RHSA-2015:1526: Important: java-1.6.0-openjdk security update

First published: Thu Jul 30 2015(Updated: )

The java-1.6.0-openjdk packages provide the OpenJDK 6 Java Runtime<br>Environment and the OpenJDK 6 Java Software Development Kit.<br>Multiple flaws were discovered in the 2D, CORBA, JMX, Libraries and RMI<br>components in OpenJDK. An untrusted Java application or applet could use<br>these flaws to bypass Java sandbox restrictions. (CVE-2015-4760,<br>CVE-2015-2628, CVE-2015-4731, CVE-2015-2590, CVE-2015-4732, CVE-2015-4733)<br>A flaw was found in the way the Libraries component of OpenJDK verified<br>Online Certificate Status Protocol (OCSP) responses. An OCSP response with<br>no nextUpdate date specified was incorrectly handled as having unlimited<br>validity, possibly causing a revoked X.509 certificate to be interpreted as<br>valid. (CVE-2015-4748)<br>It was discovered that the JCE component in OpenJDK failed to use constant<br>time comparisons in multiple cases. An attacker could possibly use these<br>flaws to disclose sensitive information by measuring the time used to<br>perform operations using these non-constant time comparisons.<br>(CVE-2015-2601)<br>A flaw was found in the RC4 encryption algorithm. When using certain keys<br>for RC4 encryption, an attacker could obtain portions of the plain text<br>from the cipher text without the knowledge of the encryption key.<br>(CVE-2015-2808)<br>Note: With this update, OpenJDK now disables RC4 TLS/SSL cipher suites by<br>default to address the CVE-2015-2808 issue. Refer to Red Hat Bugzilla bug<br>1207101, linked to in the References section, for additional details about<br>this change.<br>A flaw was found in the way the TLS protocol composed the Diffie-Hellman<br>(DH) key exchange. A man-in-the-middle attacker could use this flaw to<br>force the use of weak 512 bit export-grade keys during the key exchange,<br>allowing them to decrypt all traffic. (CVE-2015-4000)<br>Note: This update forces the TLS/SSL client implementation in OpenJDK to<br>reject DH key sizes below 768 bits, which prevents sessions to be<br>downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211,<br>linked to in the References section, for additional details about this<br>change.<br>It was discovered that the JNDI component in OpenJDK did not handle DNS<br>resolutions correctly. An attacker able to trigger such DNS errors could<br>cause a Java application using JNDI to consume memory and CPU time, and<br>possibly block further DNS resolution. (CVE-2015-4749)<br>Multiple information leak flaws were found in the JMX and 2D components in<br>OpenJDK. An untrusted Java application or applet could use this flaw to<br>bypass certain Java sandbox restrictions. (CVE-2015-2621, CVE-2015-2632)<br>A flaw was found in the way the JSSE component in OpenJDK performed X.509<br>certificate identity verification when establishing a TLS/SSL connection to<br>a host identified by an IP address. In certain cases, the certificate was<br>accepted as valid if it was issued for a host name to which the IP address<br>resolves rather than for the IP address. (CVE-2015-2625)<br>All users of java-1.6.0-openjdk are advised to upgrade to these updated<br>packages, which resolve these issues. All running instances of OpenJDK Java<br>must be restarted for the update to take effect.<br>

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

• collector/redhat-errata
• anchor-id/RHSA-2015:1526
• agent/description
• agent/event
• agent/first-publish-date
• agent/last-modified-date
• agent/references
• agent/remedy
• agent/severity
• agent/softwarecombine
• agent/tags
• agent/title
• agent/type
• package-manager/redhat