CVE-2016-0448
First published: Fri Jan 15 2016(Updated: )
It was discovered that the RMIConnector and RMIConnectionImpl classes in the JMX component of OpenJDK could log sensitive information such as user passwords in its debug log, possibly leading the exposure of the information.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK 6 | =1.6.0-update105 | |
| Oracle JDK 6 | =1.7.0-update91 | |
| Oracle JDK 6 | =1.8.0-update66 | |
| Oracle Java Runtime Environment (JRE) | =1.6.0-update105 | |
| Oracle Java Runtime Environment (JRE) | =1.8.0-update66 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.04 | |
| Ubuntu | =15.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00042.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00043.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00045.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00047.html
- http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00048.html
- http://rhn.redhat.com/errata/RHSA-2016-0049.html
- http://rhn.redhat.com/errata/RHSA-2016-0050.html
- http://rhn.redhat.com/errata/RHSA-2016-0053.html
- http://rhn.redhat.com/errata/RHSA-2016-0054.html
- http://rhn.redhat.com/errata/RHSA-2016-0055.html
- http://rhn.redhat.com/errata/RHSA-2016-0056.html
- http://rhn.redhat.com/errata/RHSA-2016-0057.html
- http://rhn.redhat.com/errata/RHSA-2016-0067.html
- http://www.debian.org/security/2016/dsa-3458
- http://www.debian.org/security/2016/dsa-3465
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
- http://www.securityfocus.com/bid/81123
- http://www.securitytracker.com/id/1034715
- http://www.ubuntu.com/usn/USN-2884-1
- http://www.ubuntu.com/usn/USN-2885-1
- https://access.redhat.com/errata/RHSA-2016:1430
- https://security.gentoo.org/glsa/201603-14
- https://security.gentoo.org/glsa/201610-08
- http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/de1c23d1e964
- https://rhn.redhat.com/errata/RHSA-2016-0050.html
- https://rhn.redhat.com/errata/RHSA-2016-0049.html
- https://rhn.redhat.com/errata/RHSA-2016-0057.html
- https://rhn.redhat.com/errata/RHSA-2016-0056.html
- https://rhn.redhat.com/errata/RHSA-2016-0055.html
- https://rhn.redhat.com/errata/RHSA-2016-0053.html
- https://rhn.redhat.com/errata/RHSA-2016-0054.html
- https://rhn.redhat.com/errata/RHSA-2016-0067.html
- https://rhn.redhat.com/errata/RHSA-2016-0101.html
- https://rhn.redhat.com/errata/RHSA-2016-0100.html
- https://rhn.redhat.com/errata/RHSA-2016-0098.html
- https://rhn.redhat.com/errata/RHSA-2016-0099.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1299073
Frequently Asked Questions
What is the severity of CVE-2016-0448?
CVE-2016-0448 is considered a medium severity vulnerability due to the potential exposure of sensitive information such as user passwords.
How do I fix CVE-2016-0448?
To address CVE-2016-0448, update your Java SE or JDK to a version that has mitigated this logging issue.
Which versions are affected by CVE-2016-0448?
CVE-2016-0448 affects Oracle JDK versions 1.6.0-update105, 1.7.0-update91, 1.8.0-update66, and specific versions of Oracle JRE and Ubuntu Linux.
What components are impacted by CVE-2016-0448?
CVE-2016-0448 impacts the RMIConnector and RMIConnectionImpl classes within the JMX component of OpenJDK.
What information is exposed due to CVE-2016-0448?
CVE-2016-0448 can expose sensitive information such as user passwords via its debug logging feature.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-0448
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/last-modified-date
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/oracle jdk 6
- version/oracle jdk 6/1.6.0-update105
- version/oracle jdk 6/1.7.0-update91
- version/oracle jdk 6/1.8.0-update66
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.6.0-update105
- version/oracle java runtime environment (jre)/1.8.0-update66
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.04
- version/ubuntu/15.10