CVE-2016-5542
First published: Mon Oct 17 2016(Updated: )
It was discovered that the Libraries component of OpenJDK did not allow users to restrict the set of algorithms allowed for Jar integrity verification. This flaw could allow an attacker to modify content of the Jar file that used weak signing key or hash algorithm. The fix for this issue adds new security property - jdk.jar.disabledAlgorithms - which defines a set of algorithms not allowed to be used during Jar verification. MD2 hash algorithm and RSA keys with less than 1024 bits are disabled by default. Future updates are also expected to disable MD5 hash algorithm by default.
Credit: secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK | =1.6.0-update121 | |
| Oracle JDK | =1.7.0-update111 | |
| Oracle JDK | =1.8.0-update101 | |
| Oracle JDK | =1.8.0-update102 | |
| Oracle JRE | =1.6.0-update121 | |
| Oracle JRE | =1.7.0-update111 | |
| Oracle JRE | =1.8.0-update101 | |
| Oracle JRE | =1.8.0-update102 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2016-2079.html
- http://rhn.redhat.com/errata/RHSA-2016-2088.html
- http://rhn.redhat.com/errata/RHSA-2016-2089.html
- http://rhn.redhat.com/errata/RHSA-2016-2090.html
- http://rhn.redhat.com/errata/RHSA-2016-2136.html
- http://rhn.redhat.com/errata/RHSA-2016-2137.html
- http://rhn.redhat.com/errata/RHSA-2016-2138.html
- http://rhn.redhat.com/errata/RHSA-2016-2658.html
- http://rhn.redhat.com/errata/RHSA-2016-2659.html
- http://rhn.redhat.com/errata/RHSA-2017-0061.html
- http://www.debian.org/security/2016/dsa-3707
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.securityfocus.com/bid/93643
- http://www.securitytracker.com/id/1037040
- http://www.ubuntu.com/usn/USN-3130-1
- http://www.ubuntu.com/usn/USN-3154-1
- https://access.redhat.com/errata/RHSA-2017:1216
- https://security.gentoo.org/glsa/201611-04
- https://security.gentoo.org/glsa/201701-43
- https://security.netapp.com/advisory/ntap-20161019-0001/
- http://www.oracle.com/technetwork/java/javase/8u111-relnotes-3124969.html
- http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_121
- http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_131
- http://java.com/cryptoroadmap
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/67252a0030a1
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/55e37dab57a1
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/ab26fe28f9ed
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/b1304d71a2ec
- https://rhn.redhat.com/errata/RHSA-2016-2079.html
- https://rhn.redhat.com/errata/RHSA-2016-2088.html
- https://rhn.redhat.com/errata/RHSA-2016-2090.html
- https://rhn.redhat.com/errata/RHSA-2016-2089.html
- https://rhn.redhat.com/errata/RHSA-2016-2138.html
- https://rhn.redhat.com/errata/RHSA-2016-2137.html
- https://rhn.redhat.com/errata/RHSA-2016-2136.html
- https://rhn.redhat.com/errata/RHSA-2016-2659.html
- https://rhn.redhat.com/errata/RHSA-2016-2658.html
- https://rhn.redhat.com/errata/RHSA-2017-0061.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1385723
- collector/nvd-index
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-5542
- agent/description
- agent/tags
- agent/event
- agent/references
- agent/severity
- collector/mitre-cve
- source/MITRE
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.6.0-update121
- version/oracle jdk/1.7.0-update111
- version/oracle jdk/1.8.0-update101
- version/oracle jdk/1.8.0-update102
- canonical/oracle jre
- version/oracle jre/1.6.0-update121
- version/oracle jre/1.7.0-update111
- version/oracle jre/1.8.0-update101
- version/oracle jre/1.8.0-update102