First published: Tue Aug 21 2018
It was discovered that OpenJDK did not properly validate types in some situations. An attacker could use this to construct a Java class that could possibly bypass sandbox restrictions. (CVE-2018-2825, CVE-2018-2826)

It was discovered that the PatternSyntaxException class in OpenJDK did not properly validate arguments passed to it. An attacker could use this to potentially construct a class that caused a denial of service (excessive memory consumption). (CVE-2018-2952)

Daniel Bleichenbacher discovered a vulnerability in the Galois/Counter Mode (GCM) mode of operation for symmetric block ciphers in OpenJDK. An attacker could use this to expose sensitive information. (CVE-2018-2972)

Affected Software | Affected Version | How to fix |
---|---|---|
All of | ||
ubuntu/openjdk-11-jre | <10.0.2+13-1ubuntu0.18.04.1 | 10.0.2+13-1ubuntu0.18.04.1 |
=18.04 | ||
All of | ||
ubuntu/openjdk-11-jre-headless | <10.0.2+13-1ubuntu0.18.04.1 | 10.0.2+13-1ubuntu0.18.04.1 |
=18.04 | ||
All of | ||
ubuntu/openjdk-11-jre-zero | <10.0.2+13-1ubuntu0.18.04.1 | 10.0.2+13-1ubuntu0.18.04.1 |
=18.04 | ||
The severity of USN-3747-1 is high.
OpenJDK version 10.0.2+13-1ubuntu0.18.04.1 is affected by USN-3747-1.
The vulnerabilities addressed by USN-3747-1 are CVE-2018-2825 and CVE-2018-2826.
An attacker can exploit USN-3747-1 by constructing a Java class that may bypass sandbox restrictions.
You can find more information about USN-3747-1 at the following references: [CVE-2018-2825](https://ubuntu.com/security/CVE-2018-2825), [CVE-2018-2826](https://ubuntu.com/security/CVE-2018-2826), [CVE-2018-2952](https://ubuntu.com/security/CVE-2018-2952).