CVE-2018-2618
First published: Mon Jan 15 2018(Updated: )
It was discovered that the DHKeyAgreement and P11KeyAgreement implementations in the JCE component of OpenJDK did not guarantee sufficient strength of used keys to adequately protect generated shared secret. This could make it easier to break encryption by attacking key agreement rather than the encryption using the negotiated key. The patch for this issue causes classes' method generateSecret(String algorithm) to fail unless it's call for "TlsPremasterSecret", or the "jdk.crypto.KeyAgreement.legacyKDF" system property is set to true.
Credit: secalert_us@oracle.com secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/openjdk-8 | 8u442-ga-2 | |
| Oracle Java SE 7 | =1.6.0-update171 | |
| Oracle Java SE 7 | =1.7.0-update161 | |
| Oracle Java SE 7 | =1.8.0-update152 | |
| Oracle Java SE 7 | =9.0.1 | |
| Oracle JRE | =1.6.0-update171 | |
| Oracle JRE | =1.7.0-update161 | |
| Oracle JRE | =1.8.0-update152 | |
| Oracle JRE | =9.0.1 | |
| Oracle Java SE | =r28.3.16 | |
| Red Hat Satellite | =5.6 | |
| Red Hat Satellite | =5.7 | |
| Red Hat Satellite | =5.8 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.5 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Server | =7.4 | |
| Red Hat Enterprise Linux Server | =7.6 | |
| Red Hat Enterprise Linux Workstation | =6.0 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| Debian Linux | =7.0 | |
| Debian Linux | =8.0 | |
| Debian Linux | =9.0 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =17.10 | |
| Schneider Electric EcoStruxure Data Center Expert | <7.6.0 | |
| HP StorageWorks Command View | >=8.6.2-01 | |
| HP StorageWorks Command View | >=8.6.2-01 | |
| HP P9000 Command View Advanced Edition Software | >=8.6.2-01 | |
| Oracle Java SE 7 | =1.9.0.1 | |
| Oracle JRE | =1.9.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.securityfocus.com/bid/102612
- http://www.securitytracker.com/id/1040203
- https://access.redhat.com/errata/RHSA-2018:0095
- https://access.redhat.com/errata/RHSA-2018:0099
- https://access.redhat.com/errata/RHSA-2018:0100
- https://access.redhat.com/errata/RHSA-2018:0115
- https://access.redhat.com/errata/RHSA-2018:0349
- https://access.redhat.com/errata/RHSA-2018:0351
- https://access.redhat.com/errata/RHSA-2018:0352
- https://access.redhat.com/errata/RHSA-2018:0458
- https://access.redhat.com/errata/RHSA-2018:0521
- https://access.redhat.com/errata/RHSA-2018:1463
- https://access.redhat.com/errata/RHSA-2018:1812
- https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
- https://lists.debian.org/debian-lts-announce/2018/04/msg00003.html
- https://security.netapp.com/advisory/ntap-20180117-0001/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03911en_us
- https://usn.ubuntu.com/3613-1/
- https://usn.ubuntu.com/3614-1/
- https://www.debian.org/security/2018/dsa-4144
- https://www.debian.org/security/2018/dsa-4166
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03911en_us
- https://launchpad.net/bugs/cve/CVE-2018-2618
- http://www.oracle.com/technetwork/java/javase/8u161-relnotes-4021379.html
- http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_171
- http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_181
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixJAVA
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/9b819798e7b0
- https://bugzilla.redhat.com/show_bug.cgi?id=1534762
- https://security-tracker.debian.org/tracker/CVE-2018-2618
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2618
- https://nvd.nist.gov/vuln/detail/CVE-2018-2618
- https://ubuntu.com/security/CVE-2018-2618
Frequently Asked Questions
What is the severity of CVE-2018-2618?
The severity of CVE-2018-2618 is medium, with a CVSS score of 5.9.
What is the impacted software for CVE-2018-2618?
The impacted software for CVE-2018-2618 includes Java SE 6u171, 7u161, 8u152, and 9.0.1; Java SE Embedded 8u151; and JRockit R28.3.16.
How can I fix CVE-2018-2618?
To fix CVE-2018-2618, upgrade to OpenJDK 8u382-ga-2 (for Debian) or OpenJDK 7 or 8 (for Ubuntu).
Are Oracle JDK and JRE affected by CVE-2018-2618?
Yes, Oracle JDK versions 1.6.0-update171, 1.7.0-update161, 1.8.0-update152, and 1.9.0.1, as well as Oracle JRE versions 1.6.0-update171, 1.7.0-update161, 1.8.0-update152, and 1.9.0.1 are affected by CVE-2018-2618.
Are Redhat Satellite and Redhat Enterprise Linux affected by CVE-2018-2618?
Yes, Redhat Satellite versions 5.6, 5.7, and 5.8, as well as Redhat Enterprise Linux versions 6.0, 7.0, 7.4, 7.5, and 7.6 are affected by CVE-2018-2618.
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-2618
- agent/type
- agent/severity
- agent/author
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/trending
- agent/last-modified-date
- agent/source
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/debian
- vendor/oracle
- canonical/oracle java se 7
- version/oracle java se 7/1.6.0-update171
- version/oracle java se 7/1.7.0-update161
- version/oracle java se 7/1.8.0-update152
- version/oracle java se 7/9.0.1
- canonical/oracle jre
- version/oracle jre/1.6.0-update171
- version/oracle jre/1.7.0-update161
- version/oracle jre/1.8.0-update152
- version/oracle jre/9.0.1
- canonical/oracle java se
- version/oracle java se/r28.3.16
- vendor/redhat
- canonical/red hat satellite
- version/red hat satellite/5.6
- version/red hat satellite/5.7
- version/red hat satellite/5.8
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/6.0
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/6.0
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/7.4
- version/red hat enterprise linux server/7.6
- version/red hat enterprise linux server/7.5
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/6.0
- version/red hat enterprise linux workstation/7.0
- vendor/debian
- canonical/debian linux
- version/debian linux/7.0
- version/debian linux/8.0
- version/debian linux/9.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/17.10
- vendor/schneider-electric
- canonical/schneider electric ecostruxure data center expert
- vendor/hp
- canonical/hp storageworks command view
- version/hp storageworks command view/8.6.2-01
- canonical/hp p9000 command view advanced edition software
- version/hp p9000 command view advanced edition software/8.6.2-01
- version/oracle java se 7/1.9.0.1
- version/oracle jre/1.9.0.1