Bug 44687

Summary: openjdk-7: Multiple issues (4.2)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Jürn Brodersen <brodersen>
Severity: normal
Priority: P3
Flags: requate: Patch_Available+
Version: UCS 4.2
Target Milestone: UCS 4.2-3-errata
Hardware: Other
OS: Linux
URL: http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Bug Depends on:
Bug Blocks: 44726

Description Arvid Requate univentionstaff 2017-05-24 13:53:04 CEST
Upstream Debian package version 7u131-2.6.9-2~deb8u1 fixes:

    - S8163520, CVE-2017-3509: Reuse cache entries.
    - S8163528, CVE-2017-3511: Better library loading.
    - S8169011, CVE-2017-3526: Resizing XML parse trees.
    - S8170222, CVE-2017-3533: Better transfers of files.
    - S8171121, CVE-2017-3539: Enhancing jar checking.
    - S8171533, CVE-2017-3544: Better email transfer.
Comment 1 Arvid Requate univentionstaff 2017-09-08 13:13:00 CEST
Upstream Debian package version 7u151-2.6.11-1~deb8u1 fixes:

* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java (CVE-2017-10053)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10067)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java (CVE-2017-10074)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java accessible data. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10081)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10087)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10089)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10090)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10096)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10101)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. While the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service (CVE-2017-10102)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10107)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java (CVE-2017-10108)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10109)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java. Note: This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10110)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10115)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java (CVE-2017-10116)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10118)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10135)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10176)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java accessible data. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator) (CVE-2017-10193)
* Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java accessible data (CVE-2017-10198)
* Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java accessible data and unauthorized ability to cause a partial denial of service (partial DOS) (CVE-2017-10243)
Comment 2 Arvid Requate univentionstaff 2017-12-11 11:58:46 CET
Upstream Debian package version 7u151-2.6.11-2~deb8u1 fixes:

CVE-2017-10274 CVE-2017-10281 CVE-2017-10285 CVE-2017-10295
CVE-2017-10345 CVE-2017-10346 CVE-2017-10347 CVE-2017-10348
CVE-2017-10349 CVE-2017-10350 CVE-2017-10355 CVE-2017-10356
CVE-2017-10357 CVE-2017-10388

Details: http://www.oracle.com/technetwork/security-advisory/cpuoct2017verbose-3236627.html
Comment 3 Arvid Requate univentionstaff 2017-12-11 16:34:04 CET
Imported and built.

Advisory: https://git.knut.univention.de/univention/ucs/blob/4.2-3/doc/errata/staging/openjdk-7.yaml
Comment 5 Arvid Requate univentionstaff 2017-12-12 11:49:40 CET
Yes, I have decided not to put any detailed CVE descriptions into the advisory to save half an hour of cut & paste & formatting. I've put the links to the verbose release notes from Oracle. I've now added an ignore tag to relax the test criteria.
Comment 6 Jürn Brodersen univentionstaff 2017-12-12 13:23:44 CET
Installation: OK
YAML: OK
java: "Hello_World": OK

Verified
Comment 7 Arvid Requate univentionstaff 2017-12-14 12:55:55 CET
<http://errata.software-univention.de/ucs/4.2/249.html>