medium
5.9
Advisory Published
CVE Published
Updated

CVE-2018-2618

First published: Mon Jan 15 2018(Updated: )

It was discovered that the DHKeyAgreement and P11KeyAgreement implementations in the JCE component of OpenJDK did not guarantee sufficient strength of used keys to adequately protect generated shared secret. This could make it easier to break encryption by attacking key agreement rather than the encryption using the negotiated key. The patch for this issue causes classes' method generateSecret(String algorithm) to fail unless it's call for "TlsPremasterSecret", or the "jdk.crypto.KeyAgreement.legacyKDF" system property is set to true.

Credit: secalert_us@oracle.com secalert_us@oracle.com secalert_us@oracle.com

Affected SoftwareAffected VersionHow to fix
Oracle JDK=1.6.0-update171
Oracle JDK=1.7.0-update161
Oracle JDK=1.8.0-update152
Oracle JDK=1.9.0.1
Oracle JRE=1.6.0-update171
Oracle JRE=1.7.0-update161
Oracle JRE=1.8.0-update152
Oracle JRE=1.9.0.1
Oracle JRockit=r28.3.16
Redhat Satellite=5.6
Redhat Satellite=5.7
Redhat Satellite=5.8
Redhat Enterprise Linux Desktop=6.0
Redhat Enterprise Linux Desktop=7.0
Redhat Enterprise Linux Server=6.0
Redhat Enterprise Linux Server=7.0
Redhat Enterprise Linux Server Aus=7.4
Redhat Enterprise Linux Server Aus=7.6
Redhat Enterprise Linux Server Eus=7.4
Redhat Enterprise Linux Server Eus=7.5
Redhat Enterprise Linux Server Eus=7.6
Redhat Enterprise Linux Server Tus=7.4
Redhat Enterprise Linux Server Tus=7.6
Redhat Enterprise Linux Workstation=6.0
Redhat Enterprise Linux Workstation=7.0
Debian Debian Linux=7.0
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=17.10
Schneider-electric Struxureware Data Center Expert<7.6.0
Hp Xp Command View>=8.6.2-01
Hp Xp P9000 Command View>=8.6.2-01
Hp Xp7 Command View>=8.6.2-01
Oracle JDK=9.0.1
Oracle JRE=9.0.1
debian/openjdk-8
8u422-b05-1

Remedy

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2018-2618?

    The severity of CVE-2018-2618 is medium, with a CVSS score of 5.9.

  • What is the impacted software for CVE-2018-2618?

    The impacted software for CVE-2018-2618 includes Java SE 6u171, 7u161, 8u152, and 9.0.1; Java SE Embedded 8u151; and JRockit R28.3.16.

  • How can I fix CVE-2018-2618?

    To fix CVE-2018-2618, upgrade to OpenJDK 8u382-ga-2 (for Debian) or OpenJDK 7 or 8 (for Ubuntu).

  • Are Oracle JDK and JRE affected by CVE-2018-2618?

    Yes, Oracle JDK versions 1.6.0-update171, 1.7.0-update161, 1.8.0-update152, and 1.9.0.1, as well as Oracle JRE versions 1.6.0-update171, 1.7.0-update161, 1.8.0-update152, and 1.9.0.1 are affected by CVE-2018-2618.

  • Are Redhat Satellite and Redhat Enterprise Linux affected by CVE-2018-2618?

    Yes, Redhat Satellite versions 5.6, 5.7, and 5.8, as well as Redhat Enterprise Linux versions 6.0, 7.0, 7.4, 7.5, and 7.6 are affected by CVE-2018-2618.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203