REDHAT-BUG-1567126
First published: Fri Apr 13 2018(Updated: )
It was discovered that the Security component of OpenJDK did not restrict which classes could be used when deserializing keys form the JCEKS key stores. A specially crafted JCEKS key store could possibly use this flaw to execute arbitrary code with the privileges of an application reading data form the key store. The fix adds support for a new security property jceks.key.serialFilter which can be used to specify classes that can be used when deserializing data from the JCEKS key stores.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenJDK 17 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixJAVA
- http://www.oracle.com/technetwork/java/javase/8u171-relnotes-4308888.html
- http://www.oracle.com/technetwork/java/javaseproducts/documentation/javase7supportreleasenotes-1601161.html#R170_181
- http://www.oracle.com/technetwork/java/javase/documentation/overview-156328.html#R160_191
- https://access.redhat.com/errata/RHSA-2018:1188
- https://access.redhat.com/errata/RHSA-2018:1191
- http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/rev/6cbe2e5989a8
- http://hg.openjdk.java.net/jdk8u/jdk8u/langtools/rev/5e864878da06
- https://access.redhat.com/errata/RHSA-2018:1201
- https://access.redhat.com/errata/RHSA-2018:1202
- https://access.redhat.com/errata/RHSA-2018:1204
- https://access.redhat.com/errata/RHSA-2018:1203
- https://access.redhat.com/errata/RHSA-2018:1205
- https://access.redhat.com/errata/RHSA-2018:1206
- https://access.redhat.com/errata/RHSA-2018:1270
- https://access.redhat.com/errata/RHSA-2018:1278
- https://access.redhat.com/errata/RHSA-2018:1721
- https://access.redhat.com/errata/RHSA-2018:1722
- https://access.redhat.com/errata/RHSA-2018:1723
- https://access.redhat.com/errata/RHSA-2018:1724
- https://access.redhat.com/errata/RHSA-2018:1974
- https://access.redhat.com/errata/RHSA-2018:1975
- https://bugzilla.redhat.com/show_bug.cgi?id=1567126
Frequently Asked Questions
What is the severity of REDHAT-BUG-1567126?
The severity of REDHAT-BUG-1567126 is classified as critical due to the potential for executing arbitrary code.
How do I fix REDHAT-BUG-1567126?
To fix REDHAT-BUG-1567126, update to the latest version of Oracle OpenJDK that addresses this vulnerability.
Which versions of OpenJDK are affected by REDHAT-BUG-1567126?
REDHAT-BUG-1567126 affects OpenJDK 17 and potentially earlier versions.
What is the risk of not addressing REDHAT-BUG-1567126?
Not addressing REDHAT-BUG-1567126 poses a risk of arbitrary code execution, which can compromise system security.
Is there a workaround for REDHAT-BUG-1567126?
Currently, there are no defined workarounds for REDHAT-BUG-1567126 other than applying the relevant updates.
- agent/type
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-2794
- agent/first-publish-date
- agent/severity
- agent/references
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/oracle
- canonical/openjdk 17