2949
  • CVE-2020-2654
  • CVE-2020-2754
  • CVE-2020-2755
  • CVE-2020-2756
  • CVE-2020-2757
  • CVE-2020-2781
  • CVE-2020-2800
  • CVE-2020-2803
  • CVE-2020-2805
  • CVE-2020-2830

References

  • https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
