AwakenedRage

MGASA-2015-0158 Security Exploit Prevented (Advised that you update Java)


Hi All,

 

A security exploit has been identified in the OpenJDK 1.7.0 version. The server uses OpenJDK 1.8 and has already patched the exploit. However, this is also present in Java SE clients. It is highly advised that you update your Java.

 

FAQ

 

Are there any crucial differences between Oracle and Open JDK?

 

 

Nothing crucial. The OpenJDK project is mostly based on HotSpot source code donated by Sun.

Moreover, OpenJDK was selected to be the reference implementation for Java 7, and is maintained by Oracle engineers.

There's a more detailed answer to your question here, which links to this blog post:

Q: What is the difference between the source code found in the OpenJDK repository, and the code you use to build the Oracle JDK?

A: It is very close - our build process for Oracle JDK releases builds on OpenJDK 7 by adding just a couple of pieces, like the deployment code, which includes Oracle's implementation of the Java Plugin and Java WebStart, as well as some closed source third party components like a graphics rasterizer, some open source third party components, like Rhino, and a few bits and pieces here and there, like additional documentation or third party fonts. Moving forward, our intent is to open source all pieces of the Oracle JDK except those that we consider commercial features such as JRockit Mission Control (not yet available in Oracle JDK), and replace encumbered third party components with open source alternatives to achieve closer parity between the code bases.

 

 

I don't get it. If they are similar, then why two?

 

Technical differences are a consequence of the goal of each one (OpenJDK is meant to be the reference implementation, open to the community, while Oracle is meant to be a commercial one).

They both have "almost" the same code of the classes in the Java API; but the code for the virtual machine itself is actually different, and when it comes to libraries, OpenJDK tends to use open libraries while Oracle tends to use closed ones; for instance, the font library.

 

Is the Server Affected?

 

The Server was not affected by this exploit as the server uses OpenJDK 1.8 which had this fixed.

 

 

 

Updated java-1.7.0-openjdk packages fix security vulnerabilities
Publication date: 15 Apr 2015
Type: security
Affected Mageia releases: 4
CVE: CVE-2005-1080, CVE-2015-0460, CVE-2015-0469, CVE-2015-0477, CVE-2015-0478, CVE-2015-0480, CVE-2015-0488
Description

Updated java-1.7.0 packages fix security vulnerabilities:

An off-by-one flaw, leading to a buffer overflow, was found in the font
parsing code in the 2D component in OpenJDK. A specially crafted font file
could possibly cause the Java Virtual Machine to execute arbitrary code,
allowing an untrusted Java application or applet to bypass Java sandbox
restrictions (CVE-2015-0469).

A flaw was found in the way the Hotspot component in OpenJDK handled
phantom references. An untrusted Java application or applet could use this
flaw to corrupt the Java Virtual Machine memory and, possibly, execute
arbitrary code, bypassing Java sandbox restrictions (CVE-2015-0460).

A flaw was found in the way the JSSE component in OpenJDK parsed X.509
certificate options. A specially crafted certificate could cause JSSE to
raise an exception, possibly causing an application using JSSE to exit
unexpectedly (CVE-2015-0488).

A flaw was discovered in the Beans component in OpenJDK. An untrusted Java
application or applet could use this flaw to bypass certain Java sandbox
restrictions (CVE-2015-0477).

A directory traversal flaw was found in the way the jar tool extracted JAR
archive files. A specially crafted JAR archive could cause jar to overwrite
arbitrary files writable by the user running jar when the archive was
extracted (CVE-2005-1080, CVE-2015-0480).

It was found that the RSA implementation in the JCE component in OpenJDK
did not follow recommended practices for implementing RSA signatures
(CVE-2015-0478).
                

References

    https://bugs.mageia.org/show_bug.cgi?id=15706
    http://blog.fuseyism.com/index.php/2015/04/15/security-icedtea-2-5-5-for-openjdk-7-released/
    http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
    https://rhn.redhat.com/errata/RHSA-2015-0806.html
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1080
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0460
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0469
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0477
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0478
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0480
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0488
 

 

 

 

I am glad that I used the Beta Version of Mageia that has updated dependencies and took the extra downtime. This would have been a nightmare to take care of. Looks like the downtime actually benefited us for once.
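The advisory quoted above lists a directory traversal flaw in how the jar tool extracted archives (CVE-2005-1080, CVE-2015-0480). The following is an added example, not part of the original post, the advisory or OpenJDK: a pre-extraction check that lists JAR entries whose resolved path would land outside the target directory and refuses to unpack such an archive. The function names and the archive contents are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile


def make_sample_jar(with_traversal=True):
    """Build a constructed JAR (a ZIP archive) in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        if with_traversal:
            # Constructed entry names that resolve outside the target directory.
            jar.writestr("../../outside.txt", "constructed")
            jar.writestr("/tmp/absolute.txt", "constructed")
            jar.writestr("lib/../../escape.txt", "constructed")
    return buf.getvalue()


def escaping_entries(jar_bytes, dest_dir):
    """Return entry names whose resolved path falls outside dest_dir."""
    dest = os.path.realpath(dest_dir)
    flagged = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            # join() lets an absolute name replace dest; realpath() folds "..".
            target = os.path.realpath(os.path.join(dest, name))
            if os.path.commonpath([dest, target]) != dest:
                flagged.append(name)
    return flagged


def safe_extract(jar_bytes, dest_dir):
    """Extract only if every entry stays inside dest_dir; else refuse."""
    bad = escaping_entries(jar_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing to extract, entries escape target: {bad}")
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        jar.extractall(dest_dir)
        return jar.namelist()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print("flagged:", escaping_entries(make_sample_jar(), d))
        print("extracted:", safe_extract(make_sample_jar(False), d))
```

The check resolves each entry against the real path of the target directory, so it catches relative `..` segments, nested `..` segments and absolute entry names alike.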

 
