SUSE SLED12 / SLES12 Security Update : java-1_7_0-openjdk (SUSE-SU-2018:0005-1)

critical Nessus Plugin ID 105538

Synopsis

The remote SUSE host is missing one or more security updates.

Description

This update for java-1_7_0-openjdk fixes the following issues:
Security issues fixed:

- CVE-2017-10356: Fix issue inside subcomponent Security (bsc#1064084).

- CVE-2017-10274: Fix issue inside subcomponent Smart Card IO (bsc#1064071).

- CVE-2017-10281: Fix issue inside subcomponent Serialization (bsc#1064072).

- CVE-2017-10285: Fix issue inside subcomponent RMI (bsc#1064073).

- CVE-2017-10295: Fix issue inside subcomponent Networking (bsc#1064075).

- CVE-2017-10388: Fix issue inside subcomponent Libraries (bsc#1064086).

- CVE-2017-10346: Fix issue inside subcomponent Hotspot (bsc#1064078).

- CVE-2017-10350: Fix issue inside subcomponent JAX-WS (bsc#1064082).

- CVE-2017-10347: Fix issue inside subcomponent Serialization (bsc#1064079).

- CVE-2017-10349: Fix issue inside subcomponent JAXP (bsc#1064081).

- CVE-2017-10345: Fix issue inside subcomponent Serialization (bsc#1064077).

- CVE-2017-10348: Fix issue inside subcomponent Libraries (bsc#1064080).

- CVE-2017-10357: Fix issue inside subcomponent Serialization (bsc#1064085).

- CVE-2017-10355: Fix issue inside subcomponent Networking (bsc#1064083).

- CVE-2017-10102: Fix incorrect handling of references in DGC (bsc#1049316).

- CVE-2017-10053: Fix reading of unprocessed image data in JPEGImageReader (bsc#1049305).

- CVE-2017-10067: Fix JAR verifier incorrect handling of missing digest (bsc#1049306).

- CVE-2017-10081: Fix incorrect bracket processing in function signature handling (bsc#1049309).

- CVE-2017-10087: Fix insufficient access control checks in ThreadPoolExecutor (bsc#1049311).

- CVE-2017-10089: Fix insufficient access control checks in ServiceRegistry (bsc#1049312).

- CVE-2017-10090: Fix insufficient access control checks in AsynchronousChannelGroupImpl (bsc#1049313).

- CVE-2017-10096: Fix insufficient access control checks in XML transformations (bsc#1049314).

- CVE-2017-10101: Fix unrestricted access to com.sun.org.apache.xml.internal.resolver (bsc#1049315).

- CVE-2017-10107: Fix insufficient access control checks in ActivationID (bsc#1049318).

- CVE-2017-10074: Fix integer overflows in range check loop predicates (bsc#1049307).

- CVE-2017-10110: Fix insufficient access control checks in ImageWatched (bsc#1049321).

- CVE-2017-10108: Fix unbounded memory allocation in BasicAttribute deserialization (bsc#1049319).

- CVE-2017-10109: Fix unbounded memory allocation in CodeSource deserialization (bsc#1049320).

- CVE-2017-10115: Fix unspecified vulnerability in subcomponent JCE (bsc#1049324).

- CVE-2017-10118: Fix ECDSA implementation timing attack (bsc#1049326).

- CVE-2017-10116: Fix LDAPCertStore following referrals to non-LDAP URL (bsc#1049325).

- CVE-2017-10135: Fix PKCS#8 implementation timing attack (bsc#1049328).

- CVE-2017-10176: Fix incorrect handling of certain EC points (bsc#1049329).

- CVE-2017-10111: Fix checks in LambdaFormEditor (bsc#1049322).

- CVE-2017-10243: Fix unspecified vulnerability in subcomponent JAX-WS (bsc#1049332).

- CVE-2017-10125: Fix unspecified vulnerability in subcomponent deployment (bsc#1049327).

- CVE-2017-10114: Fix unspecified vulnerability in subcomponent JavaFX (bsc#1049323).

- CVE-2017-10105: Fix unspecified vulnerability in subcomponent deployment (bsc#1049317).

- CVE-2017-10086: Fix unspecified vulnerability in subcomponent JavaFX (bsc#1049310).

- CVE-2017-10198: Fix incorrect enforcement of certificate path restrictions (bsc#1049331).

- CVE-2017-10193: Fix incorrect key size constraint check (bsc#1049330).

Bug fixes:

- Drop Exec Shield workaround to fix crashes on recent kernels, where Exec Shield is gone (bsc#1052318).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

SUSE OpenStack Cloud 6: zypper in -t patch SUSE-OpenStack-Cloud-6-2018-6=1

SUSE Linux Enterprise Server for SAP 12-SP1: zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-6=1

SUSE Linux Enterprise Server for SAP 12: zypper in -t patch SUSE-SLE-SAP-12-2018-6=1

SUSE Linux Enterprise Server for Raspberry Pi 12-SP2: zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-6=1

SUSE Linux Enterprise Server 12-SP3: zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-6=1

SUSE Linux Enterprise Server 12-SP2: zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-6=1

SUSE Linux Enterprise Server 12-SP1-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-6=1

SUSE Linux Enterprise Server 12-LTSS: zypper in -t patch SUSE-SLE-SERVER-12-2018-6=1

SUSE Linux Enterprise Desktop 12-SP3: zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-6=1

SUSE Linux Enterprise Desktop 12-SP2: zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-6=1

To bring your system up-to-date, use 'zypper patch'.

See Also

https://bugzilla.suse.com/show_bug.cgi?id=1049305

https://bugzilla.suse.com/show_bug.cgi?id=1049306

https://www.suse.com/security/cve/CVE-2016-9841/

https://www.suse.com/security/cve/CVE-2016-9842/

https://www.suse.com/security/cve/CVE-2016-9843/

https://www.suse.com/security/cve/CVE-2017-10053/

https://www.suse.com/security/cve/CVE-2017-10067/

https://www.suse.com/security/cve/CVE-2017-10074/

https://www.suse.com/security/cve/CVE-2017-10081/

https://www.suse.com/security/cve/CVE-2017-10086/

https://www.suse.com/security/cve/CVE-2017-10087/

https://www.suse.com/security/cve/CVE-2017-10089/

https://www.suse.com/security/cve/CVE-2017-10090/

https://bugzilla.suse.com/show_bug.cgi?id=1049307

https://bugzilla.suse.com/show_bug.cgi?id=1049309

https://bugzilla.suse.com/show_bug.cgi?id=1049310

https://bugzilla.suse.com/show_bug.cgi?id=1049311

https://bugzilla.suse.com/show_bug.cgi?id=1049312

https://bugzilla.suse.com/show_bug.cgi?id=1049313

https://bugzilla.suse.com/show_bug.cgi?id=1049314

https://bugzilla.suse.com/show_bug.cgi?id=1049315

https://bugzilla.suse.com/show_bug.cgi?id=1049316

https://bugzilla.suse.com/show_bug.cgi?id=1049317

https://bugzilla.suse.com/show_bug.cgi?id=1049318

https://bugzilla.suse.com/show_bug.cgi?id=1049319

https://bugzilla.suse.com/show_bug.cgi?id=1049320

https://bugzilla.suse.com/show_bug.cgi?id=1049321

https://bugzilla.suse.com/show_bug.cgi?id=1049322

https://bugzilla.suse.com/show_bug.cgi?id=1049323

https://bugzilla.suse.com/show_bug.cgi?id=1049324

https://bugzilla.suse.com/show_bug.cgi?id=1049325

https://bugzilla.suse.com/show_bug.cgi?id=1049326

https://bugzilla.suse.com/show_bug.cgi?id=1049327

https://bugzilla.suse.com/show_bug.cgi?id=1049328

https://bugzilla.suse.com/show_bug.cgi?id=1049329

https://bugzilla.suse.com/show_bug.cgi?id=1049330

https://bugzilla.suse.com/show_bug.cgi?id=1049331

https://bugzilla.suse.com/show_bug.cgi?id=1049332

https://bugzilla.suse.com/show_bug.cgi?id=1052318

https://www.suse.com/security/cve/CVE-2017-10096/

https://www.suse.com/security/cve/CVE-2017-10101/

https://www.suse.com/security/cve/CVE-2017-10102/

https://www.suse.com/security/cve/CVE-2017-10105/

https://www.suse.com/security/cve/CVE-2017-10107/

https://www.suse.com/security/cve/CVE-2017-10108/

https://www.suse.com/security/cve/CVE-2017-10109/

https://www.suse.com/security/cve/CVE-2017-10110/

https://www.suse.com/security/cve/CVE-2017-10111/

https://www.suse.com/security/cve/CVE-2017-10114/

https://www.suse.com/security/cve/CVE-2017-10115/

https://www.suse.com/security/cve/CVE-2017-10116/

https://www.suse.com/security/cve/CVE-2017-10118/

https://www.suse.com/security/cve/CVE-2017-10125/

https://www.suse.com/security/cve/CVE-2017-10135/

https://www.suse.com/security/cve/CVE-2017-10176/

https://www.suse.com/security/cve/CVE-2017-10193/

https://www.suse.com/security/cve/CVE-2017-10198/

https://www.suse.com/security/cve/CVE-2017-10243/

https://www.suse.com/security/cve/CVE-2017-10274/

https://www.suse.com/security/cve/CVE-2017-10281/

https://www.suse.com/security/cve/CVE-2017-10285/

https://www.suse.com/security/cve/CVE-2017-10295/

https://www.suse.com/security/cve/CVE-2017-10345/

https://www.suse.com/security/cve/CVE-2017-10346/

https://www.suse.com/security/cve/CVE-2017-10347/

https://www.suse.com/security/cve/CVE-2017-10348/

https://www.suse.com/security/cve/CVE-2017-10349/

https://www.suse.com/security/cve/CVE-2017-10350/

https://www.suse.com/security/cve/CVE-2017-10355/

https://www.suse.com/security/cve/CVE-2017-10356/

https://www.suse.com/security/cve/CVE-2017-10357/

https://www.suse.com/security/cve/CVE-2017-10388/

http://www.nessus.org/u?a779e6a4

https://bugzilla.suse.com/show_bug.cgi?id=1064071

https://bugzilla.suse.com/show_bug.cgi?id=1064072

https://bugzilla.suse.com/show_bug.cgi?id=1064073

https://bugzilla.suse.com/show_bug.cgi?id=1064075

https://bugzilla.suse.com/show_bug.cgi?id=1064077

https://bugzilla.suse.com/show_bug.cgi?id=1064078

https://bugzilla.suse.com/show_bug.cgi?id=1064079

https://bugzilla.suse.com/show_bug.cgi?id=1064080

https://bugzilla.suse.com/show_bug.cgi?id=1064081

https://bugzilla.suse.com/show_bug.cgi?id=1064082

https://bugzilla.suse.com/show_bug.cgi?id=1064083

https://bugzilla.suse.com/show_bug.cgi?id=1064084

https://bugzilla.suse.com/show_bug.cgi?id=1064085

https://bugzilla.suse.com/show_bug.cgi?id=1064086

https://www.suse.com/security/cve/CVE-2016-10165/

https://www.suse.com/security/cve/CVE-2016-9840/

Plugin Details

Severity: Critical

ID: 105538

File Name: suse_SU-2018-0005-1.nasl

Version: 3.5

Type: local

Agent: unix

Published: 1/4/2018

Updated: 9/10/2019

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel, cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-devel-debuginfo, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debugsource, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-demo-debuginfo, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-debuginfo, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless-debuginfo, p-cpe:/a:novell:suse_linux:java-1_7_0-openjdk-headless

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/3/2018

Vulnerability Publication Date: 2/3/2017

Reference Information

CVE: CVE-2016-10165, CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10081, CVE-2017-10086, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10105, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10111, CVE-2017-10114, CVE-2017-10115, CVE-2017-10116, CVE-2017-10118, CVE-2017-10125, CVE-2017-10135, CVE-2017-10176, CVE-2017-10193, CVE-2017-10198, CVE-2017-10243, CVE-2017-10274, CVE-2017-10281, CVE-2017-10285, CVE-2017-10295, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10350, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10388