First published: Wed Jul 15 2015 (Updated: )
The java-1.8.0-openjdk packages provide the OpenJDK 8 Java Runtime Environment and the OpenJDK 8 Java Software Development Kit.

Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass Java sandbox restrictions. (CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733)

A flaw was found in the way the Libraries component of OpenJDK verified Online Certificate Status Protocol (OCSP) responses. An OCSP response with no nextUpdate date specified was incorrectly handled as having unlimited validity, possibly causing a revoked X.509 certificate to be interpreted as valid. (CVE-2015-4748)

It was discovered that the JCE component in OpenJDK failed to use constant-time comparisons in multiple cases. An attacker could possibly use these flaws to disclose sensitive information by measuring the time taken to perform operations that use these non-constant-time comparisons. (CVE-2015-2601)

It was discovered that the GCM (Galois Counter Mode) implementation in the Security component of OpenJDK failed to properly perform a null check. This could cause the Java Virtual Machine to crash when an application performed encryption using a block cipher in GCM mode. (CVE-2015-2659)

A flaw was found in the RC4 encryption algorithm. When certain keys are used for RC4 encryption, an attacker could obtain portions of the plain text from the cipher text without knowledge of the encryption key. (CVE-2015-2808)

Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug 1207101, linked to in the References section, for additional details about this change.

A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512-bit export-grade keys during the key exchange, allowing them to decrypt all traffic. (CVE-2015-4000)

Note: This update forces the TLS/SSL client implementation in OpenJDK to reject DH key sizes below 768 bits, which prevents sessions from being downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change.

It was discovered that the JNDI component in OpenJDK did not handle DNS resolutions correctly. An attacker able to trigger such DNS errors could cause a Java application using JNDI to consume memory and CPU time, and possibly block further DNS resolution. (CVE-2015-4749)

Multiple information leak flaws were found in the JMX and 2D components in OpenJDK. An untrusted Java application or applet could use these flaws to bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632)

A flaw was found in the way the JSSE component in OpenJDK performed X.509 certificate identity verification when establishing a TLS/SSL connection to a host identified by an IP address. In certain cases, the certificate was accepted as valid if it was issued for a host name to which the IP address resolves rather than for the IP address itself. (CVE-2015-2625)

Multiple insecure temporary file use issues were found in the way the Hotspot component in OpenJDK created performance statistics and error log files. A local attacker could possibly make a victim using OpenJDK overwrite arbitrary files using a symlink attack. Note: This issue was originally fixed as CVE-2015-0383, but the fix was regressed in the RHSA-2015:0809 advisory. (CVE-2015-3149)

All users of java-1.8.0-openjdk are advised to upgrade to these updated packages, which resolve these issues. All running instances of OpenJDK Java must be restarted for the update to take effect.
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/java | <1.8.0-openjdk-1.8.0.51-1.b16.el7_1 | 1.8.0-openjdk-1.8.0.51-1.b16.el7_1 |
redhat/java | <1.8.0-openjdk-accessibility-1.8.0.51-1.b16.el7_1 | 1.8.0-openjdk-accessibility-1.8.0.51-1.b16.el7_1 |
redhat/java | <1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1 | 1.8.0-openjdk-debuginfo-1.8.0.51-1.b16.el7_1 |
redhat/java | <1.8.0-openjdk-demo-1.8.0.51-1.b16.el7_1 | 1.8.0-openjdk-demo-1.8.0.51-1.b16.el7_1 |
redhat/java | <1.8.0-openjdk-devel-1.8.0.51-1.b16.el7_1 | 1.8.0-openjdk-devel-1.8.0.51-1.b16.el7_1 |
redhat/java | <1.8.0-openjdk-headless-1.8.0.51-1.b16.el7_1 | 1.8.0-openjdk-headless-1.8.0.51-1.b16.el7_1 |
redhat/java | <1.8.0-openjdk-javadoc-1.8.0.51-1.b16.el7_1 | 1.8.0-openjdk-javadoc-1.8.0.51-1.b16.el7_1 |
redhat/java | <1.8.0-openjdk-src-1.8.0.51-1.b16.el7_1 | 1.8.0-openjdk-src-1.8.0.51-1.b16.el7_1 |
redhat/java | <1.8.0-openjdk-1.8.0.51-0.b16.el6_6 | 1.8.0-openjdk-1.8.0.51-0.b16.el6_6 |
redhat/java | <1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6 | 1.8.0-openjdk-debuginfo-1.8.0.51-0.b16.el6_6 |
redhat/java | <1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6 | 1.8.0-openjdk-demo-1.8.0.51-0.b16.el6_6 |
redhat/java | <1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6 | 1.8.0-openjdk-devel-1.8.0.51-0.b16.el6_6 |
redhat/java | <1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6 | 1.8.0-openjdk-headless-1.8.0.51-0.b16.el6_6 |
redhat/java | <1.8.0-openjdk-javadoc-1.8.0.51-0.b16.el6_6 | 1.8.0-openjdk-javadoc-1.8.0.51-0.b16.el6_6 |
redhat/java | <1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6 | 1.8.0-openjdk-src-1.8.0.51-0.b16.el6_6 |
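A defender-side check that a host's installed java-1.8.0-openjdk packages have reached the fixed versions in the table above, added here as an example; it is not part of the advisory or of Red Hat's tooling. It assumes the `rpm -qa --qf` query format shown in the code comments and uses a simplified reimplementation of RPM version comparison (the `~` and `^` rules are omitted); the package lines in SAMPLE are constructed, not captured from a real host.

```python
import re

# Fixed version/release pairs from this advisory's table, keyed by dist tag.
FIXED = {
    "el7_1": ("1.8.0.51", "1.b16.el7_1"),
    "el6_6": ("1.8.0.51", "0.b16.el6_6"),
}

def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 for a < b, a == b, a > b. Strings are
    split into numeric and alphabetic runs (separators dropped); numeric runs
    compare as integers, alphabetic runs lexically, and a numeric run beats an
    alphabetic one. If all shared runs are equal, the longer string is newer.
    rpm's '~' and '^' rules are intentionally omitted (assumption)."""
    seg_a = re.findall(r"\d+|[A-Za-z]+", a)
    seg_b = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))

def check_package(line):
    # One 'NAME VERSION RELEASE' line, as printed by:
    #   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n' 'java-1.8.0-openjdk*'
    name, ver, rel = line.split()
    m = re.search(r"\.(el\d+_\d+)$", rel)  # dist tag, e.g. el7_1
    dist = m.group(1) if m else None
    if not name.startswith("java-1.8.0-openjdk") or dist not in FIXED:
        return (name, "not covered")  # other packages, or a dist tag not in the table
    fixed_ver, fixed_rel = FIXED[dist]
    # Version decides first; only on a tie does the release field matter.
    cmp = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
    return (name, "vulnerable" if cmp < 0 else "fixed")

def scan(rpm_output):
    """Run check_package over every non-empty line of rpm output."""
    return [check_package(l) for l in rpm_output.splitlines() if l.strip()]

# Constructed sample of rpm output (not captured from a real host).
SAMPLE = """\
java-1.8.0-openjdk-headless 1.8.0.45 30.b13.el7_1
java-1.8.0-openjdk 1.8.0.51 1.b16.el7_1
java-1.8.0-openjdk-devel 1.8.0.51 0.b16.el7_1
java-1.8.0-openjdk 1.8.0.60 2.b27.el6_6
java-1.7.0-openjdk 1.7.0.85 2.6.1.3.el7_1
"""
if __name__ == "__main__":
    for name, status in scan(SAMPLE):
        print(f"{name}: {status}")
```

A "fixed" result only confirms the package on disk; running JVMs still use the old code until restarted, as the advisory states.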