CVE-2018-2582
First published: Mon Jan 15 2018(Updated: )
It was discovered that the Hotspot component of OpenJDK failed to properly validate uses of the invokeinterface Java Virtual Machine instruction. An untrusted Java application or applet could use this flaw to bypass certain Java sandbox restrictions.
Credit: secalert_us@oracle.com secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK | =1.8.0-update152 | |
| Oracle JDK | =1.9.0.1 | |
| Oracle JRE | =1.8.0-update152 | |
| Oracle JRE | =1.9.0.1 | |
| Redhat Satellite | =5.8 | |
| Redhat Enterprise Linux Desktop | =6.0 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Server | =6.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Server Eus | =7.5 | |
| Redhat Enterprise Linux Workstation | =6.0 | |
| Redhat Enterprise Linux Workstation | =7.0 | |
| Debian Debian Linux | =9.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =17.10 | |
| Schneider-electric Struxureware Data Center Expert | <7.6.0 | |
| Hp Xp Command View | >=8.6.2-01 | |
| Hp Xp P9000 Command View | >=8.6.2-01 | |
| Hp Xp7 Command View | >=8.6.2-01 | |
| Oracle JDK | =9.0.1 | |
| Oracle JRE | =9.0.1 | |
| debian/openjdk-8 | 8u422-b05-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.securityfocus.com/bid/102597
- http://www.securitytracker.com/id/1040203
- https://access.redhat.com/errata/RHSA-2018:0095
- https://access.redhat.com/errata/RHSA-2018:0099
- https://access.redhat.com/errata/RHSA-2018:0351
- https://access.redhat.com/errata/RHSA-2018:0352
- https://access.redhat.com/errata/RHSA-2018:0458
- https://access.redhat.com/errata/RHSA-2018:0521
- https://access.redhat.com/errata/RHSA-2018:1463
- https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
- https://security.netapp.com/advisory/ntap-20180117-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03911en_us
- https://usn.ubuntu.com/3613-1/
- https://www.debian.org/security/2018/dsa-4144
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03911en_us
- https://launchpad.net/bugs/cve/CVE-2018-2582
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/a3e756231625
- http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/rev/f8a45a60bc6b
- http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/rev/b1606443958a
- https://bugzilla.redhat.com/show_bug.cgi?id=1534768
- https://security-tracker.debian.org/tracker/CVE-2018-2582
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2582
- https://nvd.nist.gov/vuln/detail/CVE-2018-2582
- https://ubuntu.com/security/CVE-2018-2582
Frequently Asked Questions
What is CVE-2018-2582?
CVE-2018-2582 is a vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE, which allows unauthenticated attackers with network access to exploit a vulnerability via multiple protocols.
Which versions of Java SE are affected by CVE-2018-2582?
Java SE versions 8u152 and 9.0.1 are affected by CVE-2018-2582.
How severe is CVE-2018-2582?
CVE-2018-2582 has a severity rating of 6.5 (high).
What is the recommended remedy for CVE-2018-2582 on Ubuntu?
For Ubuntu, the recommended remedy for CVE-2018-2582 is to upgrade to openjdk-9 version 9.0.4+12-1 or openjdk-8 version 8.
Where can I find more information on CVE-2018-2582?
You can find more information on CVE-2018-2582 on the Oracle Security Advisory and SecurityFocus websites.
- collector/nvd-index
- collector/nvd-api
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-2582
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/author
- agent/description
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.8.0-update152
- version/oracle jdk/1.9.0.1
- canonical/oracle jre
- version/oracle jre/1.8.0-update152
- version/oracle jre/1.9.0.1
- vendor/redhat
- canonical/redhat satellite
- version/redhat satellite/5.8
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.5
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/17.10
- vendor/schneider-electric
- canonical/schneider-electric struxureware data center expert
- vendor/hp
- canonical/hp xp command view
- version/hp xp command view/8.6.2-01
- canonical/hp xp p9000 command view
- version/hp xp p9000 command view/8.6.2-01
- canonical/hp xp7 command view
- version/hp xp7 command view/8.6.2-01
- version/oracle jdk/9.0.1
- version/oracle jre/9.0.1
- package-manager/debian