Oracle Linux 7 : java-1.8.0-openjdk (ELSA-2018-2242)

low Nessus Plugin ID 111254

Synopsis

The remote Oracle Linux host is missing a security update.

Description

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2018-2242 advisory.

[1:1.8.0.181-7.b13]
- Update to aarch64-jdk8u181-b13 and aarch64-shenandoah-jdk8u181-b13.
- Remove 8187577/PR3578 now applied upstream.
- Resolves: rhbz#1594249

[1:1.8.0.181-3.b04]
- Fix hook to show hs_err*.log files on failures.
- Resolves: rhbz#1594249

[1:1.8.0.181-3.b04]
- Fix requires/provides filters for internal libs. See RHBZ#1590796
- Resolves: rhbz#1594249

[1:1.8.0.181-3.b04]
- Update bug status and add missing bug IDs
- Resolves: rhbz#1594249

[1:1.8.0.181-2.b04]
- Add '8206406, PR3610, RH1597825: StubCodeDesc constructor publishes partially-constructed objects on StubCodeDesc::_list'
- Resolves: rhbz#1594249

[1:1.8.0.181-1.b04]
- Add hook to show hs_err*.log files on failures.
- Resolves: rhbz#1594249

[1:1.8.0.181-1.b04]
- Mark bugs that have been pushed to 8u upstream and are scheduled for a release.
- Resolves: rhbz#1594249

[1:1.8.0.181-1.b04]
- Update to aarch64-jdk8u181-b04 and aarch64-shenandoah-jdk8u181-b04.
- Resolves: rhbz#1594249

[1:1.8.0.181-0.b03]
- Update to aarch64-jdk8u181-b03 and aarch64-shenandoah-jdk8u181-b03.
- Remove AArch64 patch for PR3458/RH1540242 as applied upstream.
- Resolves: rhbz#1594249

[1:1.8.0.172-4.b11]
- Read jssecacerts file prior to trying either cacerts file (system or local) (PR3575)
- Resolves: rhbz#1593737

[1:1.8.0.172-3.b11]
- Update Shenandoah tarball to fix TCK overflow failure.
- Resolves: rhbz#1588364

[11:1.8.0.172-3.b11]
- jsa files changed to 444 to pass rpm verification
- Fix reg-ex for filtering private libraries' provides/requires.
- Resolves: rhbz#1588364

[1:1.8.0.172-2.b11]
- Remove build flags exemption for aarch64 now the platform is more mature and can bootstrap OpenJDK with these flags.
- Remove duplicate -fstack-protector-strong; it is provided by the RHEL cflags.
- Resolves: rhbz#1588364

[1:1.8.0.172-1.b11]
- Fix a number of bad bug identifiers (PR3546 should be PR3578, PR3456 should be PR3546)
- Resolves: rhbz#1588364

[1:1.8.0.172-1.b11]
- Update Shenandoah tarball to include 2018-05-15 merge.
- Split PR3458/RH1540242 fix into AArch64 & Zero sections, so former can be skipped on Shenandoah builds.
- Drop PR3573 patch applied upstream.
- Restrict 8187577 fix to non-Shenandoah builds, as it's included in the new tarball.
- Resolves: rhbz#1588364

[1:1.8.0.172-1.b11]
- Sync with IcedTea 3.8.0.
- Label architecture-specific fixes with architecture concerned
- x86: S8199936, PR3533: HotSpot generates code with unaligned stack, crashes on SSE operations (-mstackrealign workaround)
- PR3539, RH1548475: Pass EXTRA_LDFLAGS to HotSpot build
- 8171000, PR3542, RH1402819: Robot.createScreenCapture() crashes in wayland mode
- 8197546, PR3542, RH1402819: Fix for 8171000 breaks Solaris + Linux builds
- 8185723, PR3553: Zero: segfaults on Power PC 32-bit
- 8186461, PR3557: Zero's atomic_copy64() should use SPE instructions on linux-powerpcspe
- PR3559: Use ldrexd for atomic reads on ARMv7.
- 8187577, PR3578: JVM crash during gc doing concurrent marking
- 8201509, PR3579: Zero: S390 31bit atomic_copy64 inline assembler is wrong
- 8165489, PR3589: Missing G1 barrier in Unsafe_GetObjectVolatile
- PR3591: Fix for bug 3533 doesn't add -mstackrealign to JDK code
- 8184309, PR3596: Build warnings from GCC 7.1 on Fedora 26
- Resolves: rhbz#1588364

[1:1.8.0.172-0.b11]
- Update to aarch64-jdk8u172-b11 and aarch64-shenandoah-jdk8u172-b11.
- Resolves: rhbz#1588364

[1:1.8.0.171-9.b12]
- Update to aarch64-jdk8u171-b12 and aarch64-shenandoah-jdk8u171-b12.
- Remove patch for 8200556/PR3566 as applied upstream.
- Resolves: rhbz#1588364

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2018-2242.html

Plugin Details

Severity: Low

ID: 111254

File Name: oraclelinux_ELSA-2018-2242.nasl

Version: 1.7

Type: local

Agent: unix

Published: 7/24/2018

Updated: 11/1/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2018-2952

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:java-1.8.0-openjdk, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-accessibility, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-headless-debug, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-zip, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-accessibility-debug, cpe:/o:oracle:linux:7, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-debug, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-debug, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel-debug, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc-zip-debug, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-devel, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-src-debug, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-javadoc, p-cpe:/a:oracle:linux:java-1.8.0-openjdk-demo-debug

Required KB Items: Host/local_checks_enabled, Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/24/2018

Vulnerability Publication Date: 7/18/2018

Reference Information

CVE: CVE-2018-2952

RHSA: 2018:2242