Amazon Linux AMI update for java-1.8.0-openjdk

1) Improper access control

EUVDB-ID: #VU33421

Risk: Low

CVSSv4.0: 2.1 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2745

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 7u221, 8u212 and 11.0.3. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

Mitigation

Update the affected packages:

i686:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.i686

noarch:
    java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.47.amzn1.noarch
    java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.47.amzn1.noarch

src:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.src

x86_64:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1269.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU33422

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2762

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., via a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts).

Mitigation

Update the affected packages:

i686:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.i686

noarch:
    java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.47.amzn1.noarch
    java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.47.amzn1.noarch

src:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.src

x86_64:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1269.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU33424

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2769

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., via a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts).

Mitigation

Update the affected packages:

i686:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.i686

noarch:
    java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.47.amzn1.noarch
    java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.47.amzn1.noarch

src:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.src

x86_64:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1269.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Protection Mechanism Failure

EUVDB-ID: #VU19281

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2786

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain restrictions.

The vulnerability exists due to the the AccessController class implementation in the Security component failed in certain cases. A remote attacker can use an untrusted Java application or applet to bypass certain Java sandbox restrictions.

The vulnerability affects openjdk-jre package of an implementation of the Java Platform, Standard Edition (Java SE).

Mitigation

Update the affected packages:

i686:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.i686

noarch:
    java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.47.amzn1.noarch
    java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.47.amzn1.noarch

src:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.src

x86_64:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1269.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper access control

EUVDB-ID: #VU33425

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-2816

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).

Mitigation

Update the affected packages:

i686:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.i686

noarch:
    java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.47.amzn1.noarch
    java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.47.amzn1.noarch

src:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.src

x86_64:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1269.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Input validation error

EUVDB-ID: #VU33426

Risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-2842

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE. Note: This vulnerability applies to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., via a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts).

Mitigation

Update the affected packages:

i686:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.i686
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.i686

noarch:
    java-1.8.0-openjdk-javadoc-1.8.0.222.b10-0.47.amzn1.noarch
    java-1.8.0-openjdk-javadoc-zip-1.8.0.222.b10-0.47.amzn1.noarch

src:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.src

x86_64:
    java-1.8.0-openjdk-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-devel-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-debuginfo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-demo-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-headless-1.8.0.222.b10-0.47.amzn1.x86_64
    java-1.8.0-openjdk-src-1.8.0.222.b10-0.47.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2019-1269.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Risk	Medium
Patch available	YES
Number of vulnerabilities	6
CVE-ID	CVE-2019-2745 CVE-2019-2762 CVE-2019-2769 CVE-2019-2786 CVE-2019-2816 CVE-2019-2842
CWE-ID	CWE-284 CWE-20 CWE-693
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services