CVE-2018-2618
First published: Mon Jan 15 2018(Updated: )
It was discovered that the DHKeyAgreement and P11KeyAgreement implementations in the JCE component of OpenJDK did not guarantee sufficient strength of used keys to adequately protect generated shared secret. This could make it easier to break encryption by attacking key agreement rather than the encryption using the negotiated key. The patch for this issue causes classes' method generateSecret(String algorithm) to fail unless it's call for "TlsPremasterSecret", or the "jdk.crypto.KeyAgreement.legacyKDF" system property is set to true.
Credit: secalert_us@oracle.com secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openjdk-8 | 8u442-ga-2 | |
| Oracle JDK 6 | =1.6.0-update171 | |
| Oracle JDK 6 | =1.7.0-update161 | |
| Oracle JDK 6 | =1.8.0-update152 | |
| Oracle JDK 6 | =9.0.1 | |
| Oracle Java Runtime Environment (JRE) | =1.6.0-update171 | |
| Oracle Java Runtime Environment (JRE) | =1.7.0-update161 | |
| Oracle Java Runtime Environment (JRE) | =1.8.0-update152 | |
| Oracle Java Runtime Environment (JRE) | =9.0.1 | |
| BEA JRockit | =r28.3.16 | |
| redhat satellite | =5.6 | |
| redhat satellite | =5.7 | |
| redhat satellite | =5.8 | |
| redhat enterprise Linux desktop | =6.0 | |
| redhat enterprise Linux desktop | =7.0 | |
| redhat enterprise Linux server | =6.0 | |
| redhat enterprise Linux server | =7.0 | |
| redhat enterprise Linux server aus | =7.4 | |
| redhat enterprise Linux server aus | =7.6 | |
| redhat enterprise Linux server eus | =7.4 | |
| redhat enterprise Linux server eus | =7.5 | |
| redhat enterprise Linux server eus | =7.6 | |
| redhat enterprise Linux server tus | =7.4 | |
| redhat enterprise Linux server tus | =7.6 | |
| redhat enterprise Linux workstation | =6.0 | |
| redhat enterprise Linux workstation | =7.0 | |
| Debian | =7.0 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =17.10 | |
| Schneider Electric EcoStruxure Data Center Expert | <7.6.0 | |
| HP P9000 Command View Advanced Edition Software | >=8.6.2-01 | |
| HP XP P9000 Command View | >=8.6.2-01 | |
| HP P9000 Command View Advanced Edition Software | >=8.6.2-01 | |
| Oracle JDK 6 | =1.9.0.1 | |
| Oracle Java Runtime Environment (JRE) | =1.9.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.securityfocus.com/bid/102612
- http://www.securitytracker.com/id/1040203
- https://access.redhat.com/errata/RHSA-2018:0095
- https://access.redhat.com/errata/RHSA-2018:0099
- https://access.redhat.com/errata/RHSA-2018:0100
- https://access.redhat.com/errata/RHSA-2018:0115
- https://access.redhat.com/errata/RHSA-2018:0349
- https://access.redhat.com/errata/RHSA-2018:0351
- https://access.redhat.com/errata/RHSA-2018:0352
- https://access.redhat.com/errata/RHSA-2018:0458
- https://access.redhat.com/errata/RHSA-2018:0521
- https://access.redhat.com/errata/RHSA-2018:1463
- https://access.redhat.com/errata/RHSA-2018:1812
- https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
- https://lists.debian.org/debian-lts-announce/2018/04/msg00003.html
- https://security.netapp.com/advisory/ntap-20180117-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03911en_us
- https://usn.ubuntu.com/3613-1/
- https://usn.ubuntu.com/3614-1/
- https://www.debian.org/security/2018/dsa-4144
- https://www.debian.org/security/2018/dsa-4166
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03911en_us
- https://launchpad.net/bugs/cve/CVE-2018-2618
- http://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html
- http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_171
- http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_181
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/9b819798e7b0
- https://bugzilla.redhat.com/show_bug.cgi?id=1534762
- https://security-tracker.debian.org/tracker/CVE-2018-2618
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2618
- https://nvd.nist.gov/vuln/detail/CVE-2018-2618
- https://ubuntu.com/security/CVE-2018-2618
Frequently Asked Questions
What is the severity of CVE-2018-2618?
The severity of CVE-2018-2618 is medium, with a CVSS score of 5.9.
What is the impacted software for CVE-2018-2618?
The impacted software for CVE-2018-2618 includes Java SE 6u171, 7u161, 8u152, and 9.0.1; Java SE Embedded 8u151; and JRockit R28.3.16.
How can I fix CVE-2018-2618?
To fix CVE-2018-2618, upgrade to OpenJDK 8u382-ga-2 (for Debian) or OpenJDK 7 or 8 (for Ubuntu).
Are Oracle JDK and JRE affected by CVE-2018-2618?
Yes, Oracle JDK versions 1.6.0-update171, 1.7.0-update161, 1.8.0-update152, and 1.9.0.1, as well as Oracle JRE versions 1.6.0-update171, 1.7.0-update161, 1.8.0-update152, and 1.9.0.1 are affected by CVE-2018-2618.
Are Redhat Satellite and Redhat Enterprise Linux affected by CVE-2018-2618?
Yes, Redhat Satellite versions 5.6, 5.7, and 5.8, as well as Redhat Enterprise Linux versions 6.0, 7.0, 7.4, 7.5, and 7.6 are affected by CVE-2018-2618.
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-2618
- agent/type
- agent/severity
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/last-modified-date
- agent/source
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/nvd-api
- package-manager/debian
- vendor/oracle
- canonical/oracle jdk 6
- version/oracle jdk 6/1.6.0-update171
- version/oracle jdk 6/1.7.0-update161
- version/oracle jdk 6/1.8.0-update152
- version/oracle jdk 6/9.0.1
- canonical/oracle java runtime environment (jre)
- version/oracle java runtime environment (jre)/1.6.0-update171
- version/oracle java runtime environment (jre)/1.7.0-update161
- version/oracle java runtime environment (jre)/1.8.0-update152
- version/oracle java runtime environment (jre)/9.0.1
- canonical/bea jrockit
- version/bea jrockit/r28.3.16
- vendor/redhat
- canonical/redhat satellite
- version/redhat satellite/5.6
- version/redhat satellite/5.7
- version/redhat satellite/5.8
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/7.4
- version/redhat enterprise linux server aus/7.6
- canonical/redhat enterprise linux server eus
- version/redhat enterprise linux server eus/7.4
- version/redhat enterprise linux server eus/7.5
- version/redhat enterprise linux server eus/7.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.4
- version/redhat enterprise linux server tus/7.6
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0
- vendor/debian
- canonical/debian
- version/debian/7.0
- version/debian/8.0
- version/debian/9.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/17.10
- vendor/schneider-electric
- canonical/schneider electric ecostruxure data center expert
- vendor/hp
- canonical/hp p9000 command view advanced edition software
- version/hp p9000 command view advanced edition software/8.6.2-01
- canonical/hp xp p9000 command view
- version/hp xp p9000 command view/8.6.2-01
- version/oracle jdk 6/1.9.0.1
- version/oracle java runtime environment (jre)/1.9.0.1