{"id":"MGASA-2017-0460","summary":"Updated java-1.8.0-openjdk packages fix security vulnerabilities","details":"Multiple flaws were discovered in the RMI and Hotspot components in\nOpenJDK. An untrusted Java application or applet could use these flaws\nto completely bypass Java sandbox restrictions. (CVE-2017-10285,\nCVE-2017-10346)\n\nIt was discovered that the Kerberos client implementation in the\nLibraries component of OpenJDK used the sname field from the plain text\npart rather than encrypted part of the KDC reply message. A man-in-the-\nmiddle attacker could possibly use this flaw to impersonate Kerberos\nservices to Java applications acting as Kerberos clients.\n(CVE-2017-10388)\n\nIt was discovered that the Security component of OpenJDK generated weak\npassword-based encryption keys used to protect private keys stored in\nkey stores. This made it easier to perform password guessing attacks to\ndecrypt stored keys if an attacker could gain access to a key store.\n(CVE-2017-10356)\n\nA flaw was found in the Smart Card IO component in OpenJDK. An untrusted\nJava application or applet could use this flaw to bypass certain Java\nsandbox restrictions. (CVE-2017-10274)\n\nIt was found that the FtpClient implementation in the Networking\ncomponent of OpenJDK did not set connect and read timeouts by default.\nA malicious FTP server or a man-in-the-middle attacker could use this\nflaw to block execution of a Java application connecting to an FTP\nserver. (CVE-2017-10355)\n\nIt was found that the HttpURLConnection and HttpsURLConnection classes\nin the Networking component of OpenJDK failed to check for newline\ncharacters embedded in URLs. An attacker able to make a Java application\nperform an HTTP request using an attacker provided URL could possibly\ninject additional headers into the request. (CVE-2017-10295)\n\nIt was discovered that multiple classes in the JAXP, Serialization,\nLibraries, and JAX-WS components of OpenJDK did not limit the amount of\nmemory allocated when creating object instances from the serialized\nform. A specially-crafted input could cause a Java application to use an\nexcessive amount of memory when deserialized. (CVE-2017-10349,\nCVE-2017-10357, CVE-2017-10347, CVE-2017-10281, CVE-2017-10345,\nCVE-2017-10348, CVE-2017-10350)\n","modified":"2026-04-16T06:24:00.448522786Z","published":"2017-12-21T18:18:18Z","upstream":["CVE-2017-10274","CVE-2017-10281","CVE-2017-10285","CVE-2017-10295","CVE-2017-10345","CVE-2017-10346","CVE-2017-10347","CVE-2017-10348","CVE-2017-10349","CVE-2017-10350","CVE-2017-10355","CVE-2017-10356","CVE-2017-10357","CVE-2017-10388"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0460.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=21903"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2017:2998"},{"type":"ADVISORY","url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"}],"affected":[{"package":{"name":"copy-jdk-configs","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/copy-jdk-configs?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0460.json"}},{"package":{"name":"java-1.8.0-openjdk","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/java-1.8.0-openjdk?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.0.151-1.b12.1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0460.json"}},{"package":{"name":"copy-jdk-configs","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/copy-jdk-configs?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.3-1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0460.json"}},{"package":{"name":"java-1.8.0-openjdk","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/java-1.8.0-openjdk?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.8.0.151-1.b12.1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0460.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}