{"id":"USN-3613-1","summary":"openjdk-8 vulnerabilities","details":"It was discovered that a race condition existed in the cryptography\nimplementation in OpenJDK. An attacker could possibly use this to expose\nsensitive information. (CVE-2018-2579)\n\nIt was discovered that the Hotspot component of OpenJDK did not properly\nvalidate uses of the invokeinterface JVM instruction. An attacker could\npossibly use this to access unauthorized resources. (CVE-2018-2582)\n\nIt was discovered that the LDAP implementation in OpenJDK did not properly\nencode login names. A remote attacker could possibly use this to expose\nsensitive information. (CVE-2018-2588)\n\nIt was discovered that the DNS client implementation in OpenJDK did not\nproperly randomize source ports. A remote attacker could use this to spoof\nresponses to DNS queries made by Java applications. (CVE-2018-2599)\n\nIt was discovered that the Internationalization component of OpenJDK did\nnot restrict search paths when loading resource bundle classes. A local\nattacker could use this to trick a user into running malicious code.\n(CVE-2018-2602)\n\nIt was discovered that OpenJDK did not properly restrict memory allocations\nwhen parsing DER input. A remote attacker could possibly use this to cause\na denial of service. (CVE-2018-2603)\n\nIt was discovered that the Java Cryptography Extension (JCE) implementation\nin OpenJDK in some situations did not guarantee sufficient strength of keys\nduring key agreement. An attacker could use this to expose sensitive\ninformation. (CVE-2018-2618)\n\nIt was discovered that the Java GSS implementation in OpenJDK in some\nsituations did not properly handle GSS contexts in the native GSS library.\nAn attacker could possibly use this to access unauthorized resources.\n(CVE-2018-2629)\n\nIt was discovered that the LDAP implementation in OpenJDK did not properly\nhandle LDAP referrals in some situations. An attacker could possibly use\nthis to expose sensitive information or gain unauthorized privileges.\n(CVE-2018-2633)\n\nIt was discovered that the Java GSS implementation in OpenJDK in some\nsituations did not properly apply subject credentials. An attacker could\npossibly use this to expose sensitive information or gain access to\nunauthorized resources. (CVE-2018-2634)\n\nIt was discovered that the Java Management Extensions (JMX) component of\nOpenJDK did not properly apply deserialization filters in some situations.\nAn attacker could use this to bypass deserialization restrictions.\n(CVE-2018-2637)\n\nIt was discovered that a use-after-free vulnerability existed in the AWT\ncomponent of OpenJDK when loading the GTK library. An attacker could\npossibly use this to execute arbitrary code and escape Java sandbox\nrestrictions. (CVE-2018-2641)\n\nIt was discovered that in some situations OpenJDK did not properly validate\nobjects when performing deserialization. An attacker could use this to\ncause a denial of service (application crash or excessive memory\nconsumption). (CVE-2018-2663)\n\nIt was discovered that the AWT component of OpenJDK did not properly\nrestrict the amount of memory allocated when deserializing some objects. An\nattacker could use this to cause a denial of service (excessive memory\nconsumption). (CVE-2018-2677)\n\nIt was discovered that the JNDI component of OpenJDK did not properly\nrestrict the amount of memory allocated when deserializing objects in some\nsituations. An attacker could use this to cause a denial of service\n(excessive memory consumption). (CVE-2018-2678)\n","modified":"2026-02-10T04:41:17Z","published":"2018-04-02T19:15:32Z","related":["UBUNTU-CVE-2018-2579","UBUNTU-CVE-2018-2582","UBUNTU-CVE-2018-2588","UBUNTU-CVE-2018-2599","UBUNTU-CVE-2018-2602","UBUNTU-CVE-2018-2603","UBUNTU-CVE-2018-2618","UBUNTU-CVE-2018-2629","UBUNTU-CVE-2018-2633","UBUNTU-CVE-2018-2634","UBUNTU-CVE-2018-2637","UBUNTU-CVE-2018-2641","UBUNTU-CVE-2018-2663","UBUNTU-CVE-2018-2677","UBUNTU-CVE-2018-2678"],"upstream":["CVE-2018-2579","CVE-2018-2582","CVE-2018-2588","CVE-2018-2599","CVE-2018-2602","CVE-2018-2603","CVE-2018-2618","CVE-2018-2629","CVE-2018-2633","CVE-2018-2634","CVE-2018-2637","CVE-2018-2641","CVE-2018-2663","CVE-2018-2677","CVE-2018-2678","UBUNTU-CVE-2018-2579","UBUNTU-CVE-2018-2582","UBUNTU-CVE-2018-2588","UBUNTU-CVE-2018-2599","UBUNTU-CVE-2018-2602","UBUNTU-CVE-2018-2603","UBUNTU-CVE-2018-2618","UBUNTU-CVE-2018-2629","UBUNTU-CVE-2018-2633","UBUNTU-CVE-2018-2634","UBUNTU-CVE-2018-2637","UBUNTU-CVE-2018-2641","UBUNTU-CVE-2018-2663","UBUNTU-CVE-2018-2677","UBUNTU-CVE-2018-2678"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-3613-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2579"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2582"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2588"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2599"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2602"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2603"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2618"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2629"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2633"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2634"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2637"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2641"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2663"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2677"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-2678"}],"affected":[{"package":{"name":"openjdk-8","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/openjdk-8@8u162-b12-0ubuntu0.16.04.2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"8u162-b12-0ubuntu0.16.04.2"}]}],"versions":["8u66-b01-5","8u72-b05-1ubuntu1","8u72-b05-5","8u72-b05-6","8u72-b15-1","8u72-b15-2ubuntu1","8u72-b15-2ubuntu3","8u72-b15-3ubuntu1","8u77-b03-1ubuntu2","8u77-b03-3ubuntu1","8u77-b03-3ubuntu2","8u77-b03-3ubuntu3","8u91-b14-0ubuntu4~16.04.1","8u91-b14-3ubuntu1~16.04.1","8u111-b14-2ubuntu0.16.04.2","8u121-b13-0ubuntu1.16.04.2","8u131-b11-0ubuntu1.16.04.2","8u131-b11-2ubuntu1.16.04.2","8u131-b11-2ubuntu1.16.04.3","8u151-b12-0ubuntu0.16.04.2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"openjdk-8-demo","binary_version":"8u162-b12-0ubuntu0.16.04.2"},{"binary_name":"openjdk-8-jdk","binary_version":"8u162-b12-0ubuntu0.16.04.2"},{"binary_name":"openjdk-8-jdk-headless","binary_version":"8u162-b12-0ubuntu0.16.04.2"},{"binary_name":"openjdk-8-jre","binary_version":"8u162-b12-0ubuntu0.16.04.2"},{"binary_name":"openjdk-8-jre-headless","binary_version":"8u162-b12-0ubuntu0.16.04.2"},{"binary_name":"openjdk-8-jre-jamvm","binary_version":"8u162-b12-0ubuntu0.16.04.2"},{"binary_name":"openjdk-8-jre-zero","binary_version":"8u162-b12-0ubuntu0.16.04.2"},{"binary_name":"openjdk-8-source","binary_version":"8u162-b12-0ubuntu0.16.04.2"}]},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2579"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2582"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2588"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2599"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2602"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2018-2603"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2618"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2629"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2633"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2634"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2637"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2641"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2663"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2677"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-2678"}],"ecosystem":"Ubuntu:16.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-3613-1.json"}}],"schema_version":"1.7.3"}