{"id":"USN-3275-1","summary":"openjdk-8 vulnerabilities","details":"It was discovered that OpenJDK improperly re-used cached NTLM\nconnections in some situations. A remote attacker could possibly\nuse this to cause a Java application to perform actions with the\ncredentials of a different user. (CVE-2017-3509)\n\nIt was discovered that an untrusted library search path flaw existed\nin the Java Cryptography Extension (JCE) component of OpenJDK. A\nlocal attacker could possibly use this to gain the privileges of a\nJava application. (CVE-2017-3511)\n\nIt was discovered that the Java API for XML Processing (JAXP) component\nin OpenJDK did not properly enforce size limits when parsing XML\ndocuments. An attacker could use this to cause a denial of service\n(processor and memory consumption). (CVE-2017-3526)\n\nIt was discovered that the FTP client implementation in OpenJDK did\nnot properly sanitize user inputs. If a user was tricked into opening\na specially crafted FTP URL, a remote attacker could use this to\nmanipulate the FTP connection. (CVE-2017-3533)\n\nIt was discovered that OpenJDK allowed MD5 to be used as an algorithm\nfor JAR integrity verification. An attacker could possibly use this\nto modify the contents of a JAR file without detection. (CVE-2017-3539)\n\nIt was discovered that the SMTP client implementation in OpenJDK\ndid not properly sanitize sender and recipient addresses. A remote\nattacker could use this to specially craft email addresses and gain\ncontrol of a Java application's SMTP connections. (CVE-2017-3544)\n","modified":"2026-02-10T04:41:07Z","published":"2017-05-11T15:15:32Z","related":["UBUNTU-CVE-2017-3509","UBUNTU-CVE-2017-3511","UBUNTU-CVE-2017-3526","UBUNTU-CVE-2017-3533","UBUNTU-CVE-2017-3539","UBUNTU-CVE-2017-3544"],"upstream":["CVE-2017-3509","CVE-2017-3511","CVE-2017-3526","CVE-2017-3533","CVE-2017-3539","CVE-2017-3544","UBUNTU-CVE-2017-3509","UBUNTU-CVE-2017-3511","UBUNTU-CVE-2017-3526","UBUNTU-CVE-2017-3533","UBUNTU-CVE-2017-3539","UBUNTU-CVE-2017-3544"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3275-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3509"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3511"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3526"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3533"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3539"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-3544"}],"affected":[{"package":{"name":"openjdk-8","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/openjdk-8@8u131-b11-0ubuntu1.16.04.2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8u131-b11-0ubuntu1.16.04.2"}]}],"versions":["8u66-b01-5","8u72-b05-1ubuntu1","8u72-b05-5","8u72-b05-6","8u72-b15-1","8u72-b15-2ubuntu1","8u72-b15-2ubuntu3","8u72-b15-3ubuntu1","8u77-b03-1ubuntu2","8u77-b03-3ubuntu1","8u77-b03-3ubuntu2","8u77-b03-3ubuntu3","8u91-b14-0ubuntu4~16.04.1","8u91-b14-3ubuntu1~16.04.1","8u111-b14-2ubuntu0.16.04.2","8u121-b13-0ubuntu1.16.04.2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"8u131-b11-0ubuntu1.16.04.2","binary_name":"openjdk-8-demo"},{"binary_version":"8u131-b11-0ubuntu1.16.04.2","binary_name":"openjdk-8-jdk"},{"binary_version":"8u131-b11-0ubuntu1.16.04.2","binary_name":"openjdk-8-jdk-headless"},{"binary_version":"8u131-b11-0ubuntu1.16.04.2","binary_name":"openjdk-8-jre"},{"binary_version":"8u131-b11-0ubuntu1.16.04.2","binary_name":"openjdk-8-jre-headless"},{"binary_version":"8u131-b11-0ubuntu1.16.04.2","binary_name":"openjdk-8-jre-jamvm"},{"binary_version":"8u131-b11-0ubuntu1.16.04.2","binary_name":"openjdk-8-jre-zero"},{"binary_version":"8u131-b11-0ubuntu1.16.04.2","binary_name":"openjdk-8-source"}]},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:16.04:LTS","cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2017-3509"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2017-3511"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2017-3526"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2017-3533"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2017-3539"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2017-3544"}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3275-1.json"}}],"schema_version":"1.7.3"}