CVE-2019-2842
First published: Mon Jul 15 2019(Updated: )
It was discovered that crypto provider implementations in the JCE component of OpenJDK for crypto algorithms such as AES or SHA did not perform array bounds checks. This could lead to out-of-bounds access if compiler intrinsics were used instead of the Java runtime implementations of the specific operations.
Credit: secalert_us@oracle.com secalert_us@oracle.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Oracle JDK | =1.8.0-update212 | |
| Oracle JRE | =1.8.0-update212 | |
| openSUSE Leap | =15.0 | |
| openSUSE Leap | =15.1 | |
| Hp Xp7 Command View | <8.7.0-00 | |
| McAfee ePolicy Orchestrator | =5.9.0 | |
| McAfee ePolicy Orchestrator | =5.9.1 | |
| McAfee ePolicy Orchestrator | =5.10.0 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_1 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_2 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_3 | |
| McAfee ePolicy Orchestrator | =5.10.0-update_4 | |
| Canonical Ubuntu Linux | =16.04 | |
| debian/openjdk-8 | 8u432-b06-2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00044.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10300
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- https://usn.ubuntu.com/4080-1/
- https://kc.mcafee.com/corporate/index?page=content&id=SB10300
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03977en_us
- https://launchpad.net/bugs/cve/CVE-2019-2842
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html#AppendixJAVA
- https://access.redhat.com/errata/RHSA-2019:1811
- https://access.redhat.com/errata/RHSA-2019:1815
- https://access.redhat.com/errata/RHSA-2019:1816
- https://access.redhat.com/errata/RHSA-2019:1840
- https://access.redhat.com/errata/RHSA-2019:1839
- http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/rev/55f693ba975d
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/bdf644065d87
- http://hg.openjdk.java.net/jdk7u/jdk7u/hotspot/rev/f9541fe46eae
- http://hg.openjdk.java.net/jdk7u/jdk7u/jdk/rev/d15ed96035d0
- https://bugzilla.redhat.com/show_bug.cgi?id=1730110
- https://security-tracker.debian.org/tracker/CVE-2019-2842
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2842
- https://nvd.nist.gov/vuln/detail/CVE-2019-2842
- https://ubuntu.com/security/CVE-2019-2842
Frequently Asked Questions
What is CVE-2019-2842?
CVE-2019-2842 is a vulnerability in the Java SE component of Oracle Java SE, specifically in the JCE (Java Cryptography Extension) subcomponent.
What is the severity of CVE-2019-2842?
CVE-2019-2842 has a severity level of medium (3.7).
How can an attacker exploit CVE-2019-2842?
An unauthenticated attacker with network access via multiple protocols can exploit CVE-2019-2842 to compromise Java SE.
Which versions of Java SE are affected by CVE-2019-2842?
Java SE version 8u212 is the supported version affected by CVE-2019-2842.
How do I fix CVE-2019-2842?
To fix CVE-2019-2842, it is recommended to update to the latest available version of Java SE (8u212 or higher) provided by Oracle or your respective software vendor.
- collector/nvd-index
- agent/author
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-2842
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/severity
- agent/description
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/oracle
- canonical/oracle jdk
- version/oracle jdk/1.8.0-update212
- canonical/oracle jre
- version/oracle jre/1.8.0-update212
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.0
- version/opensuse leap/15.1
- vendor/hp
- canonical/hp xp7 command view
- vendor/mcafee
- canonical/mcafee epolicy orchestrator
- version/mcafee epolicy orchestrator/5.9.0
- version/mcafee epolicy orchestrator/5.9.1
- version/mcafee epolicy orchestrator/5.10.0
- version/mcafee epolicy orchestrator/5.10.0-update_1
- version/mcafee epolicy orchestrator/5.10.0-update_2
- version/mcafee epolicy orchestrator/5.10.0-update_3
- version/mcafee epolicy orchestrator/5.10.0-update_4
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- package-manager/debian